Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Free SSL VPN Solutions? 70

poison1701 asks: "I am in the process of evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far the only free SSL VPN product I have come across is SSL Explorer Community Edition which looks like a very good product, but the free version lacks some of the features that I want (like the full IPSec client). What other SSL VPN solutions are out there? "
This discussion has been archived. No new comments can be posted.

Free SSL VPN Solutions?

Comments Filter:
  • Openvpn (Score:5, Informative)

    by brokenin2 ( 103006 ) * on Tuesday September 26, 2006 @05:50PM (#16207515) Homepage
    Openvpn... Free, full of features.. Open source.. reliable.. Most everything you'll want, even including a windows client and server (never used under windows though).
    • Re: (Score:2, Informative)

      by fc104 ( 954434 )
      I second that. I have used it under linux and windows and it has been extremely reliable. The openvpn configuration files work seamlessly between both platforms.
    • Re:Openvpn (Score:5, Informative)

      by GloomE ( 695185 ) on Tuesday September 26, 2006 @06:03PM (#16207689)
      Yah
      I'm using it with both Linux and Windows.
      Tunnels and point-to-point.

      I used to use IPSec, a lot of hassle, takes too long to bring the tunnel back up if it goes down, would go down and not come back up without manual intervention.

      OpenVPN however has been perfectly reliable for the 6 weeks I've been using it so far.
      The Windows GUI version from http://openvpn.se/ [openvpn.se] seems to work simply enough for many Windows users.
      • by Bert64 ( 520050 )
        I second that, i've been using OpenVPN at home for nearly 2 years now without a hitch, and within the last 6 months i've introduced it at work, it's gone down very well and it's universally preferred over the old proprietary vpn it replaced.

        Another issue with ipsec btw, is that because of the strange protocols it uses for setting up the connection, it often fails to work on some cheaper consumer grade DSL routers.
        • Some routers simply don't route anything but TCP (and sometimes not even that) correctly. Putting up a VPN will teach you which ones. I have one situation where the "calling" router does not recieve UDP correctly, but the (same-brand) server router does.

          I've switched OpenVPN to TCP and she's a all work, but I could switch just one side of the link to TCP and she's all still work.

          If you only want to forward one or a few TCP ports, you can use ssh (-L and -R options). Do take care to have the thing be paranoi
      • Re: Mac too (Score:3, Informative)

        by palmucci ( 534299 )
        Works great on Macs too. See http://www.tunnelblick.net/ [tunnelblick.net] for a mac gui.
    • by Deorus ( 811828 )
      never used under windows though

      The client works wonderfully under Linux, FreeBSD, OSX, and Windows, at the very least. And yes, OpenVPN is the way to go for all your VPN needs.

    • Re:Openvpn (Score:4, Informative)

      by imemyself ( 757318 ) on Tuesday September 26, 2006 @09:03PM (#16209571)
      I couldn't agree more. I love OpenVPN, especially the fact that its so versatile. It can go through NAT without any problems, and it can be tunneled over SSH, or sent through an HTTP proxy. It can do username/password authentication, or use certificates, or both. It can have per-client configurations for assigning IP addresses. Its freaking awesome. It makes me wonder why the hell anyone would mess with PPTP or IPSec stuff, especially since NAT is almost everywhere these days.
      • Re: (Score:3, Interesting)

        by tji ( 74570 )
        > It makes me wonder why the hell anyone would mess with PPTP or IPSec stuff, especially since NAT is almost everywhere these days.

        I use IPSec because I can buy cheap wireless routers that have hardware accelerated IPSec, and IPSec clients are widely available (built into MacOS X, easily installable in Linux).

        IPSec does work with NAT. IPSec AH (authenticate only, not encrypt) mode doesn't, but nobody uses that and many devices don't support it. IPSec ESP works fine through NAT.
        • by Bert64 ( 520050 )
          ESP works fine, providing your cheap router recognises the protocol and routes it... A lot of cheaper consumer level routing devices will only route tcp/udp/icmp.
          Also, some of those cheap wireless routers actually run linux, so it's not unrealistic to modify them to support openvpn encryption in hardware instead.

          Here's a thought tho, many wireless cards support hardware encryption acceleration, how easy would it be to make OpenSSL support these cards?
          • by tji ( 74570 )
            > Also, some of those cheap wireless routers actually run linux, so it's not unrealistic to modify them to support openvpn encryption in hardware instead.

            Yes, good point. There is an open source firmware for the popular WRV54G that supports OpenVPN or PPTP. But, then I have to install OpenVPN + a tun/tap kernel driver on my PowerBook. Not a huge deal, but third pary kernel modules scare me a bit. Instead, I picked up a surprisingly powerful router/firewall/802.11g/IPSec VPN device on eBay for $50 a
    • Re: (Score:2, Informative)

      The only problem with OpenVPN for this case is that the poster specifically says they would like to be able to use IPSec, which OpenVPN clearly states it does not. Quote from the OpenVPN's front page: "There are three major families of VPN implementations in wide usage today: SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with IPSec, L2TP, or PPTP. The IPSec protocol is designed to be implemented as a modification to the IP stack in kernel space, and therefore each operating sy
    • OpenVPN is a godsend. I use it in a variety of contexts - to link my home network with my work network (with appropriate firewalling, of course), for remote access to my home network or work networks from anywhere on the internet, and as a secure replacement for WEP/WPA on my wifi access point. I have used it on both Windows and Linux. It's rock solid stable, fast, easy to set up, and works beautifully. Even on Windows it seems to have no trouble. The Windows GUI is nice, too - just a tiny little management
  • Regulations? (Score:1, Insightful)

    by !ramirez ( 106823 )
    If you're in a regulated environment, odds are that you're making enough money that spending a little money on some professional consulting time (or perhaps the software itself) for this problem is a far better solution than Asking Slashdot(tm).

    Having said that, there are plenty of roll-your-own SSL VPN solutions out there - many of which are open source. I'd recommend starting with Google.
    • Redundant: Repeated or duplicated unnecessarily.

      Seeing as how this was the 2nd post in the thread, it's kinda hard for it to be duplicating something when his point is entirely different than the first post.

      -Rick
      • Re: (Score:1, Insightful)

        by Anonymous Coward
        Actually, with most Ask Slashdot submissions, there is a significant (if not a majority) of comments which simply rant about how irrelevant whatever the question is. They forward them off to Google or a professional.

        While on-topic, not flamebait and not trolls (although I'd call them trolls), these posts contribute absolutely nothing to the discussion. Because they are almost the same post regardless of the question... "Well, since (blah) and since (blah), you shouldn't ask Slashdot. Why don't you talk t
        • by RingDev ( 879105 )
          Ringdev's Razor: "When there are two possible explanations for a given situation, one that requires a large amount of knowledge, skill, and luck, and another that requires gross incompetence; go with the incompetence explanation."

          -Rick
    • by bit01 ( 644603 )

      If you're in a regulated environment, odds are that you're making enough money that spending a little money on some professional consulting time (or perhaps the software itself) for this problem is a far better solution than Asking Slashdot(tm).

      Who said he's not doing both? The two options are not mutually exclusive as you imply.

      ---

      Open source software is everything that closed source software is. Plus the source is available.

  • openvpn.org. We've been using it for both linux and windows clients. The windows client has a nifty little systray app. There is not much configuration needed, and it can work with passwords or keys. If you haven't dealt with PKI already and want to use certs that will be a learning curve with any vpn that uses certs.
    It has been very stable for us, we run the server on an OpenBSD box. The documentation is pretty good, and you can make your own windows installer with your configurations preloaded. One minor
  • Open SSL? (Score:2, Insightful)

    by numbsafari ( 139135 )
    The question is lame. Personally, it sounds like someone trying to get traffic driven to their site than a genuine Ask Slashdot.

    I'm a bit confused, too, about why IPSec is a requirement if you are looking to use an SSL VPN?

    In the meantime, just check out openssl.org.
    • Re: (Score:2, Informative)

      by schwaang ( 667808 )
      I'm a bit confused, too, about why IPSec is a requirement if you are looking to use an SSL VPN?


      My thought exactly. Isn't one of SSL's advantages in not *needing* the infrastructure that IPSec requires (support in your kernel, router, etc.)?
    • by Alioth ( 221270 )
      Possibly because the person asking the question is a noob to VPNs in general, and is a little confused about it.
  • dupe! (Score:2, Insightful)

    by Anonymous Coward
    Gee, if only there were a way to search previous articles. Oh, wait! There is!

    http://ask.slashdot.org/article.pl?sid=06/04/25/00 7206 [slashdot.org]

    http://ask.slashdot.org/article.pl?sid=06/04/13/17 16227 [slashdot.org]

    http://ask.slashdot.org/article.pl?sid=05/01/03/16 17208 [slashdot.org]
  • What do you want. (Score:5, Informative)

    by DA-MAN ( 17442 ) on Tuesday September 26, 2006 @06:10PM (#16207771) Homepage
    It looks like you don't understand the terminology properly, and it will be hard to make suggestions.

    SSL/TLS is a Transport Layer. It does not mean web based. That said, here are your options for types of vpn's that typical end users usually connect to:

    1) Full IP Access: Traditional VPN System. May put you on diff VLAN, but gives you an internal IP (or split tunnel) with access to internal resources directly. This will include OpenVPN, Hamachi, Typical IPSec VPN's, etc.
    2) Web based VPN: Usually encapsulated over https (ssl), this creates a pretty frontend for typical tasks. IE File browser for Samba/Win2000/2003 Servers, VNC w/ Redirection, etc
    3) Remote Machine Access: This includes NX, Remote Desktop, ssh and vnc. These give you direct access to a specific machine, which has access to other machines internally.

    It seems like when you say SSL, you mean web based. And when you say IPSec, you mean Full IP Access. If this is correct, then you'll need to use two open source products.

    I'd highly recommend using SSL Explorer for web based access, and OpenVPN for IP based access. If you don't mind paying, some of the low end Netscreens from Juniper will do both beautifully.

    Either way, please familiarize yourself with the technologies before you go talking to vendors, unless you're looking to get ripped off.
    • It seems like when you say SSL, you mean web based. And when you say IPSec, you mean Full IP Access.
      I didn't see where he said web. SSL doesn't mean web based. OpenVPN [openvpn.net] uses SSL but it's not compatible with IPSec clients.
      • by DA-MAN ( 17442 ) on Tuesday September 26, 2006 @10:19PM (#16210081) Homepage
        I didn't see where he said web. SSL doesn't mean web based.

        He pointed to SSL Explorer, which is a Web Based VPN. But, as a web based vpn, it doesn't give you a full internal ip. My belief was that that by pointing to a web based vpn, called SSL Explorer, he thought SSL based VPN meant Web Based VPN.

        You're right, he never said Web Based directly, but his use of the technology, the stuff he pointed to as examples, etc. lead me to believe that we need to get the terminology down before going forward.
      • Normally when people want SSL VPNs, it's because they want to support browser-only users, without installing a client. If you're going to install a client anyway, you might as well use IPSEC. (Therefore, I find TFA's complaint that SSL-explorer doesn't have a full IPSEC client rather confusing - if you're using IPSEC, you don't need SSL, but the author did say he's looking for help....)

        CLientless SSL-based VPNs are really convenient - some of them are genuinely clientless, and some of them have Java-glue

    • I'm not aware of any of the Juniper FW/VPN products that do SSL VPN (the Juniper Neoteris does, and it does it excellently and gracefully, but it's not a firewall and it won't do IPSec all by it's lonesome); all of their FW/VPN offerings (including the low-end for-soho-use fw's) do IPSec and L2TP+IPSec.
  • But Windows 2K+, Linux, and most Unicies have full IPSec built in that will do 3DES encrypted VPN with SSL Cert authentication. Might want to check out what you have already. I know from experience it can be a b*tch to get cross-platform working correctly, but it certainly can be done.
    • I know from experience it can be a b*tch to get cross-platform working correctly

      I know from experience that IPSec can be a bitch to get working correctly *at* *all*!

      There are so many things wrong with it I don't know where to begin...

      Under Linux the log entries are virtually encrypted; its extremely difficult to work out what they mean and whats wrong.

      Then theres the protocols; if you need to run several IPSec VPNs through ADSL modems things will get tough. IPSec doesn't just use the normal TCP/UDP protoco
      • by amorsen ( 7485 )
        Then theres the protocols; if you need to run several IPSec VPNs through ADSL modems things will get tough. IPSec doesn't just use the normal TCP/UDP protocols oh no, it has *special* protocols...

        I must admit I have had no trouble with IPSEC through ADSL modems. IPSEC through NAT used to be a big problem, in particular if you wanted several tunnels through the same NAT device. These days everything supports NAT-T, and that's just UDP on port 4500.
  • OpenVPN (Score:2, Informative)

    by _pi-away ( 308135 )
    It sounds like what you want is OpenVPN. I am assuming you do not want one of those crappy web based solutions that ruined the "SSL VPN" for a while in late 90s/early 2000s. OpenVPN is very solid, fairly easy to configure, and the windows client is very good.

    If you have a little scripting skill, you can even make deploying it a total breeze assuming you have a secure https site that your employees can access.

    1) Setup OpenVPN server (works on windows, but I recommend OpenBSD for security reasons).
    2) Create
  • Hello there. We have an SSL-Explorer Enterprise Edition box. The product is pretty good, and to be honest it's really, really cheap - we compared it to other vendors and I'd say it's at least 10 times cheaper for a basic deployment.
  • Juniper (Score:5, Informative)

    by TheCabal ( 215908 ) on Tuesday September 26, 2006 @06:39PM (#16208141) Journal
    Juniper Neoteris. Rock solid SSL VPN. Doesn't cost all that much, has robust features and granular access control. Comes with an ActiveX or Java client so you're not limiting yourself to just Windows users being able to use it.
    • Re: (Score:2, Informative)

      by curiosity ( 152527 )
      We use Neoteris boxes, but have recently switched a number of our VPN apps to our FortiGate firewalls. The Neoteris are much more mature and have a lot of nice functionality like single sign-on, but the cost and licensing is FAR better on the FortiGate. You can buy an FG-60 for peanuts, and there are no per-user license fees for the SSL VPN function. Has an ActiveX client for full access, or can proxy for web, ftp, telnet, etc.

      Built in AV scanning, IDS, etc is nice too.

      If you're supporting an enterprise
    • Agreed, they're great. If you have a lot of users, licenses can be a bit pricey though.
  • by Anonymous Coward
    If you are a small company, listen to Security Now! early episodes http://grc.com/securitynow [grc.com] that cover VPNs. They spent about 6 episodes on VPNs.

    If you don't need free and have a few thousand users to support, combining RSA/SecurID, ACE, and Nortel products like Shastas or Contivity Extranet Switches are excellent. If you don't need the flexibility of a Shasta, the CES line is under $20k to support 2k users. http://www.nortel.com/solutions/smb/business_solut ions/comparisons/contivity_1000.html [nortel.com]
    http://pro [nortel.com]
  • IPCOP, either with the built-in ipsec vpn or with the open vpn add-on. I use the built in ipsec vpn with certificates. The open VPN add-on is easier to configure/use but works trough SSl (thats not even bad as SSL has been proven to be secure all this years).If you play your cards rigth you can end up with a gateway that provides:
    - stateful firewall
    - ipsec(built-in)/SSL (open vpn add-on) unlimited VPNs
    - proxy/url filtering (add-ons)
    - IDS
    - all kind of traffic monitoring/bloking modules (add-ons)

    So yo
  • I'm not sure if it's what you want, but VNC [realvnc.com] can tunnel through ssh. The combination works for me, anyway.

    • I'm not sure if it's what you want, but VNC can tunnel through ssh. The combination works for me, anyway.
      For that matter, anything that can be locked down to a specific port or range of ports (i.e., VNC works because you can nail it down to something like 5901-5910, depending on the number of displays, but FTP won't because of its tendancy to use random high-numbered ports) will work through ssh. So http, smb/cifs, nfs, etc all seem to work. Requires a bit more work for some exotic protocols, though -- yo
  • by Anonymous Coward on Tuesday September 26, 2006 @08:27PM (#16209253)
    "I am tasked with evaluating SSL VPN solutions to comply with the security regulations that are imposed on my company. So far I am lost. Please do my job for me as I am not sure what this google thing is everyone keeps mentioning. k thx bye"
    • by Xenna ( 37238 )
      Well, yes of course the poster is a lazy ass, but it's very useful to have this kind of discussion once in a while to get a nice overview of the currently possible solutions. I know the answer to many 'Ask Slashdot' postings, but I still read those because I'm interested in OTHER PEOPLE's ANSWERS.

      So, just keep asking those stupid questions, please...

      X.
  • Now, maybe I'm a bit jaded. But seeing this kind of drivel on /. rather irritates me. The poster could have asked "What Open Source SSL VPN solutions are available?" but instead he asked for a "free" as in cash solution. Excuse me for being one of the millions of people world wide who feed their families by working hard to provide a professional solution to you.

    If you want to go open source, that's fine, go open source. But don't sit here and beg for handouts while insulting those of us who make it our life
    • I see nothing in the post that indicates he's looking for free "as in beer"! All he said was "free". Does he have to capitalize it before you're willing to read a request for freedom in there? I mean, I don't know if he meant free-as-in-speech or -as-in-beer, but I certainly don't see anything that would justify leaping the conclusion that he meant -as-in-beer.

      As for "those of us who make it our life's work"...get over it! I started writing sort routines in assembler in the late seventies, but I'm not b
    • I'm not bothered by it (in spite of working for an ISP that sells services using several different vendors' equipment) - first of all, if you want supported commercial solutions, there are a number of companies that sell them, and you can go find them on Network World or Google or the other usual sources. (Getting reviews that tell you which products don't actually work very well may be harder than getting vendor-literature and PR puff pieces, but you can still get the basic facts.) And there are service
  • by Slartibartfast ( 3395 ) * <ken&jots,org> on Tuesday September 26, 2006 @09:27PM (#16209755) Homepage Journal
    First, let me just say that OpenVPN is the coolest VPN solution, ever. There's a GUI for Windows users, it can tunnel through ANYTHING (NTLM authentication through a proxy server? No problem!), it's incredibly flexible, it has features out the wazoo, it has good documentation and -- get THIS -- the logs actually contain stuff that helps you fix problems. "Certificate file /etc/openvpn/keys/foo.crt not found." Stuff like that. However, apparently (since OpenVPN -also- uses UDP by default, thus eliminating TCP-over-TCP cascading issues), there's more to OpenVPN than meets my eye; on a BBS I'm a member of (telnet://whip.isca.uiowa.edu), one of the more network-savvy folks had some commentary:

    OpenVPN is the only "SSL VPN" that uses UDP, yes. They invented a protocol that
    uses SSL over UDP for authentication, and until they did, SSL had never been
    implemented over UDP. There's now an IETF Internet Draft for DTLS, which is
    another SSL over UDP protocol specification, but no one else uses it yet,
    AFAIK, and it's still just an Internet Draft, not an RFC yet. The others
    implemented their SSL VPNs over TCP for two reasons:

    1) There wasn't a standard SSL over UDP specification to implement.
    2) SSL over UDP doesn't look like HTTPS, which is half the appeal of these
          products, because looking like HTTPS is often what gets them through
          a firewall on their end when a conventional VPN client can't get through.

    Note that OpenVPN doesn't transport its data stream over SSL. They use IPSec
    ESP over UDP for that, the same as standard IPSec NAT-T does. They just use
    SSL over UDP for session authentication and management--in other words, as
    an IKE replacement, as far as I can tell. In that respect, there's really
    not much to differentiate it from IPSec NAT-T.
  • I have been testing ssl explorer on windows and linux and the community edition works quite well. http://3sp.com/showSslExplorerCommunity.do?referre r=sslexplorer/ [3sp.com]
  • OK. This isn't free. But, for a business, it is pretty close.

    http://www.tomsnetworking.com/2006/09/26/netgear_s sl312_ssl_vpn_gateway_review/ [tomsnetworking.com]

    This is a small hardware box available for under $400 that looks like it may do what you want.

    I do admit that there are free software options available, but those require a server somewhere, and probably a bit of trial-and-error and time to get it running. This hardware box, on the other hand, looks like it would be set up in less than an hour.

    Just an option...
  • I have been using OpenVPN for three years with no problems at the small business I work for. I set up the two owners with access, along with myself. We can all access the work LAN from our home PCs or our laptops. We map network drives, access the intranet, check IMAP email, use VNC, and do just about anything else we would do at the office. I also set OpenVPN up for a friend's small business. He is a road warrior and uses OpenVPN from the road with no problem to use Quickbooks, print to the office, ch
  • Like many others, I highly reccomend using OpenVPN. It has clients for Linux, *BSD, OS X, and Windows. It's highly configurable and can do just about whatever you want. It also works over proxy servers.

    Another thing you could try is using SSH. It's possible to use it as a VPN, but you have to use something like PPTP with it. I'm not sure about Windows support, though. If you use corkscrew, an SSH VPN could also work over a proxy.

    Clusty and Scroogle are your friends. (fuck google's data retention poli
  • I use OpenVPN all the time, both on windows and linux platforms (openvpn on openwrt rawks!)

    The OpenVPN windows client creates a tun/tap device, which looks like just another network device under windows.

    If you had a site to site openvpn-based vpn up and running, connecting two subnets, you could easily use windows' IPSEC implementation between two microsoft boxes, across the VPN - they would never know it was there.

    I *think* you could do the same thing, even if the openvpn package is running direct

Overflow on /dev/null, please empty the bit bucket.

Working...