by Florin_Andrei 3408 days ago
Yup, it's the most actively maintained branch of all the XXXswan projects.

My experience has been that it's trivial to set up for site-to-site IPSec tunnels using PSK. It's literally install the package, copy a config file from the docs, start the service, done. I've been using it in scenarios like this for a while, works great even when the remote ends of the tunnel are something else (Cisco appliances, AWS VPN endpoints, etc).

I'm a little less sure how to implement it as a VPN endpoint for employees. There are two main issues here:

1. Having to support a variety of clients (Android, iOS, Mac OS X - perhaps also Windows and Linux)

2. Doing multifactor authentication in a way that works well

Especially when considering #1 and #2 together, it seems difficult to meet all demands. How to do multifactor in a way that works with many different clients? I don't much care what the "factors" are as long as they are "multi". E.g. certificate + individual password.

If I only had to support, say, user/pass authentication, I think that would be somewhat easily doable.

Any clues?

1 comments

No idea for #1, but regarding multifactor, I've used Strongswan with Feitian PKI smartcards. Basically, I have one card that I set up as a CA and use to sign CSRs for "user" smartcards as well as for the VPN servers. You need to have your card and PIN to connect. The private keys are stored on the cards - no PSKs. This is something cool to do if you are cheap. You may be able to do this with Yubikeys, though I haven't tried this.

https://wiki.strongswan.org/projects/strongswan/wiki/SmartCa...

https://github.com/OpenSC/OpenSC/wiki/Feitian-PKI-card

edit:

Some quick and dirty instructions to generate keys/certs that you can use with a Linux or Android client:

git clone https://github.com/ramann/smartcard-pki

cd smartcard-pki

git checkout vpn-phone

# Edit etc/vpn_server.conf to use your server's IP address

bash -x <(cat README.md | grep '`' | tr -d '`') # You really should generate the VPN server's key & request on the VPN server, but this is just to get something working

# Move vpn_server_key.pem, ca/signing-ca.crt, certs/vpn_server.crt, certs/phone.pem to your VPN server's /etc/ipsec.d/

# Edit your VPN server's /etc/ipsec.conf so that leftcert=vpn_server.crt and rightcert=phone.crt

# To set up your Android phone, just import the phone-and-ca.pfx file

# To set up your Linux client (Ubuntu 16.04 in my case), move phone_key.pem, ca/signing-ca.crt, certs/vpn_server.crt, and certs/phone.crt to /etc/ipsec.d

# Edit your client's /etc/ipsec.conf so that leftcert=phone.crt and rightcert=vpn_server.crt

# To start server: sudo ipsec start

# How to start the Android client should be obvious.

# To start Linux client: sudo ipsec start; sudo ipsec up connection_name
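The commenter's procedure boils down to three things: a CA that signs one certificate for the VPN server and one per user, a PKCS#12 bundle the Android app can import, and ipsec.conf on each side pointing leftcert at its own certificate. The following script is an added example, not the smartcard-pki repository or anything from the thread; it does the same job with file-based keys (no smartcard) so the pieces are visible, and writes the two ipsec.conf fragments. It assumes openssl is on PATH, and the names vpn.example.com, alice, the 10.10.10.0/24 pool and the password changeit are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the commenter's smartcard-pki script): a minimal
# file-based PKI for strongSwan certificate authentication plus matching
# ipsec.conf fragments. Assumes openssl on PATH; all identities and the
# PKCS#12 password are constructed placeholders.
set -eu

make_pki() {
  out=$1; server_fqdn=$2; user=$3
  mkdir -p "$out"
  # Offline CA. CA:TRUE plus keyCertSign is what lets strongSwan and the
  # client OSes treat this certificate as a trust anchor.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$out/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out/ca.key" \
    -subj "/CN=Example VPN CA" -out "$out/ca.csr"
  openssl x509 -req -in "$out/ca.csr" -signkey "$out/ca.key" -days 3650 \
    -extfile "$out/ca.ext" -out "$out/ca.crt"

  # Server certificate. The SAN must match the identity clients will be
  # told to expect (leftid on the server); the Windows and Apple clients
  # additionally insist on the serverAuth EKU.
  printf '%s\n' "subjectAltName=DNS:$server_fqdn" \
                'extendedKeyUsage=serverAuth' \
                'keyUsage=critical,digitalSignature,keyEncipherment' \
                'basicConstraints=CA:FALSE' > "$out/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out/vpn_server.key" \
    -subj "/CN=$server_fqdn" -out "$out/vpn_server.csr"
  openssl x509 -req -in "$out/vpn_server.csr" -CA "$out/ca.crt" \
    -CAkey "$out/ca.key" -CAcreateserial -days 730 \
    -extfile "$out/server.ext" -out "$out/vpn_server.crt"

  # One user certificate per person. The server trusts the issuing CA, so
  # revoking a user means revoking one cert, not touching every client.
  printf '%s\n' "subjectAltName=email:$user@example.com" \
                'extendedKeyUsage=clientAuth' \
                'keyUsage=critical,digitalSignature' \
                'basicConstraints=CA:FALSE' > "$out/user.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out/$user.key" \
    -subj "/CN=$user" -out "$out/$user.csr"
  openssl x509 -req -in "$out/$user.csr" -CA "$out/ca.crt" \
    -CAkey "$out/ca.key" -CAcreateserial -days 365 \
    -extfile "$out/user.ext" -out "$out/$user.crt"
  # Key + cert + CA in one PKCS#12 file is what the Android app imports.
  openssl pkcs12 -export -inkey "$out/$user.key" -in "$out/$user.crt" \
    -certfile "$out/ca.crt" -passout pass:changeit -out "$out/$user.p12"

  write_configs "$out" "$server_fqdn" "$user"
}

# ipsec.conf fragments. strongSwan looks up leftcert in /etc/ipsec.d/certs,
# the private key in /etc/ipsec.d/private and the CA in /etc/ipsec.d/cacerts.
write_configs() {
  out=$1; server_fqdn=$2; user=$3
  cat > "$out/ipsec.conf.server" <<EOF
conn ikev2-cert
    keyexchange=ikev2
    left=%any
    leftid=@$server_fqdn
    leftcert=vpn_server.crt
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey
    rightca=%same
    rightsourceip=10.10.10.0/24
    auto=add
EOF
  cat > "$out/ipsec.conf.client" <<EOF
conn office
    keyexchange=ikev2
    left=%defaultroute
    leftcert=$user.crt
    leftsourceip=%config
    right=$server_fqdn
    rightid=@$server_fqdn
    rightsubnet=0.0.0.0/0
    auto=add
EOF
}

# Returns 0 only if both end-entity certificates chain to the CA.
verify_chain() {
  out=$1; user=$2
  openssl verify -CAfile "$out/ca.crt" "$out/vpn_server.crt" "$out/$user.crt" >/dev/null
}

if [ "${1:-}" = "demo" ]; then
  make_pki ./vpn-pki vpn.example.com alice
  verify_chain ./vpn-pki alice && echo "PKI ok: ./vpn-pki"
fi
```

Run it as `sh pki.sh demo`. Two choices in the generated config are worth noting: rightca=%same makes the server accept only certificates issued by the CA that issued its own, which matters once more than one CA sits in /etc/ipsec.d/cacerts, and rightid on the client pins the server to the SAN in its certificate, so a different certificate from the same CA cannot impersonate the gateway. For the original poster's "certificate + individual password" requirement, strongSwan can add a second authentication round with rightauth2=eap-mschapv2 on the server, but only clients that implement multiple IKEv2 authentication exchanges (the strongSwan Android app and Linux, not the native Windows or Apple clients) can complete it.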