Suppose I have a network device (not a PC, but it talks TCP/IP - eg a printer, although in this case it'll be some industrial hardware), and I want to install it on a customer's site in such a way that I want to be able to securely access it remotely with minimal changes at the customer's site.
One option is to have a little black box which makes an outbound connection through the site's Internet connection to connect to a VPN, and in doing so providing access to the network device.
Any suggestions for that little black box, and for how to configure it?
I am assuming of course that the little black box will be Linux based.
I have seen some industrial solutions which (I think) allow both the client (some block in an office at his PC) and the device to set up a small peer-to-peer secure network using a third party mediation server to allow the connections to establish (similar to the ways that stuff like Skype, Hamachi, etc work). However they're very expensive (typically £500+ at each end) and I'd rather have something I have more control over anyway. (If that means running my own mediation server that's not necessarily a problem.)
However, there may be simpler options: the black box connects to the office's PPTP VPN, and creates a local NAT'ed subnet with port forwarding through the NAT router to allow device access, etc. (If it sounds like I'm waffling it's because I don't really know what I'm talking about :-)
Mark Rogers wrote:
> Suppose I have a network device (not a PC, but it talks TCP/IP - eg a printer, although in this case it'll be some industrial hardware), and I want to install it on a customer's site in such a way that I want to be able to securely access it remotely with minimal changes at the customer's site.
> One option is to have a little black box which makes an outbound connection through the site's Internet connection to connect to a VPN, and in doing so providing access to the network device.
> Any suggestions for that little black box, and for how to configure it?
> I am assuming of course that the little black box will be Linux based.
> I have seen some industrial solutions which (I think) allow both the client (some block in an office at his PC) and the device to set up a small peer-to-peer secure network using a third party mediation server to allow the connections to establish (similar to the ways that stuff like Skype, Hamachi, etc work). However they're very expensive (typically £500+ at each end) and I'd rather have something I have more control over anyway. (If that means running my own mediation server that's not necessarily a problem.)
> However, there may be simpler options: the black box connects to the office's PPTP VPN, and creates a local NAT'ed subnet with port forwarding through the NAT router to allow device access, etc. (If it sounds like I'm waffling it's because I don't really know what I'm talking about :-)
This might do it, although it seems to have far too much functionality: http://www.ebox-platform.com
It supports OpenVPN, which will do all you want and more.
Cheers, Laurie.
On 24/06/10 13:31, Laurie Brown wrote:
> This might do it, although it seems to have far too much functionality: http://www.ebox-platform.com
> It supports OpenVPN, which will do all you want and more.
Looks useful to play with for other things, thanks, even if OTT for this.
I was thinking about some of the embedded Linux devices, Tonido Plug, Guru Server, etc, although I'm not sure they'll do what I need (or if they will, then how to do it).
> > This might do it, although it seems to have far too much functionality:
> > It supports OpenVPN, which will do all you want and more.
> Looks useful to play with for other things, thanks, even if OTT for this.
> I was thinking about some of the embedded Linux devices, Tonido Plug, Guru Server, etc, although I'm not sure they'll do what I need (or if they will, then how to do it).
Mark - do you mean that OpenVPN is over the top, or ebox-platform? If you're happy with OpenVPN, then maybe just install Ubuntu on a Sheevaplug? Actually, looking at Tonido Plug I can see that the hardware is a Sheevaplug.
Richard
Mark Rogers wrote:
> On 24/06/10 13:31, Laurie Brown wrote:
> > This might do it, although it seems to have far too much functionality: http://www.ebox-platform.com
> > It supports OpenVPN, which will do all you want and more.
> Looks useful to play with for other things, thanks, even if OTT for this.
I thought that...
> I was thinking about some of the embedded Linux devices, Tonido Plug, Guru Server, etc, although I'm not sure they'll do what I need (or if they will, then how to do it).
Well, MiniITX is a good area to look for tiny boxes (a fanless box the size of a paperback, with Solid State drives, for instance), and maybe this installed: http://www.pfsense.com
It doesn't support OpenVPN (but apparently will when V2 comes out "some time this year"); it uses IPSEC only right now.
There's a company selling MiniITX stuff here in Suffolk. I've used them, and they're very good. The site http://www.mini-itx.com is a good source for seeing what's out there and what's coming up, and the (Linux-friendly) local guys can be found at http://linitx.com. They even sell boxes that look as if they might do what you want (http://linitx.com/viewcategory.php?catid=79). They do assume, though, that you know what you want, which is where the first site comes in, if you're a noob in MiniITX.
Cheers, Laurie.
On 24/06/10 15:31, Laurie Brown wrote:
> It doesn't support OpenVPN (but apparently will when V2 comes out "some time this year"); it uses IPSEC only right now.
Are there any good open-source peer-to-peer VPN solutions? A quick Google got me stuff like Wippien, n2n, p2pvpn, etc, but I have no experience of any of them to know if they're any good.
If I am to use a "normal" VPN, then it will likely need to be Microsoft's PPTP, as the office already has this.
> the (Linux-friendly) local guys can be found at http://linitx.com.
Indeed, have used LinITX before, and they are very helpful.
Ideally I'm looking for something smaller though, like the PogoPlug or TonidoPlug, which I (perhaps wrongly) perceive as being simpler bits of kit with less to go wrong. But I have no idea whether they'll do what I want!
Mark Rogers wrote:
> On 24/06/10 15:31, Laurie Brown wrote:
> > It doesn't support OpenVPN (but apparently will when V2 comes out "some time this year"); it uses IPSEC only right now.
> Are there any good open-source peer-to-peer VPN solutions? A quick Google got me stuff like Wippien, n2n, p2pvpn, etc, but I have no experience of any of them to know if they're any good.
Laurie Brown wrote about two of the best: OpenVPN and IPSEC (using the native Linux IPsec stack, or the Openswan KLIPS stack?).
> If I am to use a "normal" VPN, then it will likely need to be Microsoft's PPTP, as the office already has this.
Serious security vulnerabilities have been found in PPTP if it uses MSCHAP-v1, MSCHAP-v2 and/or MPPE (which most installations do). Is EAP-TLS still secure? How many people use it?
Hope that helps,
MJ Ray wrote:
> Mark Rogers wrote:
> > On 24/06/10 15:31, Laurie Brown wrote:
> > > It doesn't support OpenVPN (but apparently will when V2 comes out "some time this year"); it uses IPSEC only right now.
> > Are there any good open-source peer-to-peer VPN solutions? A quick Google got me stuff like Wippien, n2n, p2pvpn, etc, but I have no experience of any of them to know if they're any good.
> Laurie Brown wrote about two of the best: OpenVPN and IPSEC (using the native Linux IPsec stack, or the Openswan KLIPS stack?).
As you prolly know, OpenVPN doesn't support IPSEC; it uses SSL certificates, making a much better, more secure VPN.
It works seamlessly with Shorewall.
Cheers, Laurie.
I may have missed the point here but is what you're after a Guru Plug (or similar) running Linux, with Openswan/OpenVPN and Snort to be a small IPS/IDS/VPN device... As for remote support... SSH?
On 24/06/10 18:00, MJ Ray wrote:
> Laurie Brown wrote about two of the best: OpenVPN and IPSEC (using the native Linux IPsec stack, or the Openswan KLIPS stack?).
Ah, I didn't know that OpenVPN & IPSEC could be used in peer-to-peer configurations. I'll go hunting again.
> Serious security vulnerabilities have been found in PPTP if it uses MSCHAP-v1, MSCHAP-v2 and/or MPPE (which most installations do). Is EAP-TLS still secure? How many people use it?
I'd happily ditch PPTP altogether but the site I have to make this work with will keep PPTP for their own use, so having my box connect to it is no less secure (and possibly more secure) than running parallel VPN solutions.
I'd love to see PPTP disappear, for sure. But then I'd love to see Windows-centric environments disappear so it's hardly a surprise.
Mark Rogers wrote:
> On 24/06/10 18:00, MJ Ray wrote:
> > Laurie Brown wrote about two of the best: OpenVPN and IPSEC (using the native Linux IPsec stack, or the Openswan KLIPS stack?).
> Ah, I didn't know that OpenVPN & IPSEC could be used in peer-to-peer configurations. I'll go hunting again.
Recently, when I asked one of my (predominantly Windoze) clients what was the best piece of OS software we'd put in for them, he unhesitatingly replied "OpenVPN".
Once you get the OpenVPN tunnel sorted, connecting via the GUI is trivial.
There was a good guide posted on this very group not long ago: http://hinterlands.org/wiki/index.php/OpenVPNQuickstart courtesy of Martin Brooks, which will help you get a flavour.
We just set up a 3-site OpenVPN tunnelled network, with road warriors to two sites via the GUI, all via shorewall. Plan it right, and it just works...
Cheers, Laurie.
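As an added example (not from the thread, and not Laurie's or Martin Brooks's setup), here is what the "black box" from Mark's question looks like when it is an OpenVPN client that dials out to the office server, with one TCP port of the customer's device published through the tunnel by DNAT so the device itself needs no reconfiguration. The server name, certificate name, tunnel address, device address and port are all assumptions; the CA, certificates, DH parameters and ta.key must be generated separately (e.g. with easy-rsa) and are not produced here.

```shell
#!/bin/sh
# Added example (not from the thread): provision the "black box" as an OpenVPN
# client that dials out to the office server, and publish one TCP port of the
# customer's device through the tunnel with DNAT so the device is untouched.
# All names, addresses and ports below are assumptions.

OFFICE_VPN_HOST="vpn.example.office"   # assumed public name of the office OpenVPN server
BOX_NAME="box01"                       # assumed certificate common name of this black box
BOX_TUN_IP="10.8.0.10"                 # tunnel address the server pins to this box
BOX_LAN_IF="eth0"                      # box interface facing the customer's LAN
DEVICE_IP="192.168.50.10"              # assumed address of the industrial device on that LAN
DEVICE_PORT="9100"                     # assumed TCP port the device listens on

# Client side: outbound only, certificate-authenticated, with tls-auth so the
# server's UDP port ignores packets that do not carry the shared HMAC key.
write_client_config() {  # $1 = output directory
    cat > "$1/$BOX_NAME.conf" <<EOF
client
dev tun
proto udp
remote $OFFICE_VPN_HOST 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $BOX_NAME.crt
key $BOX_NAME.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
keepalive 10 60
verb 3
EOF
}

# Server side: client-config-dir pins a fixed tunnel IP to each box's
# certificate, so "box01 is always 10.8.0.10" holds across reconnects.
write_server_config() {  # $1 = output directory
    mkdir -p "$1/ccd"
    cat > "$1/server.conf" <<EOF
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
keepalive 10 120
persist-key
persist-tun
verb 3
EOF
    printf 'ifconfig-push %s 255.255.255.0\n' "$BOX_TUN_IP" > "$1/ccd/$BOX_NAME"
}

# Firewall for the box: only the one device port is reachable, only from the
# tunnel, and the device sees the box's LAN address as the source (MASQUERADE)
# so it needs no route back into the VPN. Emitted as a script; run it as root.
box_firewall_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i tun0 -o $BOX_LAN_IF -p tcp -d $DEVICE_IP --dport $DEVICE_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $BOX_LAN_IF -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i tun0 -p tcp -d $BOX_TUN_IP --dport $DEVICE_PORT -j DNAT --to-destination $DEVICE_IP:$DEVICE_PORT
iptables -t nat -A POSTROUTING -o $BOX_LAN_IF -d $DEVICE_IP -j MASQUERADE
EOF
}

# Usage: sh provision.sh client|server|firewall <outdir>
case "${1-}" in
    client)   write_client_config "$2" ;;
    server)   write_server_config "$2" ;;
    firewall) box_firewall_rules ;;
esac
```

Once the box is up, anything on the office side that can reach 10.8.0.10 (the OpenVPN server itself, or a road-warrior client on it) talks to the device on port 9100 and nothing else: the FORWARD policy of DROP means the rest of the customer's LAN is not exposed through the tunnel, and because the device only ever sees the box's own LAN address, the customer's router and the device stay exactly as they were.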
On 24 Jun 18:00, MJ Ray wrote:
> Mark Rogers wrote:
> > On 24/06/10 15:31, Laurie Brown wrote:
> > > It doesn't support OpenVPN (but apparently will when V2 comes out "some time this year"); it uses IPSEC only right now.
> > Are there any good open-source peer-to-peer VPN solutions? A quick Google got me stuff like Wippien, n2n, p2pvpn, etc, but I have no experience of any of them to know if they're any good.
> Laurie Brown wrote about two of the best: OpenVPN and IPSEC (using the native Linux IPsec stack, or the Openswan KLIPS stack?).
Personally I'm currently using tinc, which is simple to set up between linux boxes, not yet had the misfortune of needing to connect via a windows box, though, but I believe that there is a client. It's basically just ssl based, sits out the way, and does nice autoreconnection foo. It binds to a tun/tap interface, which is nice... so I use it in a potentially slightly odd way, I deliberately set the mac address manually on the tun/tap interface on the machines, and on the "server" there's an radvd instance bound to that end's tun/tap interface, I then get static ipv6 addresses for anything that connects to the server, and can route to those globally from any other ipv6 enabled place. It might be a bit of an abuse of some v6 space, but it ain't half handy, and does mean that wherever me and my laptop travel, I've generally got ipv6 connectivity.
(Next step - giving the phone an ipv6 address when it's got wireless up automagically, and making it so that I can bring up the ipv6 manually at other times - should just involve installing tinc on the n900 and writing a small app to sit in the status bar for turning on/off the vpn :)
Cheers,
On 25/06/10 09:56, Brett Parker wrote:
> Personally I'm currently using tinc, which is simple to set up between linux boxes, not yet had the misfortune of needing to connect via a windows box, though, but I believe that there is a client.
For no particular reason, I just started looking at tinc to see if I can understand how to use it for what I need.
Suppose I have computers A & B with tinc installed. Computer A is in office A connected to the Internet through a NAT router. Computer B is similarly connected in office B. (There is no direct path between them.)
What steps do I need to go through to get A and B to talk to each other via tinc? Can I do it without port forwarding in either router, eg by having server C sat on the Internet somewhere accessible to both? (And if I can, would all traffic between A and B therefore go via C?)
(I'm getting myself into a bit of a muddle trying to work out exactly what I'm trying to achieve here!)
On 25 Jun 11:10, Mark Rogers wrote:
> On 25/06/10 09:56, Brett Parker wrote:
> > Personally I'm currently using tinc, which is simple to set up between linux boxes, not yet had the misfortune of needing to connect via a windows box, though, but I believe that there is a client.
> For no particular reason, I just started looking at tinc to see if I can understand how to use it for what I need.
> Suppose I have computers A & B with tinc installed. Computer A is in office A connected to the Internet through a NAT router. Computer B is similarly connected in office B. (There is no direct path between them.)
> What steps do I need to go through to get A and B to talk to each other via tinc? Can I do it without port forwarding in either router, eg by having server C sat on the Internet somewhere accessible to both? (And if I can, would all traffic between A and B therefore go via C?)
> (I'm getting myself into a bit of a muddle trying to work out exactly what I'm trying to achieve here!)
I'd be using server C and connecting A and B to that, yes, traffic would then flow from A to B via C, but that's not necessarily a bad thing, and is the element of least surprise.
There's also n2n available to directly connect the 2 ends, that relies on one "super node" that gets a connection from both and then gets the 2 to talk at each other instead. That may well be a better option.
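As an added example (not Brett's configuration and not from the thread), this script generates the tinc configuration for the layout Brett describes for Mark's A/B/C question, and for the tun/tap setup he mentions in his earlier message: A and B sit behind NAT routers with no port forwarding, C is a host on the Internet, both spokes have ConnectTo pointing at C, and only C's host file carries an Address and Port. The net name, node names, VPN addresses and C's DNS name are assumptions; the RSA keys are generated afterwards with tincd -K and are not produced here.

```shell
#!/bin/sh
# Added example (not from the thread): generate tinc 1.0 configuration for a
# hub-and-spoke VPN. nodeA and nodeB are behind NAT with no port forwarding,
# nodeC is reachable on the Internet, and both spokes dial out to nodeC.
# Net name, node names, addresses and the hub's DNS name are assumptions.

NETNAME="lab"
HUB_PUBLIC_ADDR="c.example.net"   # assumed DNS name of server C, the only node anyone connects to
HUB_PORT="655"                    # tinc's default port; the only port that must be open anywhere

# write_node <outroot> <name> <vpn ip> [public address]
# Creates <outroot>/<name>/tinc/<NETNAME>/{tinc.conf,tinc-up,hosts/<name>}.
# Only the hub gets an Address/Port line: spokes listen on nothing that has
# to be reachable, so their routers need no changes at all.
write_node() {
    root="$1/$2/tinc/$NETNAME"
    mkdir -p "$root/hosts"
    {
        echo "Name = $2"
        echo "Device = /dev/net/tun"
        echo "Mode = router"
        if [ "$2" != "nodeC" ]; then
            echo "ConnectTo = nodeC"
        fi
    } > "$root/tinc.conf"
    {
        echo "Subnet = $3/32"
        if [ -n "${4-}" ]; then
            echo "Address = $4"
            echo "Port = $HUB_PORT"
        fi
        echo "# public RSA key is appended here by: tincd -n $NETNAME -K"
    } > "$root/hosts/$2"
    printf '#!/bin/sh\nifconfig $INTERFACE %s netmask 255.255.255.0\n' "$3" > "$root/tinc-up"
    chmod 755 "$root/tinc-up"
}

# Every node needs every other node's host file (it carries the public key
# and Subnet), so after generation copy all of hosts/ into all three trees.
share_host_files() {  # $1 = outroot
    for src in "$1"/node*/tinc/"$NETNAME"/hosts/*; do
        for dst in "$1"/node*/tinc/"$NETNAME"/hosts; do
            case "$src" in "$dst"/*) continue ;; esac   # skip copying a file onto itself
            cp "$src" "$dst/"
        done
    done
}

# hub_connections <outroot>: number of tinc.conf files that dial nodeC.
# With no direct A<->B path this equals the number of spokes, and all
# A<->B traffic is relayed through C.
hub_connections() {
    grep -l '^ConnectTo = nodeC$' "$1"/node*/tinc/"$NETNAME"/tinc.conf | wc -l | tr -d ' '
}

build_all() {  # $1 = outroot
    write_node "$1" nodeC 10.99.0.1 "$HUB_PUBLIC_ADDR"
    write_node "$1" nodeA 10.99.0.2
    write_node "$1" nodeB 10.99.0.3
    share_host_files "$1"
}

# Usage: sh tinc-hub.sh build <outroot>   then copy <outroot>/<node>/tinc to /etc on each node
case "${1-}" in
    build) build_all "$2" ;;
esac
```

After copying each tree to /etc/tinc on its node and running tincd -n lab -K on all three (then redistributing the host files, since that step appends the public keys), nodeA and nodeB reach each other over their 10.99.0.x addresses with nothing opened on either office router; the only inbound port in the whole design is 655 on nodeC, which is the trade-off Brett notes: C sees and relays every packet between A and B.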
On 25/06/10 11:36, Brett Parker wrote:
> There's also n2n available to directly connect the 2 ends, that relies on one "super node" that gets a connection from both and then gets the 2 to talk at each other instead. That may well be a better option.
I'd looked at (but not tried) n2n previously, so I just gave it a quick run.
It's trivial to set up, but my test VPN didn't work (I had one Linux client and one Windows client to try to connect to the VPN, which was all I had to hand); I need to try again with just Linux clients I think.
Mark Rogers wrote:
> On 24/06/10 15:31, Laurie Brown wrote:
> > It doesn't support OpenVPN (but apparently will when V2 comes out "some time this year"); it uses IPSEC only right now.
> Are there any good open-source peer-to-peer VPN solutions? A quick Google got me stuff like Wippien, n2n, p2pvpn, etc, but I have no experience of any of them to know if they're any good.
For me, it's hard to beat Shorewall and OpenVPN working together... Easy to set-up and manage, and the OpenVPN GUI for Windoze users is simply superb.
You could look at http://www.vyatta.com (but I didn't like it). I can't remember why we stopped trialling it, but IMO shorewall/OpenVPN is hard to beat.
> If I am to use a "normal" VPN, then it will likely need to be Microsoft's PPTP, as the office already has this.
That's not really a VPN, it's a half-arsed implementation...
Cheers, Laurie.