openconnect


openconnect

Hrvoje Popovski
Hi all,

Does anyone use an openconnect server on OpenBSD and have guidelines on
how to configure it? I see that an openconnect server can use RADIUS, so
it's interesting to me. Which client do you use to connect to the
openconnect server?

If there is something else that can use RADIUS, I would like to know.

Tnx

Re: openconnect

Stuart Henderson
On 2020-09-01, Hrvoje Popovski <[hidden email]> wrote:
> Hi all,
>
> does anyone use an openconnect server on openbsd and have guidelines on
> how to configure it? i see that an openconnect server can use radius, so
> it's interesting to me. Which client do you use to connect to the
> openconnect server?

It worked when I tested after porting ocserv/openconnect, but I'm not using
it in production. You should be able to connect to ocserv using either the
openconnect client or cisco anyconnect client.

> If there is something else that can use radius, i would like to know?

at least these:

- npppd (yeuch l2tp :)

- openvpn (there's a username/pw auth method using a helper script,
you can write something calling a radius client to check auth, also
yeuch openvpn :)

I did once see some code including radius support for iked but it
was tied up with a bunch of other changes and looked a bit complex
to separate. I don't recall whether it was just username/pw or if
it did full EAP.


Re: openconnect

Tom Smyth
Hello All,

Drifting off topic on this one, but when I saw OpenVPN mentioned:
OpenVPN performance on OpenBSD (with tap interfaces) is less than one
would expect. Even turning off ciphers and auth, you still get about
80-90mb/s on a machine that would forward about 3.5Gb/s - 5Gb/s.

In doing a test with tap interfaces and a userland bridge (thanks Claudio)
to test where the bottleneck was (in case it was the tap interface that
was slow), it looked like OpenBSD tap interfaces were not to blame:
performance of the tap interfaces was about 10% slower than bridging
physical interfaces. As OpenVPN say themselves, it needs a rewrite, and
perhaps the code inefficiencies in OpenVPN combined with the OpenBSD
mitigations limit performance.

sorry for drifting a little off topic...
Tom Smyth




On Tue, 1 Sep 2020 at 14:40, Stuart Henderson <[hidden email]> wrote:

> On 2020-09-01, Hrvoje Popovski <[hidden email]> wrote:
> > Hi all,
> >
> > does anyone use an openconnect server on openbsd and have guidelines on
> > how to configure it? i see that an openconnect server can use radius, so
> > it's interesting to me. Which client do you use to connect to the
> > openconnect server?
>
> It worked when I tested after porting ocserv/openconnect, but I'm not using
> it in production. You should be able to connect to ocserv using either the
> openconnect client or cisco anyconnect client.
>
> > If there is something else that can use radius, i would like to know?
>
> at least these:
>
> - npppd (yeuch l2tp :)
>
> - openvpn (there's a username/pw auth method using a helper script,
> you can write something calling a radius client to check auth, also
> yeuch openvpn :)
>
> I did once see some code including radius support for iked but it
> was tied up with a bunch of other changes and looked a bit complex
> to separate. I don't recall whether it was just username/pw or if
> it did full EAP.
>
>
>

--
Kindest regards,
Tom Smyth.
Re: openconnect

Hrvoje Popovski
On 1.9.2020. 15:22, Stuart Henderson wrote:

> On 2020-09-01, Hrvoje Popovski <[hidden email]> wrote:
>> Hi all,
>>
>> does anyone use an openconnect server on openbsd and have guidelines on
>> how to configure it? i see that an openconnect server can use radius, so
>> it's interesting to me. Which client do you use to connect to the
>> openconnect server?
>
> It worked when I tested after porting ocserv/openconnect, but I'm not using
> it in production. You should be able to connect to ocserv using either the
> openconnect client or cisco anyconnect client.
>
>> If there is something else that can use radius, i would like to know?
>
> at least these:
>
> - npppd (yeuch l2tp :)
>
> - openvpn (there's a username/pw auth method using a helper script,
> you can write something calling a radius client to check auth, also
> yeuch openvpn :)
>
> I did once see some code including radius support for iked but it
> was tied up with a bunch of other changes and looked a bit complex
> to separate. I don't recall whether it was just username/pw or if
> it did full EAP.
>
>

Thanks for the information. It would be great to have RADIUS support for iked
so students could use their eduroam username/password for VPN ...