Best VPN solution for mobile clients?

[kclark]

I've found a few different VPN solutions for FreeBSD. This might not be a "simple" question, but does anyone have any suggestions on what setups work best with mobile clients, iOS and Android?

Thanks,
Kris

 

[junovitch@]

Personally I just have OpenVPN on my laptop and cell phone because it works, I'm comfortable with it, and it's in the app store and easy to set up. I think an IPSEC setup might be your only option on devices that don't have much in the way of add on VPN apps.

 

[kpa]

Both Android and iOS seem to have an OpenVPN client available so that would be my preference because the server setup with OpenVPN is so simple compared to the other options.

https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8

https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en

 

[elpek]

You could also use security/ipsec-tools / security/racoon2 - iOS devices support CISCO IPSec VPN natively as for Android I'm not sure, but there is probably an app for that. There is also security/strongswan which might be easier to set up for some but is not near as reliable as racoon (at least it was not for me).

 

[Oko]

Oh this is the easy one. For iOS and Android the best solution is L2PT via IPSec which is included in the base. Setting a gateway is 5 minute job on OpenBSD
http://undeadly.org/cgi?action=article&sid=20120427125048
I have done it several times. Notice that article needs an update. On FreeBSD not so easy. Lack of IPSec is just show stopper not to mention lack of npppd daemon (Strongswan is just not something which I would use)

 

[protocelt]

On FreeBSD not so easy. Lack of IPSec.

Huh? ipsec(4)

 

[Oko]

Huh? ipsec(4)

You are kidding? Right?
http://www.openiked.org/

 

[alex.md]

You can try net/ocserv.

 

[Oko]

You can try net/ocserv.

That thing is just an implementation of Cisco AnyConnect protocol. Cisco in turn uses an ancient version of OpenSSL to "encrypt" the traffic. Typically AnyConnect server can be commonly found at the organizations which are poorly staffed because the turn key appliance can be bought fairly inexpensively (couple thousands dollars). I would not use AnyConnect for anything that requires serious security. Beyond the point the client for AnyConnect server is anything but commonly found even for "normal" OSs let alone for hand held devices. Hand held devices typically come only with L2PT/IPsec clients. You can check your smart phone, Kindel or whatever you have if you don't trust me. That is why I suggested L2PT/IPsec. Configuring L2PT/IPsec server is trivial on OpenBSD but next to impossible on FreeBSD due to the lack of native IPSec client and npppd daemon. The easiest VPN solution is OpenVPN server but installing and using OpenVPN client on hand held devices is no something my grand mother or for that mater most of users are capable of doing.

 

[jarek6]

I'm curious - is also latest AnyConnect version 3.x or 4.x is using ancient OpenSSL ? Do you have information which OpenSSL version they're using ?

 

[alex.md]

That thing is just an implementation of Cisco AnyConnect protocol. Cisco in turn uses an ancient version of OpenSSL to "encrypt" the traffic. Typically AnyConnect server can be commonly found at the organizations which are poorly staffed because the turn key appliance can be bought fairly inexpensively (couple thousands dollars). I would not use AnyConnect for anything that requires serious security. Beyond the point the client for AnyConnect server is anything but commonly found even for "normal" OSs let alone for hand held devices.

OCServ allows you to change cipher suites. http://gnutls.org/manual/html_node/Priority-Strings.html
Also anyconnect client shows you what cipher suite is being used for specific connected tunnel.

Hand held devices typically come only with L2PT/IPsec clients. You can check your smart phone, Kindel or whatever you have if you don't trust me. That is why I suggested L2PT/IPsec. Configuring L2PT/IPsec server is trivial on OpenBSD but next to impossible on FreeBSD due to the lack of native IPSec client and npppd daemon..

What if I want to push several routes to a VPN client ? If I am not mistaken L2TP just adds a classful route and there is no way to add another routes automatically. If this needs to be done on a smartphone or a tablet, it becomes a hard quest for a simple user.

Regarding L2TP/IPSEC, you need to patch kernel and racoon sources to get it working (did not test it yet using strongswan), but if 2 devices will attempt to connect to the same router behind one NAT, that will destroy work for both user. Plus SAs sometimes are not deleted automatically so you are not able reconnect immediately.

I would go with a SSL-based VPN solution.

 

[obsigna]

...
What if I want to push several routes to a VPN client ? If I am not mistaken L2TP just adds a classful route and there is no way to add another routes automatically. If this needs to be done on a smartphone or a tablet, it becomes a hard quest for a simple user. ...

Only my curiosity, for what would I need several routes on my smartphone? I set up L2TP/IPsec on my FreeBSD home server and when on travel I usually connect to the internet via VPN and let all the traffic goe over the VPN. So, why would I need some VPN traffic going another route and which route might this be? Sorry for the lack of my imagination.

... Regarding L2TP/IPSEC, you need to patch kernel and racoon sources to get it working (did not test it yet using strongswan), but if 2 devices will attempt to connect to the same router behind one NAT, that will destroy work for both user. Plus SAs sometimes are not deleted automatically so you are not able reconnect immediately. ...

For Windows L2TP/IPsec connectivity with StrongSwan, a single kernel patch is needed, after this it works well. I can concurrently connect several clients, namely Mac OS X and iOS and ONE Windows, from behind the same NAT to the L2TP/IPsec server (net/mpd5 + security/strongswan). I got only one Windows client, and therefore I could not test my system with several Windows clients, however some I have some doubts that this would work, because the built-in Windows client does not change NAT-T traffic from 4500 to an ephemeral port, Mac OS X and iOS do.

Anyway, I wrote a BLog post about my installation, it is in German language, however, using an online translator, it should be possible to grep the basics, e.g. said patch file and the relevant settings. http://blog.obsigna.net/?p=520

Without patching the kernel, I managed to connect Windows via IKEv2-IPsec to my home server running StrongSwan.

 

[Oko]

Regarding L2TP/IPSEC, you need to patch kernel and racoon sources to get it working

I don't need to patch anything. I use OpenBSD and configuring L2PT/IPsec is a 5 minutes thing

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjUg6OUh5jKAhVHwj4KHWm_ALoQFggfMAA&url=http://undeadly.org/cgi?action=article&sid=20120427125048&usg=AFQjCNG3TTUG5-xqrJJM2Me28eipWVRAsg

and nowadays even easier

http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients/

I just don't get why in the world FreeBSD people prefer Strongswan over OpenIKED

 

[obsigna]

... I just don't get why in the world FreeBSD people prefer Strongswan over OpenIKED

1. OpenIKED is not in the Ports, strongSwan is
2. OpenIKED does IKEv2 only, strongSwan does IKEv1 and IKEv2,
   the built-in L2TP/IPsec clients that I know of, require IKEv1 in transport mode,
   and OpenIKED cannot be used for that.
   
3. the IKEv1 daemon of OpenBSD is in the FreeBSD ports but the version seems
   to be from 2004. The most recent strongSwan was updated in
   December 2015.

I just don't get why you are suggesting to replace strongSwan that together with mpd5 works perfectly for L2TP/IPsec on FreeBSD by something that is neither readily available on FreeBSD nor could be used for the purpose, if it were.

 

[Oko]

1. OpenIKED does IKEv2 only, strongSwan does IKEv1 and IKEv2,
   the built-in L2TP/IPsec clients that I know of, require IKEv1 in transport mode,
   and OpenIKED cannot be used for that.

Unless my wife is putting something funny into my meals to make me hallucinate I am pretty sure that at this very moment I have over 50 L2PT/IPsec clients on several network I manage connected via OpenBSD gateway running OpenIKED and npppd.

 

[obsigna]

From the link that you posted:

OpenIKED is a FREE implementation of the Internet Key Exchange (IKEv2) protocol which performs mutual authentication and which establishes and maintains IPsec VPN security policies and associations (SAs) between peers. The IKEv2 protocol is defined in RFC 5996, which combines and updates the previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet DOI (RFC 2407). OpenIKED only supports the IKEv2 protocol; support for ISAKMP/Oakley and IKEv1 is provided by OpenBSD's isakmpd(8) or other implementations on non-OpenBSD platforms.

The other link to the blog post of Frank Groeneveld describes utilization of isakmpd(8) together with npppd. So, chances are that your servers are running isakmpd, and the installation time of less than 5 minutes was too short, to let you remember the name of all the utilized tools.

 

[alex.md]

Only my curiosity, for what would I need several routes on my smartphone? I set up L2TP/IPsec on my FreeBSD home server and when on travel I usually connect to the internet via VPN and let all the traffic goe over the VPN. So, why would I need some VPN traffic going another route and which route might this be? Sorry for the lack of my imagination.

That is a good point for personal usage. If we are talking about business, usually VPN clients do not have access to internet over VPN. They only need to have access to appropriate resources. Regarding several routes. Lets say I need access to:
1. Server mgmt vlan
2. Voice vlan
3. Remote access vlan (access to your PC or terminal server)

Each vlan is a separate subnet. How do I suppose to have 3 routes with L2TP ? Adding static routes on a smartphone is a real pain in the ass.

For Windows L2TP/IPsec connectivity with StrongSwan, a single kernel patch is needed, after this it works well. I can concurrently connect several clients, namely Mac OS X and iOS and ONE Windows, from behind the same NAT to the L2TP/IPsec server (net/mpd5 + security/strongswan). I got only one Windows client, and therefore I could not test my system with several Windows clients, however some I have some doubts that this would work, because the built-in Windows client does not change NAT-T traffic from 4500 to an ephemeral port, Mac OS X and iOS do.
Without patching the kernel, I managed to connect Windows via IKEv2-IPsec to my home server running StrongSwan.

Thank you for sharing info about net/mpd5 + security/strongswan. I totally agree with you. There is no point of using racoon, Strongswan is much better.
IKEv2 is also a good option, however Windows has a few problems with it:
1. You need to add static routes, since windows (tested on win 7) does not care about traffic selector (encryption domain).
2. Tiny SA idle timeout (5 minutes).

I don't need to patch anything. I use OpenBSD and configuring L2PT/IPsec is a 5 minutes thing.
I just don't get why in the world FreeBSD people prefer Strongswan over OpenIKED

Sorry, but I am not planning to move to another OS.
Strongswan is an active project plus it supports multiple operating systems. So you do not need to be attached to a single OS.

 

[obsigna]

That is a good point for personal usage. If we are talking about business, usually VPN clients do not have access to internet over VPN. They only need to have access to appropriate resources. Regarding several routes. Lets say I need access to:
1. Server mgmt vlan
2. Voice vlan
3. Remote access vlan (access to your PC or terminal server)

Each vlan is a separate subnet. How do I suppose to have 3 routes with L2TP ? Adding static routes on a smartphone is a real pain in the ass.

I saw several company installations, forcing ALL traffic of the mobile clients of the employees going via VPN, and by this way passing the company's DPI firewalls in and out. All routing is done server-side in these cases, and the employees even don't have a choice for setting other routes on the devices provided by the company.

From the company's point of view, this is the most clean solution. The one or the other employee might find this too restrictive. However, given the thread of traffic interception in public WLANs, the bad habit of ISPs and others to manipulate DNS, and the added comfort of having a server-side DNS based ad-blocker, I personally don't want my mobile devices anymore to go directly into the internet. I enabled proxy-arp of net/mpd5, and all L2TP/IPsec clients do have access to any resource in the local network of my FreeBSD home server. I was not able to do this with IKEv2-VPN with Windows 7, so I prefer L2TP/IPsec over IKEv2 for this reason.