Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients

On Wednesday 07 September 2005 5:58 pm, you wrote:
> --On 07 September 2005 17:30 -0400, Dimitri Yioulos wrote:
> > This takes the thread even OT, is the "stealth" mechanism built in,
> > or is there a special directive to be added?
>
> It uses a pre-shared key, so it doesn't happen by default with TLS
> (read about tls-auth in doco to learn how to enable it), but it does
> happen by default with the 'standard' keying which just uses PSKs.
>
> All that happens is OpenVPN doesn't respond unless a SHA1 HMAC can be
> verified.

Many thanks!
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients

--On 07 September 2005 17:30 -0400, Dimitri Yioulos wrote:
> This takes the thread even OT, is the "stealth" mechanism built in,
> or is there a special directive to be added?

It uses a pre-shared key, so it doesn't happen by default with TLS (read about tls-auth in doco to learn how to enable it), but it does happen by default with the 'standard' keying which just uses PSKs.

All that happens is OpenVPN doesn't respond unless a SHA1 HMAC can be verified.
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients

Simon,

This takes the thread even OT, is the "stealth" mechanism built in, or is there a special directive to be added?

Thanks.

Dimitri

On Wednesday 07 September 2005 4:59 pm, you wrote:
> Why not give OpenVPN a try, works well with OpenBSD and Windows XP and
> has various options for password protection along with a nice 'stealth'
> mechanism preventing it from appearing to non-authorised clients.
>
> http://openvpn.net
>
> Tomas wrote:
> > Hello,
> >
> > Please, can someone give me a clue how to setup a vpn with authentication.
> > I've set up a vpn between Windows clients and OpenBSD server, everything
> > works fine. But since most of our clients are using ADSL lines and their
> > IP's aren't static I had to allow the whole world to connect to my vpn
> > server and my internal network. There are a lot of PCs with Windows XP
> > with firewalls enabled in my internal network, so when a client comes
> > with a different IP each time he can't connect to Windows PCs because
> > their IPs aren't listed in windows firewalls. So I decided to somehow
> > authenticate those users and give them one of the internal IPs. But I
> > don't even have a clue how to do that. First thing I thought of was
> > authpf, but it only works with ssh clients. So maybe can someone help me?
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients

Why not give OpenVPN a try, works well with OpenBSD and Windows XP and has various options for password protection along with a nice 'stealth' mechanism preventing it from appearing to non-authorised clients.

http://openvpn.net

Tomas wrote:
> Hello,
>
> Please, can someone give me a clue how to setup a vpn with authentication.
> I've set up a vpn between Windows clients and OpenBSD server, everything
> works fine. But since most of our clients are using ADSL lines and their
> IP's aren't static I had to allow the whole world to connect to my vpn
> server and my internal network. There are a lot of PCs with Windows XP
> with firewalls enabled in my internal network, so when a client comes
> with a different IP each time he can't connect to Windows PCs because
> their IPs aren't listed in windows firewalls. So I decided to somehow
> authenticate those users and give them one of the internal IPs. But I
> don't even have a clue how to do that. First thing I thought of was
> authpf, but it only works with ssh clients. So maybe can someone help me?
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients

You had the right idea with authpf. What I have done in the past is add the VPN pass rule to the authpf rule... Therefore, people have to ssh in, then the VPN can be established. You could do something similar.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomas
Sent: Wednesday, September 07, 2005 05:08
To: misc@openbsd.org
Subject: [OT] Question about vpn and authorization between OpenBSD and Windows clients

Hello,

Please, can someone give me a clue how to setup a vpn with authentication. I've set up a vpn between Windows clients and OpenBSD server, everything works fine. But since most of our clients are using ADSL lines and their IP's aren't static I had to allow the whole world to connect to my vpn server and my internal network. There are a lot of PCs with Windows XP with firewalls enabled in my internal network, so when a client comes with a different IP each time he can't connect to Windows PCs because their IPs aren't listed in windows firewalls. So I decided to somehow authenticate those users and give them one of the internal IPs. But I don't even have a clue how to do that. First thing I thought of was authpf, but it only works with ssh clients. So maybe can someone help me?
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients

To echo the other replies, I highly suggest OpenVPN as well. Both isakmpd and openvpn recommend using digital certs to control access. Openvpn also has the "auth-user-pass-verify" switch which calls a script/app to do additional authentication. Think poor-man's 2-phase authentication: have digital cert, know network authentication credentials. Furthermore, you can configure openvpn to dish out a static IP depending on the CN on the digital cert.

-rpuckett

On Wed, 2005-09-07 at 14:08 +0300, Tomas wrote:
> Hello,
>
> Please, can someone give me a clue how to setup a vpn with authentication.
> I've set up a vpn between Windows clients and OpenBSD server, everything
> works fine. But since most of our clients are using ADSL lines and their
> IP's aren't static I had to allow the whole world to connect to my vpn
> server and my internal network. There are a lot of PCs with Windows XP with
> firewalls enabled in my internal network, so when a client comes with a
> different IP each time he can't connect to Windows PCs because their IPs
> aren't listed in windows firewalls. So I decided to somehow authenticate
> those users and give them one of the internal IPs. But I don't even have a
> clue how to do that. First thing I thought of was authpf, but it only works
> with ssh clients. So maybe can someone help me?
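The pieces named in this reply (cert-only access, the auth-user-pass-verify script as a second factor, a static tunnel address per certificate CN) together with the tls-auth HMAC "stealth" setting mentioned elsewhere in the thread, as one OpenVPN 2.x server configuration. This is an added example, not any poster's config; the file paths, the 10.8.0.0/24 pool and the script name are assumptions.

```conf
# OpenVPN 2.x server config, OpenBSD host. Paths and addresses are assumed.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0          # tunnel address pool (constructed range)

# Only certificates signed by this CA are accepted; the CRL lets a single
# client cert be revoked without re-keying everyone.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh1024.pem
crl-verify /etc/openvpn/crl.pem

# The "stealth" mechanism: an HMAC over every control packet using a
# pre-shared key. Packets without a valid HMAC are dropped before the TLS
# handshake starts, so the port stays silent to unauthenticated probes.
# Key created once with: openvpn --genkey --secret /etc/openvpn/ta.key
# Server uses direction 0, every client uses direction 1.
tls-auth /etc/openvpn/ta.key 0

# Second factor: a valid cert AND a username/password checked by a script.
# With via-file the script receives the credentials in a temporary file and
# its exit status decides (0 = accept, anything else = reject).
auth-user-pass-verify /etc/openvpn/check-user.sh via-file
script-security 2                      # OpenVPN 2.1 and later; omit on 2.0

# Static address per client, keyed on the certificate CN: the server reads
# /etc/openvpn/ccd/<CN>, which holds a line such as
#   ifconfig-push 10.8.0.10 10.8.0.9
# (a /30 endpoint pair under the default net30 topology).
client-config-dir /etc/openvpn/ccd
ccd-exclusive                          # refuse any client without a CCD file

# Drop privileges once the tunnel is up
user nobody
group nobody
persist-key
persist-tun
```

Because each client then always arrives from its fixed tunnel address, the internal Windows firewalls only need to permit the 10.8.0.0/24 range rather than the clients' changing ADSL addresses.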
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients

--On 07 September 2005 14:08 +0300, Tomas wrote:
> Please, can someone give me a clue how to setup a vpn with authentication.
> I've set up a vpn between Windows clients and OpenBSD server, everything
> works fine.

By itself 'vpn' can mean many things... tunnels over IPsec? PPTP? unencrypted GRE/GIF? OpenVPN?

> But since most of our clients are using ADSL lines and their IP's aren't
> static I had to allow the whole world to connect to my vpn server

If you want to, you may be able to restrict based on the address space allocated to the provider (or the relevant RIR). RIR whois databases can help you identify the relevant address space.

> and my internal network.

On internal machines, you only need to allow access to the tunneled addresses, not the dynamic endpoint addresses.

Your two best choices are probably kernel IPsec (with isakmpd to establish SAs, possibly with X509 certs), or OpenVPN.

OpenVPN is usually the easier setup, and it's quite straightforward to enable compression which can help a lot on slower lines (I'm not sure if this is possible with isakmpd despite a tantalising line in plus32.html - I think it needs ipsecadm-created ipsec flows).

IPsec (especially with isakmpd) isn't exactly difficult to setup, but you'll need to grasp more terminology and basics first if you haven't already. It involves less third-party software on both sides, and being in-kernel I'd expect it to be higher-performing on a fast connection.
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients
try poptop. I've used it only in a most basic scenario, but it seemed to work well. it does VPN Windows-style (PPTP). --knitti
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients

On Wed, 7 Sep 2005 14:08:08 +0300, Tomas wrote:
> Hello,
>
> Please, can someone give me a clue how to setup a vpn with authentication.
> I've set up a vpn between Windows clients and OpenBSD server, everything
> works fine. But since most of our clients are using ADSL lines and their
> IP's aren't static I had to allow the whole world to connect to my vpn
> server and my internal network. There are a lot of PCs with Windows XP with
> firewalls enabled in my internal network, so when a client comes with a
> different IP each time he can't connect to Windows PCs because their IPs
> aren't listed in windows firewalls. So I decided to somehow authenticate
> those users and give them one of the internal IPs. But I don't even have a
> clue how to do that. First thing I thought of was authpf, but it only works
> with ssh clients. So maybe can someone help me?
>

I use OpenVPN which works easily on connections that have only one end static. I even have a "permanent" tunnel working where one end is static and the other on a rabid dhcp cable TV connection. The reliability is quite amazing. I was prepared for lots of glitches or delays to re-establish but it wasn't so. There is a package.

From the land "down under": Australia.
Do we look from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients
I use openvpn, it uses PKI so only hosts with keys that you've signed will be able to access your vpn. I found an article (http://blog.innerewut.de/articles/2005/07/04/openvpn-2-0-on-openbsd) that helped me get it set up. openvpn also has client + server versions for windows, so it might be useful to you. Mike
Re: [OT] Question about vpn and authorization between OpenBSD and Windows clients

Try this: http://www.thegreenbow.com/vpn.html. works very very well with openbsd.

Tomas wrote:
> Hello,
>
> Please, can someone give me a clue how to setup a vpn with authentication.
> I've set up a vpn between Windows clients and OpenBSD server, everything
> works fine. But since most of our clients are using ADSL lines and their
> IP's aren't static I had to allow the whole world to connect to my vpn
> server and my internal network. There are a lot of PCs with Windows XP with
> firewalls enabled in my internal network, so when a client comes with a
> different IP each time he can't connect to Windows PCs because their IPs
> aren't listed in windows firewalls. So I decided to somehow authenticate
> those users and give them one of the internal IPs. But I don't even have a
> clue how to do that. First thing I thought of was authpf, but it only works
> with ssh clients. So maybe can someone help me?

--
CL Martinez
carlopmart at gmail dot com