Always on VPN

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
http://www.ntop.org/products/n2n/
http://code.google.com/p/sigmavpn/ (based on n2n)
http://vtun.sourceforge.net/
IPsec based (included in pretty much any distro)
https://code.google.com/p/socialvpn/
http://www.softether.org/ - This looks interesting

Played around with n2n a long time ago, only supports bridging networks... vtun(d) works fine on slow hw (routers etc) but you can't configure clients on the other end the way you can with OpenVPN.
Any issues you're experiencing with OpenVPN?
//Danne

MysticRyuujin

Limp Gawd
Joined
Oct 1, 2013
Messages
507
I agree, more info needed. OS and hardware.

You could try Microsoft DirectAccess if you're in a domain / Windows server environment.

I also set up always on VPN connections using the Cisco VPN Client to an ASA or Firewall... you just have to edit the VPN Client's config to include the username/password and set it to auto connect.

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
Between routers or a computer and endpoint or what? OS? Need more info.

I agree, more info needed. OS and hardware.

You could try Microsoft DirectAccess if you're in a domain / Windows server environment.

I also set up always on VPN connections using the Cisco VPN Client to an ASA or Firewall... you just have to edit the VPN Client's config to include the username/password and set it to auto connect.


Client to router. Clients are Windows based. All clients will not be on my domain, but could be in a workgroup or other domains outside of my control.

Before switching over to pfsense we ran an ASA5505 and I set up VPN using the VPN client, but it wasn't always on. It required user intervention on bootup every time.

Always on, on bootup, and stable are the most important things here. Those describe OpenVPN to a T! But I need more options.

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
http://www.ntop.org/products/n2n/
http://code.google.com/p/sigmavpn/ (based on n2n)
http://vtun.sourceforge.net/
IPsec based (included in pretty much any distro)
https://code.google.com/p/socialvpn/
http://www.softether.org/ - This looks interesting

Played around with n2n a long time ago, only supports bridging networks... vtun(d) works fine on slow hw (routers etc) but you can't configure clients on the other end the way you can with OpenVPN.
Any issues you're experiencing with OpenVPN?
//Danne

Thanks I'll check into some of these but I bet I'm going to run into the same problem when I present these. No problems ever with OpenVPN. Love it. But I guess the word "Open" scares uneducated people.

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,326
Cisco 1921 or 800 series. ASA 5505's... Cisco VPN Client .... you get it.

Log Me In Hamachi for a free and stable always on VPN.

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
Cisco 1921 or 800 series. ASA 5505's... Cisco VPN Client .... you get it.

Log Me In Hamachi for a free and stable always on VPN.

Correct me if I'm wrong, but the Cisco VPN client requires a user to launch the client and manually connect? Or can this be run as a service?

Grentz

Fully [H]
Joined
May 5, 2006
Messages
17,198
That sounds like a weird requirement. Either have them log in to the VPN when they boot up, it's not that hard and takes about 10 sec with any good client, or set up a VPN concentrator on their end if there are multiple machines.

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
That sounds like a weird requirement. Either have them log in to the VPN when they boot up, it's not that hard and takes about 10 sec with any good client, or set up a VPN concentrator on their end if there are multiple machines.

It's not a weird requirement when you consider that these machines rarely have people log into them. So they'll never be connected if a manual process is required. This is why I need the VPN to be always on like OpenVPN.

Grentz

Fully [H]
Joined
May 5, 2006
Messages
17,198
It's not a weird requirement when you consider that these machines rarely have people log into them. So they'll never be connected if a manual process is required. This is why I need the VPN to be always on like OpenVPN.

Ahh, you didn't mention that. That actually makes it even more difficult, as you potentially want the VPN connected before the interactive user session is logged in (essentially a system service).

If you could drop a VPN appliance on the network that these machines are on, that would definitely be the more straightforward/reliable way about it.

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
Ahh, you didn't mention that. That actually makes it even more difficult, as you potentially want the VPN connected before the interactive user session is logged in (essentially a system service).

If you could drop a VPN appliance on the network that these machines are on, that would definitely be the more straightforward/reliable way about it.

Interesting, a VPN appliance could be a possibility. I'm trying to think in my head how a remote appliance with the machines would work. Would this be done via multiple gateways on the remote clients?

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
Correct me if I'm wrong, but the Cisco VPN client requires a user to launch the client and manually connect? Or can this be run as a service?

AnyConnect has a start before login application.

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
IPsec will do fine and is what many commercial software packages use, but keep in mind that it doesn't play nice with NAT.
//Danne

MysticRyuujin

Limp Gawd
Joined
Oct 1, 2013
Messages
507
Client to router. Clients are Windows based. All clients will not be on my domain, but could be in a workgroup or other domains outside of my control.

Before switching over to pfsense we ran an ASA5505 and I set up VPN using the VPN client, but it wasn't always on. It required user intervention on bootup every time.

Always on, on bootup, and stable are the most important things here. Those describe OpenVPN to a T! But I need more options.

The Cisco VPN client does not require user intervention if you set it up. As I said before, you can manually edit the actual VPN profile and set it to automatically connect without user interaction.

Put the VPN client into the startup folder so it starts when they log in, the VPN profile can be configured to continually attempt a connection to the ASA and use stored credentials inside the VPN profile.

This is NOT a default behavior or something you just click. You'll have to actually create the VPN Profile using a text editor.

This can get you started, but Google is your friend:
http://tomishappy.blogspot.jp/2010/11/auto-reconnecting-cisco-vpn-client.html

I think that when I did it I had to change the permissions on the VPN Profile so that the system could not write to it, because the Cisco VPN Client would actually erase the saved password in the file, but that was fixed by simply editing the permissions on the file so that it couldn't be over-written.
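The permissions step in the post above is the part worth getting right, because a profile with a stored password is only as safe as the ACL on the file. The following PowerShell is an added example (not from the thread, not Cisco's own tooling) that strips inherited permissions from such a profile, grants read to the service account and the account that launches the client, keeps Administrators for maintenance, and sets the read-only attribute so the client cannot rewrite the file. The profile path and the client account name are placeholders.

```powershell
# Added example: lock down a VPN profile file that carries stored credentials.
# Assumptions: $ProfilePath and $ClientUser are placeholders; the Cisco VPN
# service runs as SYSTEM and only needs to read the profile.
$ProfilePath = 'C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles\office.pcf'  # placeholder
$ClientUser  = "$env:COMPUTERNAME\kioskuser"                                            # placeholder

if (-not (Test-Path -LiteralPath $ProfilePath)) {
    throw "Profile not found: $ProfilePath"
}

$acl = Get-Acl -LiteralPath $ProfilePath

# Stop inherited entries (typically BUILTIN\Users read) from applying to this file
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit entries that remain so only the rules below apply
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$read  = [System.Security.AccessControl.FileSystemRights]::Read
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Administrators keep full control so the profile can still be maintained
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', $full, $allow)))

# SYSTEM (the VPN service) and the launching account get read only: they can
# load the profile but cannot rewrite it, which is what strips the saved password
foreach ($identity in @('NT AUTHORITY\SYSTEM', $ClientUser)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $read, $allow)))
}

Set-Acl -LiteralPath $ProfilePath -AclObject $acl

# The read-only attribute blocks casual overwrites as well
Set-ItemProperty -LiteralPath $ProfilePath -Name IsReadOnly -Value $true

# Show the resulting ACL so the change can be checked
(Get-Acl -LiteralPath $ProfilePath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated prompt. The point of granting read only to the launching account, rather than leaving it unrestricted, is that anyone who can log in as a different local user on the kiosk should not be able to copy the profile and its credentials off the machine.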

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
AnyConnect has a start before login application.

This is exactly what I needed to know. Thanks. Even "logging in" is still user intervention.

These machines need to connect after simply pressing the power button and nothing else.

I'll be the first to admit that this is beyond f'n stupid. But this is the world we live in, where uneducated people make these types of decisions. IPSec isn't any more/less secure than OpenVPN. They like the word Cisco, even though Cisco is just utilizing IPSec. Funny thing though is our pfsense can already do IPsec. Maybe I should just slap a Cisco sticker on it.

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
Well, I'm very sure that you wouldn't want software from 2006... ;-)
//Danne

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
fwiw, Junos Pulse (Juniper SSL client) also supports this as far as I can tell...
//Danne

cytech

Limp Gawd
Joined
Nov 20, 2007
Messages
284
Juniper MAG gateway with Pulse is probably one of the most powerful/flexible SSL-VPN solutions available; not cheap though.

Deleted member 12106

Guest
You can set ovpn to run as a service so no user interaction is needed.
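Running OpenVPN as the Windows service is the setup that meets the "press the power button and nothing else" requirement, since the service starts every .ovpn file in its config directory at boot under SYSTEM, with no interactive session. The PowerShell below is an added example (not from the thread and not OpenVPN's own tooling): it writes a client config with the directives that make the tunnel reconnect on its own, then sets the service to start automatically. It assumes the service is registered as OpenVPNService, the name the 2.x Windows installer uses, and the config directory shown; the server name and certificate file names are placeholders.

```powershell
# Added example: hand an OpenVPN client connection to the Windows service so it
# comes up at boot with no logged-in user.
# Assumptions: service name 'OpenVPNService' and the config directory below
# (both as installed by the OpenVPN 2.x Windows package); vpn.example.com and
# the ca/cert/key file names are placeholders.
$ServiceName = 'OpenVPNService'
$ConfigDir   = 'C:\Program Files\OpenVPN\config'
$ConfigPath  = Join-Path $ConfigDir 'office.ovpn'

# Certificate authentication avoids storing a password in the profile at all;
# persist-* and keepalive make the daemon re-establish the tunnel by itself.
$config = @'
client
dev tun
proto udp
# placeholder server
remote vpn.example.com 1194
# keep retrying name resolution if the link is not up yet at boot
resolv-retry infinite
nobind
persist-key
persist-tun
# ping every 10 s, restart the tunnel after 60 s of silence
keepalive 10 60
# only accept a certificate issued for server use
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3
'@

if (-not (Test-Path -LiteralPath $ConfigDir)) {
    throw "OpenVPN config dir not found: $ConfigDir"
}
Set-Content -LiteralPath $ConfigPath -Value $config -Encoding ASCII

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    throw "Service '$ServiceName' not found; check the OpenVPN install"
}

# Start at boot, independent of any user logging in
Set-Service -Name $ServiceName -StartupType Automatic
# Restart-Service also starts a stopped service
Restart-Service -Name $ServiceName

# Show the state so the change can be checked
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
```

The config directory sits under Program Files, so the client key inherits ACLs that only Administrators and SYSTEM can write; that is what makes this arrangement safer than a user-launched client with a saved password, because the credential never has to be readable by the interactive account. Use a per-machine certificate so a single compromised kiosk can be revoked without touching the others.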

Grentz

Fully [H]
Joined
May 5, 2006
Messages
17,198
Interesting, a VPN appliance could be a possibility. I'm trying to think in my head how a remote appliance with the machines would work. Would this be done via multiple gateways on the remote clients?

It depends on how your networks are configured. If you do not have overlapping subnets, it would be easy enough to direct traffic through the VPN.

I cannot tell how much control / influence you have over the remote network though.

HDClown

Limp Gawd
Joined
Nov 30, 2004
Messages
222
Another recommendation here for Juniper. A MAG2600 with 10 concurrent users would run about $2k for the hardware/license, worst case. Can do it even cheaper depending on discount offered. Support/Maintenance w/NBD hardware replacement for about $300. Note that this is a dedicated SSL VPN platform. Very powerful, very easy to use, and a leading product in this area.

Also, may want to check out Pertino. It's along the concept of Hamachi (hosted VPN) but it doesn't utilize a 3rd party network to make connections like Hamachi does. The cloud network is only used to manage/provision the clients. They've become popular lately in the SMB world.