A bit about VPN: Add-ons to the software implementation overview

Not long ago we published an overview of software VPN implementations on our blog, which sparked a lively discussion. We promised a second part at the time: this time we look at the following software solutions for building virtual private networks: AnyConnect VPN, OpenConnect VPN, SoftEther VPN and Tinc.



Photo by Dave Crosby, CC

AnyConnect VPN


When exploring Cisco's product line it is hard to miss the name “AnyConnect”: behind it is a solution the vendor positions as a “next-generation” VPN client, and it does offer several advanced features for protecting corporate computers.

For example, the product provides full network access over SSL (TLS and DTLS) and IPsec, which lets remote clients reach almost any application or network resource; organizations often use this to extend network access to corporate laptops.

The connection is made with the Cisco AnyConnect Secure Mobility Client, using the L2TP/IPsec or IPsec VPN protocols. The solution automatically selects the tunneling protocol based on network restrictions and uses DTLS to optimize the traffic passing through the tunnel, such as VoIP or TCP-based application access.

Because SSL encryption is available in every browser, AnyConnect also offers clientless remote access: users can reach network resources, web applications and terminal-services applications (for example, Citrix) regardless of where they are.

Before establishing a remote connection, AnyConnect can determine the client's operating system and the antivirus and firewall software installed on it, which also benefits security. Its telemetry capabilities deserve a mention as well: the system collects information about the origin of malicious content detected by antivirus software, and this can be used to strengthen network security by adjusting URL filtering rules.

OpenConnect VPN


OpenConnect is an open-source application for connecting to virtual private networks over a point-to-point link; it was originally written as a replacement for the proprietary Cisco AnyConnect SSL VPN client. The motivation was a series of shortcomings in the Cisco client for Linux: no support for architectures other than i386, no integration with NetworkManager, poor support for the RPM and DEB package formats, the inability to run as an unprivileged user, closed source code, and other flaws.

OpenConnect server (ocserv) was designed as a small, secure and fast VPN server. It implements the OpenConnect SSL VPN protocol and is compatible with clients that use the AnyConnect SSL VPN protocol; the standard TLS and DTLS protocols carry the data. Moreover, OpenConnect provides a dual TCP/UDP VPN channel and works with standard IETF security protocols.

The connection is established in two stages. First, a plain HTTPS connection is set up, over which the user is authenticated (with a certificate, a password or SecurID). After authentication the user receives a cookie, which is then used to establish the VPN connection itself.

One of ocserv's main features is privilege separation between its processes, intended to improve both security and fault tolerance; the TCP and UDP channels are handled separately as part of this design.
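The two-stage login (authenticate over HTTPS, then open the tunnel with the issued cookie) and the privilege separation described above correspond to a handful of settings in ocserv.conf. The fragment below is an added example, not taken from the post or from the ocserv project's own sample configuration; the file paths, the VPN subnet and the client limits are assumptions.

```ini
# ocserv.conf fragment (constructed example, not from the original post).

# Stage 1: authentication over plain HTTPS. Listing "auth" twice means
# both methods must be satisfied: a client certificate AND a password
# from the ocpasswd file (path is an assumption).
auth = "certificate"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

# Certificate field that carries the username (the UID OID), and the
# server's own key material (paths are assumptions).
cert-user-oid = 0.9.2342.19200300.100.1.1
ca-cert = /etc/ocserv/ca.pem
server-cert = /etc/ocserv/server.pem
server-key = /etc/ocserv/server-key.pem

# Stage 2: the cookie issued after authentication opens the TLS (TCP)
# and DTLS (UDP) channels on the same port. Keep the cookie short-lived
# so that a disconnected session cannot be resumed indefinitely.
tcp-port = 443
udp-port = 443
cookie-timeout = 300

# Privilege separation: per-client workers run as an unprivileged user
# and are confined with seccomp; only the main process keeps privileges.
run-as-user = nobody
run-as-group = daemon
isolate-workers = true

# Limit the blast radius of a single compromised account.
max-clients = 64
max-same-clients = 2

# Addressing handed out to clients (values are assumptions).
device = vpns
ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.255.0
dns = 10.10.0.1
route = 10.20.0.0/255.255.0.0
```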

SoftEther VPN


Daiyu Nobori began developing SoftEther VPN when he started his studies at the University of Tsukuba. In 2003 he released the first version of SoftEther but received a warning from the Japanese government, which considered that the project fell under the definition of malware because of its ability to bypass firewalls. As a result, SoftEther was withdrawn from public access.

Some time later, in April 2004, Mitsubishi Materials Corporation offered to buy SoftEther 1.0 from Nobori under a 10-year contract (April 2004 to April 2014) that gave the corporation the right to sell SoftEther and forbade the author from selling the program on his own. However, in March 2013 Nobori began distributing the solution for free, and in January 2014 he was able to open-source it under the GPLv2 license.

SoftEther VPN is another powerful yet simple VPN solution. It is compatible with today's popular VPN products and protocols (OpenVPN, L2TP, IPsec, EtherIP, L2TPv3, Cisco VPN routers and MS-SSTP) and has versions for Windows, Linux, OS X, FreeBSD and Solaris.

The software consists of a server, a bridge server, a client, a GUI and administration utilities. The client is used to connect a single computer to a LAN (Remote Access VPN), while the bridge server connects two or more networks (Site-to-Site VPN). Note that the second option removes the need to configure connection parameters separately on each client device: it is enough to set up one VPN gateway on the side of each connected network. We have also prepared a short practical guide to setting up a Site-to-Site VPN; you can find it here.

SoftEther VPN lets you define a local bridge between a virtual hub and a physical Ethernet segment using the Local Bridge function, which exchanges packets between the physical adapter and the virtual hub; this in turn lets you set up a remote tunnel from home or from a mobile device. You can also establish a cascade connection between two or more remote virtual hubs to merge two or more Ethernet segments into one.

Nor should we forget the built-in means of bypassing firewalls and deep packet inspection systems, the feature that drew the Japanese government's displeasure a few years ago. To make the tunnel hard to detect, SoftEther VPN supports camouflaged Ethernet forwarding over HTTPS, with a virtual Ethernet adapter implemented on the client side and a virtual Ethernet switch on the server side.

Since the binary release of SoftEther VPN Server, more than 80,000 successful server deployments have been recorded, most of them in Japan, the United States and China.

Tinc


Tinc is a VPN daemon and one of the contenders for the title of the smallest and easiest-to-set-up VPN implementation. The project started back in 1998 and active development continues to this day; even so, tinc already looks like a mature product.

It connects computers over IPv4/IPv6 networks running operating systems such as Linux, BSD, Mac OS X, Solaris and Windows. In addition, it runs on the iPhone and iPod.

Tinc has several interesting features. All traffic is optionally compressed with zlib or lzo, and LibreSSL or OpenSSL provides the encryption and message authentication that protect the transmitted data from eavesdropping and tampering.

Interestingly, regardless of how the tinc daemons are configured, VPN traffic is sent directly to the destination node wherever possible, without detours, and a new node is introduced simply by adding a configuration file: there is no need to launch new daemons or create new devices.
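The "add a node by adding a configuration file" model, together with the compression and OpenSSL/LibreSSL options mentioned above, looks like this in the tinc 1.0 configuration format. This is an added example, not from the original post or the tinc project; the network name, node names, addresses and subnets are assumptions.

```ini
# Constructed example: a two-node tinc 1.0 network named "office"
# (not from the original post or the tinc project; names, addresses
# and subnets are assumptions). Files live under /etc/tinc/office/.

# --- /etc/tinc/office/tinc.conf on the node "gateway" ---
Name = gateway
Interface = tun0
Mode = router
# Optional: dial out to "remote" to bootstrap the mesh.
ConnectTo = remote

# --- /etc/tinc/office/hosts/gateway (copied to every other node) ---
# Public name or IP of this node (assumption) and the default port.
Address = vpn.example.invalid
Port = 655
# Subnets this node routes: its own VPN address and the LAN behind it.
Subnet = 10.0.0.1/32
Subnet = 192.168.10.0/24
# Data-channel protection via OpenSSL/LibreSSL: cipher for
# confidentiality, HMAC digest to detect tampering.
Cipher = aes-256-cbc
Digest = sha256
# 0 = off, 1-9 = zlib levels, 10 = lzo fast, 11 = lzo best.
Compression = 9
# The RSA public key block appended by "tincd -n office -K" goes here.

# --- /etc/tinc/office/hosts/remote (a laptop with no fixed address,
#     so no Address line; it always initiates the connection) ---
Subnet = 10.0.0.2/32
Cipher = aes-256-cbc
Digest = sha256
Compression = 10
# ...public key appended by "tincd -n office -K" on that node...

# --- /etc/tinc/office/tinc-up (executable shell script on "gateway") ---
# #!/bin/sh
# ip addr add 10.0.0.1/24 dev "$INTERFACE"
# ip link set "$INTERFACE" up

# Adding a third node later means adding one more hosts/<name> file
# where it is needed; running daemons re-read their configuration on
# "tincd -n office -kHUP", so they do not have to be restarted.
```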

Today tinc is available in the repositories of most distributions, and the installation package for Windows can be downloaded from the official website. The developers have set a course toward simplifying the installation and setup of tinc-based systems, and the documentation on the website covers all the important questions, including installation specifics on the various operating systems.

In lieu of a conclusion


To deploy a VPN in your infrastructure you can always use the services of third-party VPN providers, but their services are expensive, especially if you need to connect a large number of clients to the network at once. In that case the provider also receives your corporate and personal data, and not every company is ready to take that step.

A more reliable and flexible approach seems to be setting up virtual private networks yourself on physical or virtual servers (VPS/VDS). The Internet offers plenty of detailed instructions. We also offer our own variant using a cloud VPS/VDS server from 1cloud (for Windows and for Linux). Such a solution scales easily with the current load on the virtual private network.

PS If you are interested, we are ready to share our experience in building the IaaS provider 1cloud. Here are some interesting materials we have prepared:

Source: https://habr.com/ru/post/308870/
