Free SSL VPN Solutions?

poison1701 asks: "I am in the process of evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far the only free SSL VPN product I have come across is SSL Explorer Community Edition which looks like a very good product, but the free version lacks some of the features that I want (like the full IPSec client). What other SSL VPN solutions are out there? "
  • Openvpn (Score:5, Informative)

    by brokenin2 ( 103006 ) * on Tuesday September 26, 2006 @06:50PM (#16207515) Homepage
    Openvpn... Free, full of features.. Open source.. reliable.. Most everything you'll want, even including a windows client and server (never used under windows though).
    • Re: (Score:2, Informative)

      by fc104 ( 954434 )
      I second that. I have used it under linux and windows and it has been extremely reliable. The openvpn configuration files work seamlessly between both platforms.
    • Re:Openvpn (Score:5, Informative)

      by GloomE ( 695185 ) on Tuesday September 26, 2006 @07:03PM (#16207689)
      Yah
      I'm using it with both Linux and Windows.
      Tunnels and point-to-point.

      I used to use IPSec, a lot of hassle, takes too long to bring the tunnel back up if it goes down, would go down and not come back up without manual intervention.

      OpenVPN however has been perfectly reliable for the 6 weeks I've been using it so far.
      The Windows GUI version from http://openvpn.se/ [openvpn.se] seems to work simply enough for many Windows users.
      • by Bert64 ( 520050 )
        I second that, I've been using OpenVPN at home for nearly 2 years now without a hitch, and within the last 6 months I've introduced it at work, it's gone down very well and it's universally preferred over the old proprietary vpn it replaced.

        Another issue with ipsec btw, is that because of the strange protocols it uses for setting up the connection, it often fails to work on some cheaper consumer grade DSL routers.
        • Some routers simply don't route anything but TCP (and sometimes not even that) correctly. Putting up a VPN will teach you which ones. I have one situation where the "calling" router does not receive UDP correctly, but the (same-brand) server router does.

          I've switched OpenVPN to TCP and she's all work, but I could switch just one side of the link to TCP and she's all still work.

          If you only want to forward one or a few TCP ports, you can use ssh (-L and -R options). Do take care to have the thing be paranoi
      • Re: Mac too (Score:3, Informative)

        by palmucci ( 534299 )
        Works great on Macs too. See http://www.tunnelblick.net/ [tunnelblick.net] for a mac gui.
    • by Deorus ( 811828 )
      never used under windows though

      The client works wonderfully under Linux, FreeBSD, OSX, and Windows, at the very least. And yes, OpenVPN is the way to go for all your VPN needs.

    • Re:Openvpn (Score:4, Informative)

      by imemyself ( 757318 ) on Tuesday September 26, 2006 @10:03PM (#16209571)
      I couldn't agree more. I love OpenVPN, especially the fact that it's so versatile. It can go through NAT without any problems, and it can be tunneled over SSH, or sent through an HTTP proxy. It can do username/password authentication, or use certificates, or both. It can have per-client configurations for assigning IP addresses. It's freaking awesome. It makes me wonder why the hell anyone would mess with PPTP or IPSec stuff, especially since NAT is almost everywhere these days.
      • Re: (Score:3, Interesting)

        by tji ( 74570 )
        > It makes me wonder why the hell anyone would mess with PPTP or IPSec stuff, especially since NAT is almost everywhere these days.

        I use IPSec because I can buy cheap wireless routers that have hardware accelerated IPSec, and IPSec clients are widely available (built into MacOS X, easily installable in Linux).

        IPSec does work with NAT. IPSec AH (authenticate only, not encrypt) mode doesn't, but nobody uses that and many devices don't support it. IPSec ESP works fine through NAT.
        • by Bert64 ( 520050 )
          ESP works fine, providing your cheap router recognises the protocol and routes it... A lot of cheaper consumer level routing devices will only route tcp/udp/icmp.
          Also, some of those cheap wireless routers actually run linux, so it's not unrealistic to modify them to support openvpn encryption in hardware instead.

          Here's a thought tho, many wireless cards support hardware encryption acceleration, how easy would it be to make OpenSSL support these cards?
          • by tji ( 74570 )
            > Also, some of those cheap wireless routers actually run linux, so it's not unrealistic to modify them to support openvpn encryption in hardware instead.

            Yes, good point. There is an open source firmware for the popular WRV54G that supports OpenVPN or PPTP. But, then I have to install OpenVPN + a tun/tap kernel driver on my PowerBook. Not a huge deal, but third pary kernel modules scare me a bit. Instead, I picked up a surprisingly powerful router/firewall/802.11g/IPSec VPN device on eBay for $50 a
    • Re: (Score:2, Informative)

      The only problem with OpenVPN for this case is that the poster specifically says they would like to be able to use IPSec, which OpenVPN clearly states it does not. Quote from the OpenVPN's front page: "There are three major families of VPN implementations in wide usage today: SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with IPSec, L2TP, or PPTP. The IPSec protocol is designed to be implemented as a modification to the IP stack in kernel space, and therefore each operating sy
    • OpenVPN is a godsend. I use it in a variety of contexts - to link my home network with my work network (with appropriate firewalling, of course), for remote access to my home network or work networks from anywhere on the internet, and as a secure replacement for WEP/WPA on my wifi access point. I have used it on both Windows and Linux. It's rock solid stable, fast, easy to set up, and works beautifully. Even on Windows it seems to have no trouble. The Windows GUI is nice, too - just a tiny little management
  • Regulations? (Score:1, Insightful)

    by !ramirez ( 106823 )
    If you're in a regulated environment, odds are that you're making enough money that spending a little money on some professional consulting time (or perhaps the software itself) for this problem is a far better solution than Asking Slashdot(tm).

    Having said that, there are plenty of roll-your-own SSL VPN solutions out there - many of which are open source. I'd recommend starting with Google.
    • Redundant: Repeated or duplicated unnecessarily.

      Seeing as how this was the 2nd post in the thread, it's kinda hard for it to be duplicating something when his point is entirely different than the first post.

      -Rick
      • Re: (Score:1, Insightful)

        by Anonymous Coward
        Actually, with most Ask Slashdot submissions, there is a significant number (if not a majority) of comments which simply rant about how irrelevant whatever the question is. They forward them off to Google or a professional.

        While on-topic, not flamebait and not trolls (although I'd call them trolls), these posts contribute absolutely nothing to the discussion. Because they are almost the same post regardless of the question... "Well, since (blah) and since (blah), you shouldn't ask Slashdot. Why don't you talk t
        • by RingDev ( 879105 )
          Ringdev's Razor: "When there are two possible explanations for a given situation, one that requires a large amount of knowledge, skill, and luck, and another that requires gross incompetence; go with the incompetence explanation."

          -Rick
    • by bit01 ( 644603 )

      If you're in a regulated environment, odds are that you're making enough money that spending a little money on some professional consulting time (or perhaps the software itself) for this problem is a far better solution than Asking Slashdot(tm).

      Who said he's not doing both? The two options are not mutually exclusive as you imply.

      ---

      Open source software is everything that closed source software is. Plus the source is available.

  • openvpn.org. We've been using it for both linux and windows clients. The windows client has a nifty little systray app. There is not much configuration needed, and it can work with passwords or keys. If you haven't dealt with PKI already and want to use certs that will be a learning curve with any vpn that uses certs.
    It has been very stable for us, we run the server on an OpenBSD box. The documentation is pretty good, and you can make your own windows installer with your configurations preloaded. One minor
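The OpenVPN features the comments above keep coming back to (UDP or TCP transport, HTTP proxy traversal, certificates and/or username/password, per-client configuration, a client profile you can preload into an installer) are each a directive or two. The script below is an added example, not code from the thread or from the OpenVPN project: it writes a minimal server config with a client-config-dir entry, a client profile parameterised on transport and proxy, and then lints the profile for the directives that keep a certificate-based deployment honest. vpn.example.net, the proxy host, the file names and 10.8.0.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project. Writes a server
# config, a per-client ccd entry and a client profile, then lints the profile.
# vpn.example.net, proxy host, file names and 10.8.0.0/24 are assumptions.
set -eu

# Server: certificate auth, per-client fixed address via client-config-dir.
write_server_conf() {            # $1 = output directory
    mkdir -p "$1/ccd"
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
client-config-dir ccd
push "route 192.168.10.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
    # ccd/<cert CN>: the client whose certificate CN is laptop01 always gets .10
    printf 'ifconfig-push 10.8.0.10 255.255.255.0\n' > "$1/ccd/laptop01"
}

# Client: $2 = udp|tcp (tcp for routers that mangle UDP), $3 = "host port" of
# an HTTP proxy to CONNECT through, or "" for a direct connection.
write_client_conf() {            # $1 = output file, $2 = udp|tcp, $3 = proxy
    {
        printf 'client\ndev tun\n'
        if [ "$2" = tcp ]; then echo 'proto tcp-client'; else echo 'proto udp'; fi
        echo 'remote vpn.example.net 1194'
        if [ -n "$3" ]; then echo "http-proxy $3"; fi
        cat <<'EOF'
nobind
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert laptop01.crt
key laptop01.key
tls-auth ta.key 1
remote-cert-tls server
auth-user-pass
cipher AES-256-GCM
auth SHA256
verb 3
EOF
    } > "$1"
}

# Lint a client profile. Prints one finding per line; returns 1 if any.
lint_client_conf() {             # $1 = profile
    rc=0
    # Without this, any certificate issued by the same CA (another client's,
    # say) would be accepted as "the server".
    grep -qE '^remote-cert-tls[[:space:]]+server' "$1" ||
        { echo 'missing remote-cert-tls server'; rc=1; }
    # tls-auth/tls-crypt gate the control channel with a pre-shared key so
    # unauthenticated peers cannot even start a TLS handshake.
    grep -qE '^(tls-auth|tls-crypt)[[:space:]]' "$1" ||
        { echo 'missing tls-auth or tls-crypt'; rc=1; }
    # auth-user-pass on its own is a single factor; pair it with a cert.
    grep -qE '^(cert|pkcs12)[[:space:]]' "$1" ||
        { echo 'missing client certificate (auth-user-pass alone)'; rc=1; }
    if grep -qE '^(cipher|auth)[[:space:]]+none' "$1"; then
        echo 'cipher/auth none: tunnel is unencrypted or unauthenticated'; rc=1
    fi
    return $rc
}

# Demo: ./ovpn-gen.sh demo  -> writes configs under a temp dir and lints them.
if [ "${1:-}" = demo ]; then
    out=$(mktemp -d)
    write_server_conf "$out"
    write_client_conf "$out/laptop01.ovpn" tcp 'proxy.example.net 3128'
    lint_client_conf "$out/laptop01.ovpn" && echo "$out/laptop01.ovpn: ok"
fi
```

The lint is the part worth keeping around: a profile that passes through an HTTP proxy and authenticates with a password still needs `remote-cert-tls server` and a `tls-auth`/`tls-crypt` key, or the "SSL" in the VPN is doing much less than it appears to.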
  • Open SSL? (Score:2, Insightful)

    by numbsafari ( 139135 )
    The question is lame. Personally, it sounds like someone trying to get traffic driven to their site rather than a genuine Ask Slashdot.

    I'm a bit confused, too, about why IPSec is a requirement if you are looking to use an SSL VPN?

    In the meantime, just check out openssl.org.
    • Re: (Score:2, Informative)

      by schwaang ( 667808 )
      I'm a bit confused, too, about why IPSec is a requirement if you are looking to use an SSL VPN?


      My thought exactly. Isn't one of SSL's advantages in not *needing* the infrastructure that IPSec requires (support in your kernel, router, etc.)?
    • by Alioth ( 221270 )
      Possibly because the person asking the question is a noob to VPNs in general, and is a little confused about it.
  • dupe! (Score:2, Insightful)

    by Anonymous Coward
    Gee, if only there were a way to search previous articles. Oh, wait! There is!

    http://ask.slashdot.org/article.pl?sid=06/04/25/007206 [slashdot.org]

    http://ask.slashdot.org/article.pl?sid=06/04/13/1716227 [slashdot.org]

    http://ask.slashdot.org/article.pl?sid=05/01/03/1617208 [slashdot.org]
  • What do you want. (Score:5, Informative)

    by DA-MAN ( 17442 ) on Tuesday September 26, 2006 @07:10PM (#16207771) Homepage
    It looks like you don't understand the terminology properly, and it will be hard to make suggestions.

    SSL/TLS is a Transport Layer. It does not mean web based. That said, here are your options for types of vpn's that typical end users usually connect to:

    1) Full IP Access: Traditional VPN System. May put you on diff VLAN, but gives you an internal IP (or split tunnel) with access to internal resources directly. This will include OpenVPN, Hamachi, Typical IPSec VPN's, etc.
    2) Web based VPN: Usually encapsulated over https (ssl), this creates a pretty frontend for typical tasks, i.e. File browser for Samba/Win2000/2003 Servers, VNC w/ Redirection, etc
    3) Remote Machine Access: This includes NX, Remote Desktop, ssh and vnc. These give you direct access to a specific machine, which has access to other machines internally.

    It seems like when you say SSL, you mean web based. And when you say IPSec, you mean Full IP Access. If this is correct, then you'll need to use two open source products.

    I'd highly recommend using SSL Explorer for web based access, and OpenVPN for IP based access. If you don't mind paying, some of the low end Netscreens from Juniper will do both beautifully.

    Either way, please familiarize yourself with the technologies before you go talking to vendors, unless you're looking to get ripped off.
    • It seems like when you say SSL, you mean web based. And when you say IPSec, you mean Full IP Access.
      I didn't see where he said web. SSL doesn't mean web based. OpenVPN [openvpn.net] uses SSL but it's not compatible with IPSec clients.
      • by DA-MAN ( 17442 ) on Tuesday September 26, 2006 @11:19PM (#16210081) Homepage
        I didn't see where he said web. SSL doesn't mean web based.

        He pointed to SSL Explorer, which is a Web Based VPN. But, as a web based vpn, it doesn't give you a full internal ip. My belief was that by pointing to a web based vpn, called SSL Explorer, he thought SSL based VPN meant Web Based VPN.

        You're right, he never said Web Based directly, but his use of the technology, the stuff he pointed to as examples, etc. lead me to believe that we need to get the terminology down before going forward.
      • Normally when people want SSL VPNs, it's because they want to support browser-only users, without installing a client. If you're going to install a client anyway, you might as well use IPSEC. (Therefore, I find TFA's complaint that SSL-explorer doesn't have a full IPSEC client rather confusing - if you're using IPSEC, you don't need SSL, but the author did say he's looking for help....)

        Clientless SSL-based VPNs are really convenient - some of them are genuinely clientless, and some of them have Java-glue

    • I'm not aware of any of the Juniper FW/VPN products that do SSL VPN (the Juniper Neoteris does, and it does it excellently and gracefully, but it's not a firewall and it won't do IPSec all by its lonesome); all of their FW/VPN offerings (including the low-end for-soho-use fw's) do IPSec and L2TP+IPSec.
  • But Windows 2K+, Linux, and most Unices have full IPSec built in that will do 3DES encrypted VPN with SSL Cert authentication. Might want to check out what you have already. I know from experience it can be a b*tch to get cross-platform working correctly, but it certainly can be done.
    • I know from experience it can be a b*tch to get cross-platform working correctly

      I know from experience that IPSec can be a bitch to get working correctly *at* *all*!

      There are so many things wrong with it I don't know where to begin...

      Under Linux the log entries are virtually encrypted; it's extremely difficult to work out what they mean and what's wrong.

      Then there's the protocols; if you need to run several IPSec VPNs through ADSL modems things will get tough. IPSec doesn't just use the normal TCP/UDP protoco
      • by amorsen ( 7485 )
        Then there's the protocols; if you need to run several IPSec VPNs through ADSL modems things will get tough. IPSec doesn't just use the normal TCP/UDP protocols oh no, it has *special* protocols...

        I must admit I have had no trouble with IPSEC through ADSL modems. IPSEC through NAT used to be a big problem, in particular if you wanted several tunnels through the same NAT device. These days everything supports NAT-T, and that's just UDP on port 4500.
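Several comments in this thread boil down to "the cheap router only passes TCP/UDP/ICMP" or "NAT-T is just UDP 4500", and the quickest way to settle which it is for a given site is to look at what the firewall is actually logging. The script below is an added example, not from the thread: it classifies iptables LOG lines by VPN protocol (ESP and AH by name or by IP protocol number, IKE on UDP 500, NAT-T on UDP 4500, OpenVPN on 1194) and tallies a log file. The sample log lines are constructed with RFC 5737 addresses.

```shell
#!/bin/sh
# Added example, not from the thread: classify iptables LOG lines so the
# protocol a consumer router or upstream filter is dropping becomes obvious.
# The lines produced by sample_log are constructed (RFC 5737 addresses).

# Print one label for a LOG line: esp, ah, ike, nat-t, openvpn-udp,
# openvpn-tcp or other. The kernel LOG target names ESP/AH when it knows them
# and otherwise prints the IP protocol number (50/51), so both are handled.
classify_vpn_drop() {            # $1 = one iptables LOG line
    proto=$(printf '%s\n' "$1" | sed -n 's/.*PROTO=\([A-Z0-9]*\).*/\1/p')
    dpt=$(printf '%s\n' "$1" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p')
    case "$proto/$dpt" in
        ESP/*|50/*)   echo esp ;;          # IPsec payload: no ports at all
        AH/*|51/*)    echo ah ;;           # IPsec AH: fails under NAT anyway
        UDP/500)      echo ike ;;          # IKE negotiation
        UDP/4500)     echo nat-t ;;        # IKE/ESP encapsulated for NAT-T
        UDP/1194)     echo openvpn-udp ;;  # OpenVPN default port
        TCP/1194)     echo openvpn-tcp ;;
        *)            echo other ;;
    esac
}

# Count drops per class for a whole log file, most frequent first.
summarize_vpn_drops() {          # $1 = log file
    while IFS= read -r line; do
        classify_vpn_drop "$line"
    done < "$1" | sort | uniq -c | sort -rn
}

# Constructed sample: a site behind a cheap NAT router that forwards UDP but
# silently eats protocol 50, so IKE completes and then the tunnel carries nothing.
sample_log() {
    cat <<'EOF'
Sep 26 19:03:11 gw kernel: DROP IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=152 TTL=54 ID=0 DF PROTO=ESP SPI=0x0a1b2c3d
Sep 26 19:03:12 gw kernel: DROP IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=152 TTL=54 ID=0 DF PROTO=ESP SPI=0x0a1b2c3e
Sep 26 19:03:14 gw kernel: DROP IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=364 TTL=54 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=344
Sep 26 19:03:15 gw kernel: DROP IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=132 TTL=54 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=112
Sep 26 19:04:02 gw kernel: DROP IN=eth1 OUT= SRC=203.0.113.77 DST=198.51.100.2 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=45230 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Demo: ./vpn-drops.sh demo   -> tallies the constructed sample
if [ "${1:-}" = demo ]; then
    f=$(mktemp); sample_log > "$f"; summarize_vpn_drops "$f"; rm -f "$f"
fi
```

If the tally shows esp drops but no nat-t drops, the router is passing UDP and eating protocol 50, which is exactly the case where forcing NAT-T (or switching to OpenVPN over UDP) fixes things; if the UDP/4500 lines are the ones being dropped, the problem is a port filter, not a protocol one.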
  • Hello there. We have an SSL-Explorer Enterprise Edition box. The product is pretty good, and to be honest it's really, really cheap - we compared it to other vendors and I'd say it's at least 10 times cheaper for a basic deployment.
  • Juniper (Score:5, Informative)

    by TheCabal ( 215908 ) on Tuesday September 26, 2006 @07:39PM (#16208141) Journal
    Juniper Neoteris. Rock solid SSL VPN. Doesn't cost all that much, has robust features and granular access control. Comes with an ActiveX or Java client so you're not limiting yourself to just Windows users being able to use it.
    • Re: (Score:2, Informative)

      by curiosity ( 152527 )
      We use Neoteris boxes, but have recently switched a number of our VPN apps to our FortiGate firewalls. The Neoteris are much more mature and have a lot of nice functionality like single sign-on, but the cost and licensing is FAR better on the FortiGate. You can buy an FG-60 for peanuts, and there are no per-user license fees for the SSL VPN function. Has an ActiveX client for full access, or can proxy for web, ftp, telnet, etc.

      Built in AV scanning, IDS, etc is nice too.

      If you're supporting an enterprise
    • Agreed, they're great. If you have a lot of users, licenses can be a bit pricey though.
  • by Anonymous Coward
    If you are a small company, listen to Security Now! early episodes http://grc.com/securitynow [grc.com] that cover VPNs. They spent about 6 episodes on VPNs.

    If you don't need free and have a few thousand users to support, combining RSA/SecurID, ACE, and Nortel products like Shastas or Contivity Extranet Switches are excellent. If you don't need the flexibility of a Shasta, the CES line is under $20k to support 2k users. http://www.nortel.com/solutions/smb/business_solutions/comparisons/contivity_1000.html [nortel.com]
    http://pro [nortel.com]
  • IPCOP, either with the built-in ipsec vpn or with the open vpn add-on. I use the built in ipsec vpn with certificates. The open VPN add-on is easier to configure/use but works through SSL (that's not even bad, as SSL has been proven to be secure all these years). If you play your cards right you can end up with a gateway that provides:
    - stateful firewall
    - ipsec(built-in)/SSL (open vpn add-on) unlimited VPNs
    - proxy/url filtering (add-ons)
    - IDS
    - all kind of traffic monitoring/blocking modules (add-ons)

    So yo
  • I'm not sure if it's what you want, but VNC [realvnc.com] can tunnel through ssh. The combination works for me, anyway.

    • I'm not sure if it's what you want, but VNC can tunnel through ssh. The combination works for me, anyway.
      For that matter, anything that can be locked down to a specific port or range of ports (i.e., VNC works because you can nail it down to something like 5901-5910, depending on the number of displays, but FTP won't because of its tendency to use random high-numbered ports) will work through ssh. So http, smb/cifs, nfs, etc all seem to work. Requires a bit more work for some exotic protocols, though -- yo
  • by Anonymous Coward on Tuesday September 26, 2006 @09:27PM (#16209253)
    "I am tasked with evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far I am lost. Please do my job for me as I am not sure what this google thing is everyone keeps mentioning. k thx bye"
    • by Xenna ( 37238 )
      Well, yes of course the poster is a lazy ass, but it's very useful to have this kind of discussion once in a while to get a nice overview of the currently possible solutions. I know the answer to many 'Ask Slashdot' postings, but I still read those because I'm interested in OTHER PEOPLE's ANSWERS.

      So, just keep asking those stupid questions, please...

      X.
  • Now, maybe I'm a bit jaded. But seeing this kind of drivel on /. rather irritates me. The poster could have asked "What Open Source SSL VPN solutions are available?" but instead he asked for a "free" as in cash solution. Excuse me for being one of the millions of people world wide who feed their families by working hard to provide a professional solution to you.

    If you want to go open source, that's fine, go open source. But don't sit here and beg for handouts while insulting those of us who make it our life
    • I see nothing in the post that indicates he's looking for free "as in beer"! All he said was "free". Does he have to capitalize it before you're willing to read a request for freedom in there? I mean, I don't know if he meant free-as-in-speech or -as-in-beer, but I certainly don't see anything that would justify leaping to the conclusion that he meant -as-in-beer.

      As for "those of us who make it our life's work"...get over it! I started writing sort routines in assembler in the late seventies, but I'm not b
    • I'm not bothered by it (in spite of working for an ISP that sells services using several different vendors' equipment) - first of all, if you want supported commercial solutions, there are a number of companies that sell them, and you can go find them on Network World or Google or the other usual sources. (Getting reviews that tell you which products don't actually work very well may be harder than getting vendor-literature and PR puff pieces, but you can still get the basic facts.) And there are service
  • by Slartibartfast ( 3395 ) * <kenNO@SPAMjots.org> on Tuesday September 26, 2006 @10:27PM (#16209755) Homepage Journal
    First, let me just say that OpenVPN is the coolest VPN solution, ever. There's a GUI for Windows users, it can tunnel through ANYTHING (NTLM authentication through a proxy server? No problem!), it's incredibly flexible, it has features out the wazoo, it has good documentation and -- get THIS -- the logs actually contain stuff that helps you fix problems. "Certificate file /etc/openvpn/keys/foo.crt not found." Stuff like that. However, apparently (since OpenVPN -also- uses UDP by default, thus eliminating TCP-over-TCP cascading issues), there's more to OpenVPN than meets my eye; on a BBS I'm a member of (telnet://whip.isca.uiowa.edu), one of the more network-savvy folks had some commentary:

    OpenVPN is the only "SSL VPN" that uses UDP, yes. They invented a protocol that
    uses SSL over UDP for authentication, and until they did, SSL had never been
    implemented over UDP. There's now an IETF Internet Draft for DTLS, which is
    another SSL over UDP protocol specification, but no one else uses it yet,
    AFAIK, and it's still just an Internet Draft, not an RFC yet. The others
    implemented their SSL VPNs over TCP for two reasons:

    1) There wasn't a standard SSL over UDP specification to implement.
    2) SSL over UDP doesn't look like HTTPS, which is half the appeal of these
          products, because looking like HTTPS is often what gets them through
          a firewall on their end when a conventional VPN client can't get through.

    Note that OpenVPN doesn't transport its data stream over SSL. They use IPSec
    ESP over UDP for that, the same as standard IPSec NAT-T does. They just use
    SSL over UDP for session authentication and management--in other words, as
    an IKE replacement, as far as I can tell. In that respect, there's really
    not much to differentiate it from IPSec NAT-T.
  • I have been testing ssl explorer on windows and linux and the community edition works quite well. http://3sp.com/showSslExplorerCommunity.do?referrer=sslexplorer/ [3sp.com]
  • OK. This isn't free. But, for a business, it is pretty close.

    http://www.tomsnetworking.com/2006/09/26/netgear_ssl312_ssl_vpn_gateway_review/ [tomsnetworking.com]

    This is a small hardware box available for under $400 that looks like it may do what you want.

    I do admit that there are free software options available, but those require a server somewhere, and probably a bit of trial-and-error and time to get it running. This hardware box, on the other hand, looks like it would be set up in less than an hour.

    Just an option...
  • I have been using OpenVPN for three years with no problems at the small business I work for. I set up the two owners with access, along with myself. We can all access the work LAN from our home PCs or our laptops. We map network drives, access the intranet, check IMAP email, use VNC, and do just about anything else we would do at the office. I also set OpenVPN up for a friend's small business. He is a road warrior and uses OpenVPN from the road with no problem to use Quickbooks, print to the office, ch
  • Like many others, I highly recommend using OpenVPN. It has clients for Linux, *BSD, OS X, and Windows. It's highly configurable and can do just about whatever you want. It also works over proxy servers.

    Another thing you could try is using SSH. It's possible to use it as a VPN, but you have to use something like PPTP with it. I'm not sure about Windows support, though. If you use corkscrew, an SSH VPN could also work over a proxy.

    Clusty and Scroogle are your friends. (fuck google's data retention poli
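Two comments above reach for ssh instead of a VPN: one forwards VNC displays with -L, the other wants ssh as a full tunnel. The script below is an added example, not from the thread: it builds the ssh command line for a range of VNC displays with the options that make a port forward safe to leave running, and the command line for OpenSSH's own layer-3 tunnel (-w, which needs PermitTunnel on the server) as the clientless alternative to pppd-over-ssh. gw.example.net, the user names and the 10.9.0.0/30 addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the ssh command lines for the two
# ssh-as-VPN setups above. gw.example.net and the user names are assumptions.

# Port forwards for VNC displays $2..$3 on the remote host. Display N listens
# on TCP 5900+N, which is why VNC tunnels cleanly where passive FTP does not.
vnc_tunnel_cmd() {               # $1 = user@host, $2 = first display, $3 = last
    # -N: no remote shell. ExitOnForwardFailure: fail loudly if a local port is
    # taken instead of silently running without the forward. ServerAlive keeps
    # the session alive through NAT idle timeouts.
    cmd='ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30'
    n=$2
    while [ "$n" -le "$3" ]; do
        port=$((5900 + n))
        # Bind the local listener to loopback explicitly so the forward is
        # never reachable from the LAN even if GatewayPorts is set in ssh_config.
        cmd="$cmd -L 127.0.0.1:$port:127.0.0.1:$port"
        n=$((n + 1))
    done
    printf '%s %s\n' "$cmd" "$1"
}

# Layer-3 tunnel with OpenSSH's -w: creates tun$2 locally and tun$3 on the
# server. Needs "PermitTunnel yes" in the server's sshd_config and a login that
# may configure interfaces (root) on both ends.
ssh_tun_cmd() {                  # $1 = root@host, $2 = local tun, $3 = remote tun
    printf 'ssh -f -N -w %s:%s %s\n' "$2" "$3" "$1"
}

# Interface setup once the -w tunnel exists (Linux; one line per side, addresses
# are assumptions):
#   local:  ip addr add 10.9.0.1/30 dev tun0 && ip link set tun0 up
#   remote: ip addr add 10.9.0.2/30 dev tun0 && ip link set tun0 up
# then add a route for the far subnet via 10.9.0.2 (local) / 10.9.0.1 (remote).

# Demo: ./ssh-tunnels.sh demo
if [ "${1:-}" = demo ]; then
    vnc_tunnel_cmd alice@gw.example.net 1 3
    ssh_tun_cmd root@gw.example.net 0 0
fi
```

The -w tunnel carries whole IP packets over one TCP session, so it inherits the TCP-over-TCP stalls discussed further down the thread; it is fine for an occasional admin session, but for anything that has to survive lossy links the UDP transport of OpenVPN is the better fit.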
  • I use OpenVPN all the time, both on windows and linux platforms (openvpn on openwrt rawks!)

    The OpenVPN windows client creates a tun/tap device, which looks like just another network device under windows.

    If you had a site to site openvpn-based vpn up and running, connecting two subnets, you could easily use windows' IPSEC implementation between two microsoft boxes, across the VPN - they would never know it was there.

    I *think* you could do the same thing, even if the openvpn package is running direct
