Cisco VPN server alternative

Are you tired of OpenVPN performance issues? Do you want to use more open source software? Do you want to replace your Cisco ASA but don't want to give up the AnyConnect VPN client software?
Do you want a reliable VPN server for your business? I found a solution for these requirements.

OpenConnect VPN Server, called OCSERV

https://ocserv.gitlab.io/www/

You can use the AnyConnect client or the OpenConnect VPN client to dial in to the OCSERV VPN server.

On Debian/Ubuntu:
apt install ocserv

Now you have installed the VPN server, but in enterprise environments that is not enough for security. You want to use this for hundreds or thousands of employees.

I want to show you my configuration of OCSERV with RADIUS integration and privacyIDEA, an open source two-factor solution.

If you want to use OCSERV with RADIUS, please read this first:

https://ocserv.gitlab.io/www/recipes-ocserv-authentication-radius-radcli.html

You have to compile radcli from source first; without it you have no RADIUS functionality.

Look at https://github.com/radcli/radcli/releases for the latest version.

How to compile it:
https://ocserv.gitlab.io/www/recipes-ocserv-radcli-installation.html

Fill in the information for your RADIUS server in

/etc/radcli/radiusclient.conf


nas-identifier fw01
authserver 10.10.10.50
acctserver 10.10.10.50
servers /etc/radcli/servers
dictionary /etc/radcli/dictionary
default_realm
radius_timeout 10
radius_retries 3
bindaddr *

cat /etc/radcli/servers

# Server Name or Client/Server pair            Key             
## ----------------                             ---------------
#
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone
#
## uncomment the following line for simple testing of radlogin
## with freeradius-server
#
#localhost/localhost                            testing123
#
10.10.110.60 yourradiussecretkey
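A mismatch between authserver/acctserver in radiusclient.conf and the entries in the servers file is an easy mistake to make (compare the two snippets above: 10.10.10.50 against 10.10.110.60), and the only symptom is a failed login. The following checker is an added example, not code from ocserv or radcli: it parses both files in the format shown here; the sample texts are constructed copies of the snippets, and the 16-character minimum secret length is an assumed local policy.

```python
# Constructed sample input: shortened copies of the radiusclient.conf and servers snippets above.
RADIUSCLIENT_CONF = """\
authserver 10.10.10.50
acctserver 10.10.10.50
servers /etc/radcli/servers
"""
SERVERS_FILE = """\
# Server Name or Client/Server pair            Key
#localhost/localhost                            testing123
10.10.110.60 yourradiussecretkey
"""

def parse_radiusclient_conf(text):
    """Return {option: value}; an option listed without a value maps to ''."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def parse_servers(text):
    """Return {name: secret}; an 'a/b' pair is stored under both halves (simplification)."""
    servers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        for name in parts[0].split("/"):
            servers[name] = parts[1]
    return servers

def check_radius_config(conf_text, servers_text, min_secret_len=16):
    """Return the list of problems found; empty means the files agree (min_secret_len is an assumed local policy)."""
    conf, servers = parse_radiusclient_conf(conf_text), parse_servers(servers_text)
    problems = []
    for option in ("authserver", "acctserver"):
        host = conf.get(option, "").split(":")[0]  # drop an optional :port (IPv4/hostname only)
        if not host:
            problems.append(f"{option} is not set")
        elif host not in servers:
            problems.append(f"{option} {host} has no shared secret in the servers file")
    for name, secret in servers.items():
        if len(secret) < min_secret_len:
            problems.append(f"shared secret for {name} is shorter than {min_secret_len} characters")
    return problems

if __name__ == "__main__":
    for problem in check_radius_config(RADIUSCLIENT_CONF, SERVERS_FILE):
        print("PROBLEM:", problem)
```

Run against the two snippets on this page it reports that neither authserver nor acctserver has a shared secret in the servers file; once the addresses agree it reports nothing.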

After you have compiled radcli on the system, you can choose to install ocserv from the distribution repository or to compile it from source. I used the distribution repository.

Add the following to

ocserv.conf


auth = "radius[config=/etc/radcli/radiusclient.conf,groupconfig=true]"

Fixing some client errors:

custom-header = "X-CSTP-Client-Bypass-Protocol: true"

Add your own certificate for your domain:

server-cert =
server-key =

VPN pool:

ipv4-network = 10.10.100.128
ipv4-netmask = 255.255.255.128

Add routes to the networks that you want to reach from the VPN server:

route=

VPN PPTP alternative

PPTP has recently been considered insecure. See also: http://www.heise.de/security/artikel/Der-Todesstoss-fuer-PPTP-1701365.html

Starting with Windows Vista there is a similarly simple solution that does not require installing an additional VPN client on the Windows machine. A further advantage is that only port 443 is needed.

SSTP is the answer to this. It is available from Server 2008 R2 onwards.
Here are a few links:

SSTP on Windows Server 2012

And a guide for it:

http://marcowue.wordpress.com/2013/03/15/howto-sstp-vpn-verbindung-zu-windows-server-2008-r2-einrichten/

Setting up the client on Windows 7:

http://strongvpn.com/setup_windows_7_sstp.shtml