OpenBSD <> Commercial VPNs

OpenBSD <> Commercial VPNs

Jack J. Woehr
Googled and not found much on connecting OpenBSD to proprietary VPN offerings.

I looked at OpenVPN which conceptually resembles Fortinet but doesn't seem to have any way to connect to Fortinet SSL VPN.

Any pointers or tips?


--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

Re: OpenBSD <> Commercial VPNs

Janne Johansson-3
Try ipsec, I hear some of the commercial offerings almost manage that too.


2015-10-10 19:21 GMT+02:00 Jack J. Woehr <[hidden email]>:

> Googled and not found much on connecting OpenBSD to proprietary VPN
> offerings.
>
> I looked at OpenVPN which conceptually resembles Fortinet but doesn't seem
> to have any way to connect to Fortinet SSL VPN.
>
> Any pointers or tips?
>
>
> --
> Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan
>
>


--
May the most significant bit of your life be positive.

Re: OpenBSD <> Commercial VPNs

Jack J. Woehr
Janne Johansson wrote:
> Try ipsec, I hear some of the commercial offerings almost manage that too.
I just can't figure out how to connect to VPN's I don't have any control of.

I've found articles where the user had admin control of the Cisco or Fortinet device.

I just need to log into nets I don't administer. I'm forced off OpenBSD in the workplace when the connection is thru a VPN.

I don't understand the minutiae of VPN's enough to figure this out and I find no useful examples on the web.

--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

Re: OpenBSD <> Commercial VPNs

Joel Wirāmu Pauling
You could try using the Linux binary emulation layer to connect using the Cisco
vpnc client. For the old proprietary Cisco IPSec implementation:

http://www.openbsd.org/papers/slack2k11-on_compat_linux.pdf

I've recently been using SoftEther for my personal VPNs; it's on GitHub. I
haven't tried to compile it for OpenBSD, but it's not going to help
connect to random vendor firewalls.

I am unsure if Fortinet have a Linux client; I imagine they must.

OpenVPN works just fine under OpenBSD.

-Joel


On 10 October 2015 at 15:04, Jack J. Woehr <[hidden email]> wrote:

> Janne Johansson wrote:
>
>> Try ipsec, I hear some of the commercial offerings almost manage that too.
>>
> I just can't figure out how to connect to VPN's I don't have any control
> of.
>
> I've found articles where the user had admin control of the Cisco or
> Fortinet device.
>
> I just need to log into nets I don't administer. I'm forced off OpenBSD in
> the workplace when I the connection is thru a VPN.
>
> I don't understand the minutiae of VPN's enough to figure this out and I
> find no useful examples on the web.
>
>
> --
> Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan

Re: OpenBSD <> Commercial VPNs

Steven Shockley
In reply to this post by Jack J. Woehr
On 10/10/2015 1:21 PM, Jack J. Woehr wrote:
> I looked at OpenVPN which conceptually resembles Fortinet but doesn't
> seem to have any way to connect to Fortinet SSL VPN.

A quick search found https://github.com/adrienverge/openfortivpn, but I
haven't tested it. That looks like it replaces the Fortinet VPN client.
Otherwise you could do ipsec, but I think that requires the firewall
admin to configure something specifically for your connection.

Re: OpenBSD <> Commercial VPNs

Jack J. Woehr
Steve Shockley wrote:
>
> A quick search found https://github.com/adrienverge/openfortivpn, but I haven't tested it.

Thank you for the pointer. I didn't find that. What was your search string?

It's clearly the right product. However, I've been trying to build it for an hour now. It requires Much Work for
OpenBSD; it's somewhat wed to the Linux stack.

--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

Re: OpenBSD <> Commercial VPNs

Jack J. Woehr
In reply to this post by Joel Wirāmu Pauling
Joel Wirāmu Pauling wrote:
> I am unsure if Fortinet have a linux client, I imagine they must.

I think just Windows and Mac, thanks.

--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl
Sagan

Re: OpenBSD <> Commercial VPNs

Jack J. Woehr
In reply to this post by Jack J. Woehr
Jack J. Woehr wrote:
> Steve Shockley wrote:
>>
>> A quick search found https://github.com/adrienverge/openfortivpn, but I haven't tested it.
>
> It's clearly the right product. However. I've been trying to build it for an hour now. It requires Much Work for
> OpenBSD, it's somewhat wed to the Linux stack.
>

I'm sort of stuck at the moment on these macros where "rt" is an instance of struct rtentry :

#define route_dest(route) \
         (((struct sockaddr_in *) &(route)->rt_dst)->sin_addr)
#define route_mask(route) \
         (((struct sockaddr_in *) &(route)->rt_genmask)->sin_addr)
#define route_gtw(route) \
         (((struct sockaddr_in *) &(route)->rt_gateway)->sin_addr)
#define route_iface(route) \
         ((route)->rt_dev)

If anyone can help me translate this to OpenBSD ... :)

--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

Re: OpenBSD <> Commercial VPNs

Jack J. Woehr
Jack J. Woehr wrote:
>
> I'm sort of stuck at the moment on these macros where "rt" is an instance of struct rtentry :
>
> #define route_dest(route) \

I meant "route" is an instance of struct rtentry.


--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan
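The macros quoted above read fields of Linux's struct rtentry. OpenBSD userland has no such structure: a route is read (RTM_GET) or written (RTM_ADD) through a PF_ROUTE socket, and the destination, gateway, netmask and interface travel as a list of sockaddrs that follows struct rt_msghdr, selected by the rtm_addrs bitmask. The following is an added example of walking that list; it is not part of this thread and not openfortivpn code. The X_RTA_*, X_AF_LINK and X_ROUNDUP definitions reproduce OpenBSD's values so the file also builds on other hosts, the routing message is a constructed sample, and every x_* name is invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* rtm_addrs bits, same values as RTA_DST/RTA_GATEWAY/RTA_NETMASK/RTA_IFP in
 * OpenBSD's <net/route.h>; prefixed X_ so this also builds on other hosts. */
#define X_RTA_DST     0x1u
#define X_RTA_GATEWAY 0x2u
#define X_RTA_NETMASK 0x4u
#define X_RTA_IFP     0x10u
#define X_AF_INET     2       /* AF_INET, same on Linux and OpenBSD */
#define X_AF_LINK     18      /* OpenBSD's AF_LINK */
/* Sockaddrs in a routing message are padded to a multiple of sizeof(long);
 * a zero-length sockaddr still takes one slot (route(8)'s ROUNDUP idiom). */
#define X_ROUNDUP(a) \
    ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))

struct x_route {
    uint32_t dst, mask, gtw;  /* IPv4, network byte order, as in sin_addr */
    unsigned have;            /* X_RTA_* bits actually found as addresses */
};

/* Walk the sockaddrs that follow struct rt_msghdr: buf points at the first
 * one ((char *)rtm + rtm->rtm_hdrlen on OpenBSD), len is the number of bytes
 * left in the message, addrs is rtm->rtm_addrs.  Returns -1 if truncated. */
int x_parse_route_addrs(const unsigned char *buf, size_t len,
                        unsigned addrs, struct x_route *out)
{
    size_t off = 0;

    memset(out, 0, sizeof *out);
    for (unsigned bit = 1; bit != 0; bit <<= 1) {
        if (!(addrs & bit))
            continue;                     /* this address is not present */
        if (off + 2 > len)
            return -1;                    /* no room for sa_len/sa_family */
        unsigned sa_len = buf[off];       /* BSD sockaddr: sa_len comes first */
        unsigned sa_family = buf[off + 1];
        if (off + sa_len > len)
            return -1;
        if (bit == X_RTA_NETMASK) {
            /* Masks arrive truncated (trailing zero bytes dropped) and their
             * sa_family may be unset: copy what exists into a zeroed word. */
            uint32_t m = 0;
            if (sa_len > 4)
                memcpy(&m, buf + off + 4, sa_len - 4 > 4 ? 4 : sa_len - 4);
            out->mask = m;
            out->have |= bit;
        } else if (sa_family == X_AF_INET && sa_len >= 8) {
            uint32_t a;
            memcpy(&a, buf + off + 4, 4); /* sin_addr sits at offset 4 */
            if (bit == X_RTA_DST) {
                out->dst = a;
                out->have |= bit;
            } else if (bit == X_RTA_GATEWAY) {
                out->gtw = a;
                out->have |= bit;
            }
        }
        /* AF_LINK (the interface, Linux's rt_dev) and any other family are
         * skipped but still advance the cursor. */
        off += X_ROUNDUP(sa_len);
    }
    return 0;
}

/* Constructed sample: the address block an RTM_GET reply for 10.0.0.0/24 via
 * 192.0.2.1 on tun0 would carry.  Slots are 16, 16, 8 and 24 bytes, valid for
 * both 4- and 8-byte longs; the /24 mask is in BSD's truncated form (sa_len 7)
 * and an AF_LINK sockaddr (ifindex 1, name length 4) follows it. */
static const unsigned char x_sample[64] = {
    16, X_AF_INET, 0, 0, 10, 0, 0, 0,    0, 0, 0, 0, 0, 0, 0, 0,   /* dst */
    16, X_AF_INET, 0, 0, 192, 0, 2, 1,   0, 0, 0, 0, 0, 0, 0, 0,   /* gateway */
     7, X_AF_INET, 0, 0, 255, 255, 255,  0,                        /* /24 mask */
    24, X_AF_LINK, 1, 0, 0, 4, 0, 0, 't', 'u', 'n', '0',           /* tun0 */
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
};
#define X_SAMPLE_ADDRS (X_RTA_DST | X_RTA_GATEWAY | X_RTA_NETMASK | X_RTA_IFP)

int main(void)
{
    struct x_route r;
    char d[INET_ADDRSTRLEN], m[INET_ADDRSTRLEN], g[INET_ADDRSTRLEN];

    if (x_parse_route_addrs(x_sample, sizeof x_sample, X_SAMPLE_ADDRS, &r) != 0) {
        fputs("malformed routing message\n", stderr);
        return 1;
    }
    /* prints: dest 10.0.0.0 mask 255.255.255.0 gateway 192.0.2.1 */
    printf("dest %s mask %s gateway %s\n",
           inet_ntop(AF_INET, &r.dst, d, sizeof d),
           inet_ntop(AF_INET, &r.mask, m, sizeof m),
           inet_ntop(AF_INET, &r.gtw, g, sizeof g));
    return 0;
}
```

On OpenBSD the same walker is fed from a real reply: send an RTM_GET with RTA_DST set on a PF_ROUTE socket, read the answer into a buffer, and hand the bytes after rtm_hdrlen together with rtm_addrs to x_parse_route_addrs. The length checks matter because the kernel reports masks with their trailing zero bytes cut off and pads every entry, so reading fixed offsets the way the Linux macros do would walk off the end of a short message.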

Re: OpenBSD <> Commercial VPNs

Pedro Tender-2
In reply to this post by Jack J. Woehr
They also have a Linux client.
On Oct 11, 2015 12:59 AM, "Jack J. Woehr" <[hidden email]> wrote:

> Joel Wirāmu Pauling wrote:
> > I am unsure if Fortinet have a linux client, I imagine they must.
>
> I think just Windows and Mac, thanks.
>
> --
> Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl
> Sagan

Re: OpenBSD <> Commercial VPNs

Jiri B-2
In reply to this post by Joel Wirāmu Pauling
On Sat, Oct 10, 2015 at 03:35:02PM -0700, Joel Wirāmu Pauling wrote:

> You could try using Linux Binary emulation layer to connect using the cisco
> vpnc client. For the old proprietary Cisco IPSec implementation:
>
> http://www.openbsd.org/papers/slack2k11-on_compat_linux.pdf
>
> I've recently been using softether for my personal VPN's it's on Github I
> haven't tried to compile it for openBSD - but it's not going to help
> connect to random vendor Firewalls.
>
> I am unsure if Fortinet have a linux client, I imagine they must.
>
> OpenVPN works just fine under openbsd.

compat_linux works on i386 only. Cisco's AnyConnect SSL VPN and
Juniper SSL VPN, which is now known as Pulse Connect Secure, are supported
by openconnect, which is in ports.

j.

Re: OpenBSD <> Commercial VPNs

Jack J. Woehr
In reply to this post by Pedro Tender-2
Pedro Tender wrote:
>
> They also have a Linux client.
>
>

I've looked for it, any tips where it might be found?


--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

Re: OpenBSD <> Commercial VPNs

Pedro Tender-2
In the Fortinet firmware (yes, firmware...) downloads, IIRC.
On Oct 11, 2015 3:55 PM, "Jack J. Woehr" <[hidden email]> wrote:

> Pedro Tender wrote:
>
>>
>> They also have a Linux client.
>>
>>
>>
> I've looked for it, any tips where it might be found?
>
>
> --
> Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan

Re: OpenBSD <> Commercial VPNs

Jack J. Woehr
In reply to this post by Jiri B-2
Jiri B wrote:
> c Cisco's AnyConnect SSL VPN and Juniper SSL VPN which is now known as Pulse Connect Secure is supported by
> openconnect which is in ports.

I found vpnc in ports/net and that almost works.

It connects and shows it is adding the correct routes that I would expect.

And then no traffic comes through. 'route show' looks correct but nothing seems to be going back and forth.

--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

Re: OpenBSD <> Commercial VPNs

Dimitris Papastamos
On Sun, Oct 11, 2015 at 12:47:42PM -0600, Jack J. Woehr wrote:
> Jiri B wrote:
> >c Cisco's AnyConnect SSL VPN and Juniper SSL VPN which is now known as
> >Pulse Connect Secure is supported by openconnect which is in ports.
>
> I found vpnc in ports/net and that almost works.
>
> It connects and shows it is adding the correct routes that I would expect.
>
> And then no traffic comes through. 'route show' looks correct but nothing seems to be going back and forth.

I use vpnc regularly on -current without any special configuration and it
works fine with my network.

My config is as follows:

IPSec gateway vpn.example.net
IPSec ID FOO
IPSec obfuscated secret BAR
Xauth username BAZ
DPD idle timeout (our side) 0

Re: OpenBSD <> Commercial VPNs

securityvsconvenience
In reply to this post by Jack J. Woehr
Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8? That is the
next step in my architecture to create a "more" secure environment. There
are very few options on the market for that, unfortunately.

On Sun, Oct 11, 2015 at 11:47 AM, Jack J. Woehr <[hidden email]> wrote:

> Jiri B wrote:
>
>> c Cisco's AnyConnect SSL VPN and Juniper SSL VPN which is now known as
>> Pulse Connect Secure is supported by openconnect which is in ports.
>>
>
> I found vpnc in ports/net and that almost works.
>
> It connects and shows it is adding the correct routes that I would expect.
>
> And then no traffic comes through. 'route show' looks correct but nothing
> seems to be going back and forth.
>
>
> --
> Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan
>
>


--
danny nguyen
linkedIn <https://www.linkedin.com/pub/danny-n/7/b63/379>

Re: OpenBSD <> Commercial VPNs

Jack J. Woehr
In reply to this post by Dimitris Papastamos
Dimitris Papastamos wrote:

> I use vpnc regularly on -current without any special configuration and it
> works fine with my network.
>
> My config is as follows:
>
> IPSec gateway vpn.example.net
> IPSec ID FOO
> IPSec obfuscated secret BAR
> Xauth username BAZ
> DPD idle timeout (our side) 0
>
Yeah, that's mine too. Seems to work. But no traffic goes through.

--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

Re: OpenBSD <> Commercial VPNs

Theo de Raadt
In reply to this post by securityvsconvenience
> Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8?

Yes, people do it all the time.

Please -- what KIND of VPN are you asking about.

Is conversational precision that difficult?  There are more than two
handfuls of technologies that create something which is considered "a VPN".

As a result, this conversation about VPN's is super low quality;
there is no point implying OpenBSD is weak at doing these things,
it is the inexact people walking around acting lost...

Re: OpenBSD <> Commercial VPNs

Gregor Best-2
In reply to this post by securityvsconvenience
On Sun, Oct 11, 2015 at 12:08:00PM -0700, Danny Nguyen wrote:
> Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8?
> [...]

Yes. As of right now, I have

        $ ps aux | grep openvpn | wc -l
                8
        $ ipsecctl -sa | wc -l
                8

and a tinc tunnel. Tinc is not in ports, but there's a WIP port I sent
to ports@ a year or two ago.

It really depends on what you mean by "a vpn" because there are a lot of
technologies to do that. In my experience, openvpn is the easiest choice
if you want everything to work automagically on almost every platform
there is. Tinc is nice if you don't want a central node as a single
point of failure, and IPsec is awesome on OpenBSD because it's extremely
easy to set up and in base.

> There are very few options on the market for that unfortunately.
> [...]

See above. There's also PPTP and what not.

--
        Gregor

Re: OpenBSD <> Commercial VPNs

Jack J. Woehr
In reply to this post by Jack J. Woehr
Dimitris Papastamos wrote:

>> Dimitris Papastamos wrote:
>>> On Sun, Oct 11, 2015 at 01:06:58PM -0600, Jack J. Woehr wrote:
>>> I am not sure what's wrong. I guess you see traffic leaving your external interface but not getting any replies?
>>

I've got it, thanks! I forgot to do the sysctls necessary to let the packets thru:

sysctl net.inet.esp.enable=0
sysctl net.inet.esp.udpencap=0

Thanks for your help, and to everyone who tried to help this confused soul :)

--
Jack J. Woehr     # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan
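The two settings that resolved the thread, Dimitris's five-line vpnc configuration and the pair of net.inet.esp sysctls, are the whole recipe for running vpnc on OpenBSD, so here is an added preflight script that ties them together. It is not from the thread and not part of vpnc: it renders the configuration with the same keys and placeholder values posted above, writes it so that only the owner can read it (the file holds the group secret and the Xauth identity), and checks captured sysctl output for the two ESP values. It assumes OpenBSD's sysctl(8) "name=value" output format; the path /etc/vpnc/vpnc.conf in the usage comment is the conventional one and all function names are invented here.

```shell
#!/bin/sh
# Added example, not from the thread or from vpnc: preflight for running
# vpnc on OpenBSD, built from the settings posted in the thread.
# Assumptions: the five config lines are exactly the ones posted above
# (placeholder values); OpenBSD's sysctl(8) prints one "name=value" per line.

# Render vpnc.conf from its parts.  Passing the secret as an argument is
# acceptable for a one-off on a single-user box; it is visible in ps(1)
# while the command runs, so on a shared host read it from a 0600 file.
render_vpnc_conf() {
    # $1 gateway, $2 IPsec ID, $3 obfuscated secret, $4 Xauth username
    printf 'IPSec gateway %s\n' "$1"
    printf 'IPSec ID %s\n' "$2"
    printf 'IPSec obfuscated secret %s\n' "$3"
    printf 'Xauth username %s\n' "$4"
    printf 'DPD idle timeout (our side) 0\n'
}

# Write the file under umask 077 so a new file is created 0600: it carries
# the group secret and the Xauth identity, so no other local user may read
# it.  (umask does not change an existing file; conf_mode_ok catches that.)
write_vpnc_conf() {
    # $1 path, $2..$5 as for render_vpnc_conf
    ( umask 077 && render_vpnc_conf "$2" "$3" "$4" "$5" > "$1" )
}

# Succeeds only if the file is owner read/write and nothing else.
conf_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# vpnc does ESP in userland.  If the kernel also handles ESP it consumes
# the tunnel's packets, so 'route show' looks right while nothing flows,
# which is the symptom reported in the thread.  Given the captured output of
#   sysctl net.inet.esp.enable net.inet.esp.udpencap
# succeed only when both values are present and 0.
esp_sysctls_ok() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "net.inet.esp.enable"   { enable = $2 + 0; seen++ }
        $1 == "net.inet.esp.udpencap" { encap  = $2 + 0; seen++ }
        END { exit !(seen == 2 && enable == 0 && encap == 0) }'
}

# Typical use on the OpenBSD host:
#   write_vpnc_conf /etc/vpnc/vpnc.conf vpn.example.net FOO BAR BAZ
#   conf_mode_ok /etc/vpnc/vpnc.conf || chmod 600 /etc/vpnc/vpnc.conf
#   esp_sysctls_ok "$(sysctl net.inet.esp.enable net.inet.esp.udpencap)" \
#       || echo "kernel ESP still enabled; set both sysctls to 0 before vpnc"
```

One caveat the thread does not spell out: net.inet.esp.enable=0 switches off ESP processing in the kernel for the whole host, not just for vpnc, so it conflicts with any IPsec the kernel itself terminates (iked or isakmpd flows shown by ipsecctl -sa). On a machine that also runs kernel IPsec, vpnc's userland ESP and the kernel's cannot both be in use at once.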