Weblog entry #8 for lters
Current Road Warrior Vpn Solutions
Posted by lters on Wed 6 Jun 2007 at 18:14
Doing a new review of all the different road warrior VPN solutions.
And looking for a solution that works well with Windows and Linux as clients. What solutions work best for you?
Some of the ones I have considered are:
OpenVPN
PPTP
IPsec
One of the things I need is better control of the client from the server configuration, like blocking local network access, RADIUS support to control the IP pool or the IP address, as well as auditing of logins.
Ideally the server software runs on Debian and access is controlled via iptables.
I am leaning toward trying to learn OpenVPN. It seems to have a good variety of clients, a better encrypted stack than PPTP, etc.
What works best for you, and why have you chosen it?
Comments on this Entry
I commend OpenVPN to you. We've been using it for years and find it very satisfactory.
o Admin is light: for a new user I cut a new certificate with a password. I give the user this and a configuration file and get the user to set up their own client. To terminate an account I just revoke the certificate.
o The _only_ thing that occasionally trips users up is their personal firewall.
o Activity is logged.
o I can push the client's IP, routes, gateway, etc.
o I trust the security of the implementation.
o It's very stable.
Our configuration is of the bridged Ethernet form. Set-up was straightforward, following the documentation. The only thing that gave me memorable grief was the UDP maximum frame size. I had to keep tuning this down until the user complaints stopped. UDP doesn't traverse the Pond as reliably as you might expect...
Give it a go!
Steve.
[ Parent | Reply to this comment ]
Steve:
I prefer to use ipsec/klips instead of openvpn. It's true, openvpn offers easy administration on the server and easy installation and configuration of the Windows clients.
Because ipsec/klips is a kernel-space tool, it has better performance than openvpn (a userspace tool).
With openvpn you can avoid the problem of carefully assigning the address space for the internal networks; this requires good planning with ipsec/klips.
Jorge.
[ Parent | Reply to this comment ]