Best VPN server to use on Fedora

Michael H. Warfield mhw at wittsend.com
Thu Oct 27 15:00:21 UTC 2005


On Thu, 2005-10-27 at 05:39 -0700, Rick Lim wrote:
> 
> -----Original Message-----
> From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com]
> On Behalf Of Leonard Isham
> Sent: Thursday, October 27, 2005 4:50 AM
> To: For users of Fedora Core releases
> Subject: Re: Best VPN server to use on Fedora

	:

> > Hi Kenneth,
> >
> > I have looked at OpenVPN, from what I can figure out.... with a Linux VPN
> > server and windows xp clients you would have to install OpenVPN on the
> > windows machine.
> >
> > I don't want to have to install OpenVPN on each windows machine, windows xp
> > already has a client built in, I would like a Linux server that would work
> > with the built in windows client, am I wrong in assuming that OpenVPN on the
> > Linux box will not work with the XP client?


> While I don't know your situation...

> The Microsoft included Windows VPN clients are insecure.  Which has
> been proven multiple times.  I would only implement a Windows solution
> under protest.  In fact I have migrated people to OpenVPN.

> I find the installation of the windows client trivial and you end up
> with a reliable secure solution.

> --
> Leonard Isham, CISSP
> Ostendo non ostento.
> 
> Not trying to doubt your word, but can you point me towards articles to
> prove the built in VPN to be less than desirable?

	He's thinking of the old Windows NT / Windows 2000 PPTP VPN which was
horrible.  Bruce Schneier (of Applied Cryptography fame) and Mudge
(L0pht) tore it to shreds and MS partially fixed some of the problems
they uncovered.  It was supported under Linux through the PopTop project
but I wouldn't use it at gunpoint.  It also had troubles with NAT
devices because it used GRE (IP protocol 47) encapsulation tunnels which
were not real well supported.

	Windows XP supports IPSec NAT-T for its VPN and it does interoperate
with Linux (OpenSWAN, StrongSWAN, or Racoon).  I would recommend you
check out the OpenSWAN project for more documentation on setting all
that up and setting up the X.509 certificates you're going to need.  I
haven't personally set one of these up but there are people on the
OpenSWAN list who have discussed doing exactly what you are trying to
do.

> I have to be able to prove my case to my users that the installation of
> "another" client is required......

> Thanks.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!