Re: [LUG] SDTJ - VPN Talk

 

On 12/10/2019 16:40, Giles Coochey wrote:
> 
> On 12/10/2019 16:25, Giles Coochey wrote:
>> Hi All,
>>
>> It was good to be at Paignton Library for the South Devon Tech Jam 
>> this afternoon; disappointing that we couldn't get my laptop on the 
>> projector, something I must look into. As I mentioned, I thought I 
>> would leave some of the reference URLs here for further reading on VPNs:
>>
>> An OpenVPN-based solution (consumer). I have no affiliation with 
>> them, other than using OpenVPN open-source technology myself, and you 
>> can Google for other VPN providers; your choice should involve a 
>> combination of who you trust, offset against your local network 
>> provider, and of course cost.
>>
>> https://www.privatetunnel.com/pricing/
>>
>> The National Cyber Security Centre (UK) advisory on SSL VPN vulnerabilities:
>>
>> https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities
>>
>> A similar advisory note from the NSA (US):
>>
>> https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF
>>
>> Cipher suites supported by strongSwan (the IPsec site-to-site solution 
>> we explored in the talk). Note that many of these cipher suites are also 
>> supported by OpenVPN, so the same advice as to their security 
>> provisions also applies, as it does with pfSense solutions. Cross 
>> referencing these with the recent advisories above should help you 
>> choose a secure configuration, perhaps not against the NSA themselves, 
>> but certainly against what they perceive others to be capable of:
>>
>> https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
>>
>> Legacy example configurations for strongSwan. While they are labelled 
>> "Legacy", this just means the legacy method of configuration, as 
>> opposed to legacy methods of security. For me, I find them simpler to 
>> understand than the newer way of configuring strongSwan, and the end 
>> result in terms of security of implementation is the same:
>>
>> https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2StrokeExamples
>>
>> Netgate supply everything from small appliances to full enterprise 
>> solutions, but can also provide open-source pfSense images to run on 
>> any old x86_64 hardware, should anyone want to investigate either 
>> OpenVPN or IPsec site-to-site VPN solutions without the need to 
>> involve a third party (and thus avoiding the trust issues we discussed):
>>
>> https://www.netgate.com/solutions/pfsense/
> 
> The above link only shows appliance and cloud solutions; if looking for 
> an in-house implementation then the open-source community site can be 
> found here:
> 
> https://www.pfsense.org/download/
> 
>>
>> As always, I'm available by Email for further in-depth advice, and 
>> opinion, which are my own of course!
>>
>> Best Regards,
>>
>> Giles Coochey
>>
>> PS - Paul - if you could forward these links to anyone at the talk, 
>> who might not have been on the DCGLUG list.
>>
>>
> 

Additional information from a VPN veteran follows:

pfSense has a rather tarnished reputation (google it) and the backing 
of a commercial company with a history of dubious actions - avoid. 
OPNsense is a forked alternative (opnsense.org) and generally a wiser 
choice.

That being said, despite their reputation there is nothing particularly 
special about VPNs, and one certainly doesn't need to limit their 
deployment to certain tailored firewall/gateway/VPN type distributions 
such as pfSense/OPNsense. On Linux and BSD operating systems in 
particular, deploying a VPN isn't complicated any more. Don't deploy 
VPNs on Windows if you value your sanity, although that is probably 
redundant advice here.

Tools such as Algo (https://github.com/trailofbits/algo) are suitable 
for novices and experts and greatly ease the deployment of VPNs to cloud 
infrastructure in a few easy steps.

For anyone shopping for a commercial VPN service you have my sympathy - 
it's a minefield. For what it's worth I have a personal recommendation 
after years of trying out most of them:

https://mullvad.net/en/

Usual disclaimers apply: I am in no way affiliated, etc, etc. Best I've 
found so far by a mile, but obviously you should do your own research. 
Speaking of which, this is _the_ place to start for VPN comparisons:

https://thatoneprivacysite.net/

Finally, 'old' VPN technology is clunky and horrible, and although it's 
taking forever to mainline into the kernel, WireGuard has already seen 
serious uptake amongst the sort of people who actually have to work with 
and admin this stuff on a daily basis.

https://www.wireguard.com/

Better in pretty much every way than the horrors of IPsec and OpenVPN - 
a simple Raspberry Pi at each end is more than powerful enough to handle 
basic site-to-site VPN links, and WireGuard sets up, tears down and 
tolerates faults far better than the old alternatives.

We don't do VPNs like we used to. They live in container instances and 
you manage them with systemctl or docker or k8s.

Cheers
-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
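As an added example of the cross-referencing Giles describes (choosing a strongSwan proposal from the cipher-suite page with the advisories in mind), here is a legacy-style ("stroke", ipsec.conf/ipsec.secrets) IKEv2 site-to-site configuration for a hypothetical site A. This is editor-added material, not from either message, the strongSwan project or Netgate. The public addresses (192.0.2.1, 198.51.100.1), LAN subnets, identities and the pre-shared key are constructed placeholders. The commented-out proposal uses algorithms strongSwan still supports (3DES, SHA-1, MODP-1024) but that a practitioner should not pick today; it is shown only for contrast with the restricted modern proposal beneath it.

```conf
# /etc/ipsec.conf on site A, legacy "stroke" format.
# Editor-added example: every address, name and secret is a placeholder.

config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2
    # Weak but still-supported choices, shown only for contrast. Do NOT use:
    #   ike=3des-sha1-modp1024
    #   esp=3des-sha1
    # Restricted modern proposal: AES-256-GCM, SHA-384 PRF, ECP-384 (P-384)
    # for key exchange, and ECP-384 for ESP perfect forward secrecy.
    # The trailing "!" tells strongSwan to offer/accept ONLY this proposal
    # instead of appending its built-in defaults.
    ike=aes256gcm16-sha384-ecp384!
    esp=aes256gcm16-ecp384!
    ikelifetime=24h
    lifetime=1h
    rekey=yes
    # Dead peer detection: rebuild the tunnel if the other side goes quiet.
    dpdaction=restart
    dpddelay=30s

conn site-a-to-site-b
    # site A: public address, LAN behind it, identity, auth method
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    leftid=@site-a
    leftauth=psk
    # site B: public address, LAN behind it, identity, auth method
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    rightid=@site-b
    rightauth=psk
    auto=start

# /etc/ipsec.secrets on both sites (owned by root, mode 0600).
# Generate a real PSK with something like: head -c 32 /dev/urandom | base64
# The value below is a placeholder, not a secret to reuse.
@site-a @site-b : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

The same conn block can be installed unchanged on site B, because strongSwan works out which of left/right is the local side from the addresses. After `ipsec restart`, `ipsec statusall` shows the negotiated IKE and ESP proposals; if the line contains anything other than what you restricted to with `!`, the restriction is not being applied. For more than a pair of sites, or anywhere the PSK would have to be shared widely, certificate authentication (leftauth=pubkey with leftcert/rightid) is the better choice.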
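As an added example of the site-to-site link the second message describes (a Raspberry Pi at each end), here is the wg-quick configuration for site A; site B is the mirror image. This is editor-added material, not from the thread or the WireGuard project. Public addresses (192.0.2.1, 198.51.100.1), LAN subnets, tunnel addresses (10.99.0.0/24) and the key placeholders are all constructed; the commented commands generate real keys on each Pi.

```ini
# /etc/wireguard/wg0.conf on site A (Raspberry Pi, public 192.0.2.1,
# LAN 10.1.0.0/24). Editor-added example: every address and key is a
# placeholder. Keep this file root-only (mode 0600): it holds the private key.
#
# On each Pi, as root:
#   umask 077
#   wg genkey | tee private.key | wg pubkey > public.key
#   wg genpsk > site-a-b.psk        (generate once, copy to both sites)
#   sysctl -w net.ipv4.ip_forward=1 (persist it under /etc/sysctl.d/)

[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <contents of site A private.key>
# Allow the Pi to forward between its LAN and the tunnel. %i is expanded
# to the interface name by wg-quick; an nftables rule works just as well.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT

[Peer]
PublicKey = <contents of site B public.key>
# Optional symmetric key mixed into the handshake on top of the Curve25519 keys.
PresharedKey = <contents of site-a-b.psk>
Endpoint = 198.51.100.1:51820
# Cryptokey routing: packets from this peer are accepted only if their
# source is in this list, and packets to these destinations are sent to
# this peer. wg-quick installs the matching kernel routes automatically.
AllowedIPs = 10.99.0.2/32, 10.2.0.0/24
# Keeps a NAT or stateful-firewall mapping alive if either Pi sits behind one.
PersistentKeepalive = 25

# Site B's wg0.conf differs only in: Address = 10.99.0.2/24, its own
# PrivateKey, PublicKey = site A's public.key, Endpoint = 192.0.2.1:51820,
# and AllowedIPs = 10.99.0.1/32, 10.1.0.0/24.
```

Bring it up on each Pi with `systemctl enable --now wg-quick@wg0` and check `wg show`: a recent "latest handshake" and rising transfer counters on the peer mean the link is working. The remaining piece is routing on each LAN: either make the Pi the LAN's default gateway, or add a static route on the existing router for the remote subnet via the Pi's LAN address (for site A: 10.2.0.0/24 via the Pi). Because AllowedIPs is also an access-control list, a peer that tries to send from an address outside its list is silently dropped, which is what makes the narrow per-peer lists above worth keeping.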