What is easiest VPN protocol & router for IPhone, Android etc client


wylie

Hi

Small business user here. I have an office LAN that is behind a couple of firewalls:

DSL modem -> router/firewall (192.168.0.1) -> linux iptables gateway (192.168.0.2 / 192.168.1.1) -> Switch -> LAN (192.168.1.*)

The router has firewall rules to block all incoming ports except a few services (mail, web, sip and a few others). All inbound and outbound traffic has to go through the linux gateway which has a redundant iptables setup to really make sure nothing is getting through. The gateway is also running as a transparent proxy on outbound port 80 to redirect web traffic through squid (caching and site blocking).

I am thinking of getting a new router that supports VPN, so that I can do road warrior type connections from Mac OSX, Windows Vista/7, Androids or IPhones. I see that there are several protocols out there (PPTP, IPSec, L2TP/IPSec, SSL). It also seems like each router provides a different level of support for each of these protocols. So much for standards! Anyway, I have a couple of questions about how all of this works.

1) What protocol has the least hassles? Or put another way, what protocols should I stay away from? I hear that PPTP is old and insecure. I have read the SSL has the least number of problems in terms of getting from the client to the server (usually no problems getting through firewalls/nat etc). It looks like L2tp/IPSec has good native support. Is it possible to make a definitive recommendation that one protocol is the best trade-off for simplicity and security for road warrior use?

2) What would be the best protocol to support if I don't want to have to mess with proprietary client access software? I know that Mac supports L2TP/IPSec out of the box, and I think IPhone does also. I don't know about Android or Windows. Is this the way to go? How good are the SSL clients and where do I get them from?

3) I was looking at the D-LINK DSR-500N router that seems to support all of these protocols, plus the release notes say that the latest firmware supports OpenVPN. I have not been able to find a review of this router any where. I am reluctant to purchase without hearing from someone (anyone!) about their experience. Will it work seamlessly with IPhone and Android clients? Has anyone got a DSR-500N and can vouch for it?

4) How will the VPN router work with my linux gateway? Right now only a few ports are allowed in to the LAN. I assume that the VPN tunnel will want to connect directly to the LAN, not to the outside of the gateway.

Like this?

DSL modem -> VPN router/firewall (192.168.0.1) -> linux iptables gateway (192.168.0.2 / 192.168.1.1) -> Switch -> LAN (192.168.1.*)
                                 \
                                  192.168.2.* ---------------> Switch -> LAN

How will machines on the LAN figure out the routing?

I don't understand how this can work. Should I put another interface card in to the linux gateway for VPN connections, and set up VLANs on the router to keep the traffic separate like this:

DSL modem -> VPN router/firewall (192.168.0.1) -> linux iptables gateway (192.168.0.2 / 192.168.1.1) -> Switch -> LAN (192.168.1.*)
                                 \_________________________/
                                  192.168.2.1 --- 192.168.2.2


Thanks for any help to any and all of these questions.
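As an added example (not from the thread or any of its posters) of how the second layout in question 4 could be enforced on the Linux gateway: iptables forwarding rules for an extra NIC that faces the VPN router's 192.168.2.x segment, keeping the gateway's default-deny posture. The NIC names eth1/eth2 and the assumption that the router hands VPN clients addresses inside 192.168.2.0/24 are mine.

```shell
#!/bin/sh
# Added example, not from the thread: forward rules on the Linux iptables
# gateway for a second NIC (assumed eth2, 192.168.2.2) toward the VPN
# router (192.168.2.1). Assumes the router places VPN clients inside
# 192.168.2.0/24 and routes 192.168.1.0/24 back via 192.168.2.2.
# LAN hosts need no new routes: their default gateway is already 192.168.1.1,
# and the gateway reaches 192.168.2.0/24 through its connected route on eth2.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
VPN_IF="eth2"            # assumed NIC toward the VPN router
LAN_IF="eth1"            # assumed NIC toward the office switch
VPN_NET="192.168.2.0/24" # VPN segment and client pool (assumption)
LAN_NET="192.168.1.0/24" # office LAN from the original post

gateway_vpn_rules() {
    # Keep the gateway's existing default deny on forwarded traffic.
    $IPT -P FORWARD DROP

    # Replies to connections already opened from either side.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only packets that arrive on the VPN NIC with a VPN-segment source
    # may open new connections into the LAN.
    $IPT -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Anything else entering the VPN NIC (spoofed sources, traffic aimed at
    # the Internet through the LAN side) is dropped, so the VPN segment
    # cannot be used to bypass the router's inbound port filtering.
    $IPT -A FORWARD -i "$VPN_IF" -j DROP

    # Do not let LAN hosts open connections toward VPN clients; the office
    # machines only answer what the road warriors initiate.
    $IPT -A FORWARD -o "$VPN_IF" -m conntrack --ctstate NEW -j DROP
}

# Only touch the live firewall when explicitly asked; otherwise dry-run.
case "${1:-}" in
    apply) gateway_vpn_rules ;;
    *)     ( IPT=echo; gateway_vpn_rules ) ;;
esac
```

Run with `sh gateway-vpn.sh apply` as root to load the rules; without the argument it only prints them.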
 
PPTP is fine enough unless you're doing HIPAA stuff and it's supported by all the platforms you named.

Win 7's native VPN client handles L2TP/IPsec. I've gotten it to work on routers where the supplied IPsec client wouldn't work.

IPsec has traditionally been the hardest to deal with, so I'd put that last on the list.

SSL isn't always as easy as it sounds depending on how it's implemented. Some SSL gateways let you access certain common network functions via HTTPS browser connection. But to open a full tunnel for everything, Java applets are typically used. These have been known to not work on all OSes.

I defer to the more knowledgeable SNB Forum regulars for the routing questions.
 
I'm a fan of SSL, it's shown itself to be the easiest for end users to use, and the easiest for the IT guy to support. Far, far fewer issues than the troublesome IPSec clients of years ago.

OpenVPN is another good one, it has a client, but it's rather problem free. Many linux based firewalls support this.

As for your router setup, I'd simplify it with 1x good router at the edge, instead of having 2x routers and a double NAT situation. There is no benefit to double NAT, only the potential for issues. Have one good UTM appliance at the edge, like Astaro or Untangle.
 
Thanks for the suggestions.

I'm a fan of SSL, it's shown itself to be the easiest for end users to use, and the easiest for the IT guy to support. Far, far fewer issues than the troublesome IPSec clients of years ago.

I only have a single IP address, so all outward facing services are port forwarded to internal servers. How does the SSL VPN work if I have an https server running inside on the LAN? Will port 443 get intercepted for VPN connections and then I'll lose access to the https server?

As for your router setup, I'd simplify it with 1x good router at the edge, instead of having 2x routers and a double NAT situation.

In that case, what would happen to the Linux gateway that I was using as a transparent proxy for http, routing everyone through squid? Would all the machines on the LAN use the router as the gateway, or could traffic still get routed through the Linux gateway?

There is no benefit to double NAT, only the potential for issues.

The reason I did it that way was paranoia: I really wanted to make sure that I did not leave a hole in the firewall, and having two firewalls in place seemed like if I made a mistake in one it could be caught by the other. Right now there is not much natting happening on the router, since it is all getting done in iptables on the linux box.

Have one good UTM appliance at the edge, like Astaro or Untangle.

It sounds appealing to only have a single reliable UTM appliance. I am running some anti-spam and defanging software on my mailserver, so getting a UTM is incremental to what I have already. Ideally I would like to have a UTM that had a snort-like tool to watch outbound traffic for anomalies (outbound from the lan is mostly http, the standard microsoft update stuff from desktop boxes, sip from the voip box. Anything else should be flagged). Can untangle do this?

Any suggestions for hardware to run Untangle on? I only have a couple of users so I don't need a high power solution. Reliability is more important.
 
Use OpenVPN. OpenVPN is a combination of SSL and IPSEC: the ease of setting up of SSL and the security of IPSEC.
 
Use OpenVPN. OpenVPN is a combination of SSL and IPSEC: the ease of setting up of SSL and the security of IPSEC.

I wouldn't match OpenVPN to the "ease of setting up ssl".....true SSL VPN is browser based, there is no software client to install like OpenVPN...or clunkier IPSec VPN. Granted...OpenVPN is easier to implement on both ends than IPSec.
 
The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. The commercial SSL VPN market has falsely labored under this misdirected paradigm, but it is a mishandling of terms and represents an untrue statement.

A VPN is a site-to-site tunnel. Let me say that one more time, a VPN is a site-to-site tunnel. There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. People hear SSL and immediately think of a protocol that encrypts traffic for an application, or for several applications, one at a time via proxying, application translation, or port forwarding. This is NOT a VPN. It is an application level gateway, a firewall, or an SSL gateway, but it is not a VPN. A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points.

In the past, SSL/TLS was a general protocol that would be tightly coupled with specific applications, thus the extreme confusion about what an SSL VPN really is. It would be used to secure session communication between two hosts using a single application or protocol at a time. The most well known use of SSL is in the HTTPS protocol to enable secure web-based ecommerce. SSL is the default security solution for application to application needs, but it has never been implemented to handle arbitrary multiple protocols at the same time, until OpenVPN arrived.
 
The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true.

A VPN is a site-to-site tunnel. Let me say that one more time, a VPN is a site-to-site tunnel.

The first part...a VPN can be used to connect applications, such as when you setup a wide area network (WAN). Server(s) at one location, clients/workstations at a satellite location, programs connecting from satellite to mothership. A VPN can be used for many things.

As for the help with teaching us that a VPN is a site to site tunnel, don't need the condescending talk...I live and breathe this stuff every single day, I do this for a living. Right now matter of fact I'm getting hardware and software together for a 6 site WAN that will be connected via OpenVPN. Yes I use OpenVPN too, prefer SSL for "road warriors", and sometimes get stuck still using IPSec.

You sure seem to pimp OpenVPN a lot...99% + of your posts resurrect some VPN thread where you just reply with "Use OpenVPN". I smell some spam signatures fairly soon to some affiliate advertising website for it.
 
The first part...a VPN can be used to connect applications, such as when you setup a wide area network (WAN). Server(s) at one location, clients/workstations at a satellite location, programs connecting from satellite to mothership. A VPN can be used for many things.

As for the help with teaching us that a VPN is a site to site tunnel, don't need the condescending talk...I live and breathe this stuff every single day, I do this for a living. Right now matter of fact I'm getting hardware and software together for a 6 site WAN that will be connected via OpenVPN. Yes I use OpenVPN too, prefer SSL for "road warriors", and sometimes get stuck still using IPSec.

You sure seem to pimp OpenVPN a lot...99% + of your posts resurrect some VPN thread where you just reply with "Use OpenVPN". I smell some spam signatures fairly soon to some affiliate advertising website for it.

Have you ever heard of the exclude rule? Clearly not.
Go check out your nose, you're clearly smelling something that's not there.
 
L2TP/IPsec server

L2TP/IPsec is basically all you have on a standard Android smartphone without rooting the phone.

I already have an OpenVPN client/server setup using Windows Notebooks and Linksys E4200 running Tomato firmware. This works well.

However, this doesn't help me with my Android and like wylie, I came across the D-Link DSR-250.

This indicates support for an L2TP/IPsec server.

Are there any other 'routers' around that support an L2TP/IPsec server for a one man and his dog setup? The D-Link DSR-250 seems a bit bespoke and may not be available in New Zealand (that I can quickly see from my check).

Most low end router and firmware options only support OpenVPN or L2TP/IPSec Pass-Thru.

Any thoughts?
 