* Linux/Windows pure SSL "VPN" Solution
From: Small, Jim @ 2004-06-02 18:10 UTC
To: netfilter
I have a situation (common) where I need access to my corporate network, but
the vendor will only allow traffic over ports 80 and 443. The vendor would
like me to do an SSL VPN as they do not want to open other ports (read--no
IPSec). I would like to do a Linux proof of concept solution using iptables
and some sort of Open Source SSL VPN (Linux server sitting on the Internet
or in one of our DMZs).
This looks promising: http://www.hsc.fr/ressources/outils/ssltunnel/
It's just what I'm looking for but it doesn't support Windows clients.
I've looked at OpenVPN, CIPE, and vTun, but none of them appear to work only
over port 443. OpenVPN works over 443, but also requires UDP/5000 which is
not possible.
Does anyone know of a pure (TCP/443 only) SSL Open Source solution?
Thanks,
<> Jim
PS I realize this is not a pure iptables question, so I'm prepared for
flames... ;-)
* Re: Linux/Windows pure SSL "VPN" Solution
From: John A. Sullivan III @ 2004-06-02 18:24 UTC
To: Small, Jim; +Cc: netfilter
On Wed, 2004-06-02 at 14:10, Small, Jim wrote:
> I have a situation (common) where I need access to my corporate network, but
> the vendor will only allow traffic over ports 80 and 443. The vendor would
> like me to do an SSL VPN as they do not want to open other ports (read--no
> IPSec). I would like to do a Linux proof of concept solution using iptables
> and some sort of Open Source SSL VPN (Linux server sitting on the Internet
> or in one of our DMZs).
>
> This looks promising: http://www.hsc.fr/ressources/outils/ssltunnel/
> It's just what I'm looking for but it doesn't support Windows clients.
>
> I've looked at OpenVPN, CIPE, and vTun, but none of them appear to work only
> over port 443. OpenVPN works over 443, but also requires UDP/5000 which is
> not possible.
>
> Does anyone know of a pure (TCP/443 only) SSL Open Source solution?
>
> Thanks,
> <> Jim
>
> PS I realize this is not a pure iptables question, so I'm prepared for
> flames... ;-)
It is on the long-term road map for the ISCS project
(http://iscs.sourceforge.net) but I don't think that will help you now unless
you have some human or financial resources to throw behind it. I'll be
curious to see how you fare - John
--
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
* Re: Linux/Windows pure SSL "VPN" Solution
From: Michael H. Warfield @ 2004-06-02 21:51 UTC
To: Small, Jim; +Cc: netfilter
On Wed, Jun 02, 2004 at 02:10:08PM -0400, Small, Jim wrote:
> I have a situation (common) where I need access to my corporate network, but
> the vendor will only allow traffic over ports 80 and 443. The vendor would
> like me to do an SSL VPN as they do not want to open other ports (read--no
> IPSec). I would like to do a Linux proof of concept solution using iptables
> and some sort of Open Source SSL VPN (Linux server sitting on the Internet
> or in one of our DMZs).
> This looks promising: http://www.hsc.fr/ressources/outils/ssltunnel/
> It's just what I'm looking for but it doesn't support Windows clients.
When I've been forced to do this, I generally use ppp over stunnel,
<www.stunnel.org>. There are Windows binaries for stunnel, but getting
ppp running on that side may be a challenge.
My general preference is IPSec NAT-T, which runs over 500/udp
and then 4500/udp, when straight IPSec (IP 50/51) is blocked but UDP
is open.
Worst comes to worst, check out CCTT, the Covert Channel Tunneling
Tool. Lots of goodies in that set for tunneling under the worst of
circumstances.
Whichever I use, I then layer IPv6 over top of that transport
and then have a complete routable addressable infrastructure I can access.
> I've looked at OpenVPN, CIPE, and vTun, but none of them appear to work only
> over port 443. OpenVPN works over 443, but also requires UDP/5000 which is
> not possible.
They have all UDP ports blocked (inbound and outbound)? That
could be challenging, then. Generally, once you initiate a connection
from the inside out, you can keep the ports open. IPSec NAT-T seems
to include a keep-alive that keeps NAT tables fresh once the SAs are
established.
> Does anyone know of a pure (TCP/443 only) SSL Open Source solution?
> Thanks,
> <> Jim
> PS I realize this is not a pure iptables question, so I'm prepared for
> flames... ;-)
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
* Re: Linux/Windows pure SSL "VPN" Solution
From: Dick St.Peters @ 2004-06-02 22:23 UTC
To: Small, Jim; +Cc: netfilter
Small, Jim writes:
> I've looked at OpenVPN, CIPE, and vTun, but none of them appear to work only
> over port 443. OpenVPN works over 443, but also requires UDP/5000 which is
> not possible.
OpenVPN defaults to port 5000 but does not require port 5000. You can
run it without ever touching port 5000.
In addition, OpenVPN is advancing rapidly, and its author, Jim Yonan,
is very open to feature requests. There is a substantial user base
and an active openvpn-users mailing list at sourceforge.net.
--
Dick St.Peters, stpeters@NetHeaven.com
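To make the point above concrete, here is an added example (not from the thread or the OpenVPN project) of an OpenVPN 2.x static-key tunnel that listens on TCP/443 and touches no UDP port at all; the hostname, tunnel addresses and key path are placeholders.

```conf
# Added example: OpenVPN 2.x static-key tunnel using only TCP/443.
# vpn.example.com, the 10.8.0.x addresses and the key path are placeholders.

# ---- server.conf (Linux box on the Internet or in the DMZ) ----
dev tun
proto tcp-server                 # TCP listener; UDP/5000 is never used
port 443                         # the one port the vendor firewall permits
ifconfig 10.8.0.1 10.8.0.2       # local / remote tunnel endpoint addresses
secret /etc/openvpn/static.key   # create with: openvpn --genkey --secret static.key
keepalive 10 60                  # ping every 10 s, restart after 60 s of silence
persist-key
persist-tun
verb 3

# ---- client.ovpn (Windows or Linux client behind the vendor firewall) ----
dev tun
proto tcp-client
remote vpn.example.com 443       # placeholder server name, port 443 only
ifconfig 10.8.0.2 10.8.0.1       # mirror image of the server's ifconfig
secret static.key                # same pre-shared key as the server
keepalive 10 60
persist-key
persist-tun
verb 3
```

The same pre-shared key must be copied to both ends out of band; on the server the only inbound firewall rule needed is one accepting TCP/443 on the external interface, with FORWARD rules for traffic arriving on tun0.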
* RE: Linux/Windows pure SSL "VPN" Solution
From: CPD - David Cardeñosa Rubio @ 2004-06-02 18:28 UTC
To: netfilter
Hi
You can try ssh port forwarding (windows clients/linux), or ppp over ssh (only
works in linux/linux env).
It's simple and easy to do to encrypt specific applications.
The major problem happens when your applications use dynamic ports (in ssh
port forwarding).
David
-----Original Message-----
From: Small, Jim [mailto:jim.small@eds.com]
Sent: Wednesday, 02 June 2004 20:10
To: netfilter@lists.netfilter.org
Subject: Linux/Windows pure SSL "VPN" Solution
I have a situation (common) where I need access to my corporate network, but
the vendor will only allow traffic over ports 80 and 443. The vendor would
like me to do an SSL VPN as they do not want to open other ports (read--no
IPSec). I would like to do a Linux proof of concept solution using iptables
and some sort of Open Source SSL VPN (Linux server sitting on the Internet
or in one of our DMZs).
This looks promising: http://www.hsc.fr/ressources/outils/ssltunnel/
It's just what I'm looking for but it doesn't support Windows clients.
I've looked at OpenVPN, CIPE, and vTun, but none of them appear to work only
over port 443. OpenVPN works over 443, but also requires UDP/5000 which is
not possible.
Does anyone know of a pure (TCP/443 only) SSL Open Source solution?
Thanks,
<> Jim
PS I realize this is not a pure iptables question, so I'm prepared for
flames... ;-)