
Open VPN Access Server

2018-04-17 by: Mike Harrison
From: Mike Harrison 
------------------------------------------------------

Just installed an OpenVPN Access Server:

https://openvpn.net/index.php/access-server/overview.html

Not sure I like the license cost for more than 2 clients, 10 devices for $120 per year. But if it continues to work well: worth it.

I’m just thinking with things.. but wanted to share. 




===============================================================
From: Stephen Kraus
------------------------------------------------------

I run OpenVPN on both my Asus and my pfSense internal box. I love it.

On Mon, Apr 16, 2018, 10:37 PM Mike Harrison wrote:

===============================================================
From: kitepilot@kitepilot.com
------------------------------------------------------

Hmmmmmmmm...
I've been running my own OpenVPN server for more than a decade.
For free...
No issues.
How's that different?
Other than the cost...
ET

Mike Harrison writes:

===============================================================
From: David White
------------------------------------------------------

I run my own OpenVPN server as well. Synology has a great VPN solution built into it, which supports IPSec as well as OpenVPN. That's what I use.

But I've also set up OpenVPN on Linode before. Works like a charm.

===============================================================
From: Mike Harrison
------------------------------------------------------

I've both done it raw, and via pfSense. This is a set of tools that make admining the OpenVPN server via a web gui pretty simple.

I'm playing around with solutions for a client, that this would allow them to do it themselves well.

The license is for the web interface and tools, and I don't mind supporting the OpenVPN project. It seems to be something that could run a VPN Service Provider fairly well.

I mean, something like this from Cisco would be much more expensive.

===============================================================
From: Stephen Kraus
------------------------------------------------------

You can also configure it with Google Authenticator for that extra nice security

https://medium.com/@egonbraun/using-google-authenticator-mfa-with-openvpn-on-ubuntu-16-04-774e4acc2852

On Tue, Apr 17, 2018 at 8:38 AM, Mike Harrison wrote:

===============================================================
From: Stephen Kraus
------------------------------------------------------

Better Link:

https://askubuntu.com/questions/301380/how-to-use-google-authenticator-with-openvpn-server-on-ubuntu-12-04

On Tue, Apr 17, 2018 at 8:39 AM, Stephen Kraus wrote:

===============================================================
From: Jonathan Calloway
------------------------------------------------------

Untangle integrates it as their VPN solution. The only problem is that the custom Windows packages it generates are unstable. I’ve found it best to download the community client for Windows and configure it manually.

I used an OpenVPN appliance at home for years until I switched to the ASUS version recently. I’ve found that it works wonderfully. Tunnelblick in OS X makes it easy to use more than one connection if you need that.

Sent from my iPhone

===============================================================
From: Stephen Kraus
------------------------------------------------------

I generally just use the Windows client and import the configs into the client. I haven't had much luck with the generated installers either.

===============================================================
From: Dave Brockman
------------------------------------------------------

Cisco 25 User SSL VPN Annual subscription is ~$125 or less[1]. Licenses are ~$4/each, with a minimum of 25 required to order.

Regards,
dtb

1. https://www.cdw.com/product/Cisco-AnyConnect-Plus-subscription-license-1-year-1-Year-Software-App/4085128

===============================================================
From: Stephen Kraus
------------------------------------------------------

If I recall correctly OpenVPN Community Edition does not have a license limit.

===============================================================
From: Dave Brockman
------------------------------------------------------

If I recall correctly, OpenVPN Community Edition does not have a GUI to manage the server, which was OP's point.

Regards,
dtb

===============================================================
From: Stephen Kraus
------------------------------------------------------

That's what shell scripts and a simple interface are for, but yeah, I see your point.

Tomato/DD-WRT implemented a simple management GUI for OpenVPN CE, so it's not outside the bounds nor the capability of someone like Mike to implement.

===============================================================
From: "Alex Smith (K4RNT)"
------------------------------------------------------

I use SoftEther VPN server, open source and free, developed by the University of Tsukuba.

https://www.softether.org/

It has OpenVPN, Microsoft and L2TP functionality and compatibility.

Hope this helps.

-Alex

" 'With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and warning... The first time any man's freedom is trodden on, we’re all damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG episode "The Drumhead"

- Alex Smith
- Kent, Washington (metropolitan Seattle area)

On Tue, Apr 17, 2018 at 8:34 AM, Stephen Kraus wrote:

===============================================================
From: Dave Brockman
------------------------------------------------------

It won't actually do a Site-to-Site IPSEC tunnel, it only does L2TP/IPSEC. Unfortunately, is not compatible with 95% of business VPN devices. If you control all end-points, it is viable. If you have partner networks to secure, this most likely will not help.

Regards,
dtb

===============================================================
From: Mike Harrison
------------------------------------------------------

Better than expected from Cisco. I am surprised.

For this project, OpenVPN won because the target devices are approx 20 RasPi’s behind a wide variety of firewalls. So far, in the ONE case I’ve experimented with, I think it’s going to work well. When I get farther along, I’ll write it up properly.

--Mike

===============================================================
From: Dave Brockman
------------------------------------------------------

You might also consider adding an ER-X to your testing mix. SSL VPN isn't offloaded, so they are going to be extremely performant, but I seem to find uses for them on a weekly basis. If you run an UNMS instance, the devices also report to a central platform, and with latest UNMS and latest EdgeRouter firmware, you have console access to the device, even if it's behind a firewall (that isn't too tightly locked down on outbound traffic). It's a JUNOS-ish CLI, based on VyOS. The new bigger brother, the ER-4 is really impressing me in routing and IPSEC performance for a $200 device.

Regards,
--dtb