I’ve been considering deploying an open source VPN for a few years now. A little over a year ago we moved our mail, web, directory, and some data services for both my family and my business up to Amazon Web Services (AWS). As my company requires more remote work, a need to support secure access to the company’s internal network for remote workers became apparent. I wanted to go with open source, but the solution would need to meet the following criteria:
- Support more direct real time monitoring at a lower level integrating across cloud and office computing resources
- Provide controlled remote access via VPN to internal compute resources from any remote network
- Establishing a centralized VPN service leveraging my AWS footprint as a gateway
- Allow for more secure web access for workers by allowing redirection of all internet traffic through their VPN connections while they are connected at remote locations
- MS Windows XP & 7, OS X, Linux, and Unix computers must all be able to connect through the VPN
- Access via smart phones and tablets is highly desirable – I want to move with the market as hardware shifts to a smaller physical profile
OpenVPN had the best review in regards to overall management and had a capability of routing across networks on either side of the VPN connection. OpenVPN supports MS Windows as well as Linux and Unix variants – making it a great fit for my workforce. They also provide hosted solutions that are simpler to configure with less administrative overhead, however very small businesses will find that the cost of that solution supports a fair amount of over-provisioned compute capacity that could be shared with other services on a custom cloud configuration. The configuration of a custom instance allowed for certificate based authentication and leveraged revocation lists that tie everything in with my existing certificate base easily and seamlessly without giving up control of my certificate management infrastructure. Further investigation revealed a lack of native iOS support, however the GuizmOVPN application allowed connectivity to the OpenVPN if I were willing to jailbreak the iPhone to install the application. This led me to consider use of another VPN solution that could enable access through the most popular smart phone in use by my staff without jailbreaking the phone.
OpenSWAN appeared to be a good candidate as well with a proven compatibility with iOS, being based on L2TP and IPSec based technology. After a preliminary review of the more common configuration approaches listed in various websites, I developed some concerns regarding the use of single factor / password based authentication to gain access through OpenSWAN. While password authentication is subject to brute force attacks, certificate based authentication requires an attacker to first get a valid certificate that has been previously configured for the VPN and is generally much more secure as a consequence. In addition to my security concerns, I could not immediately find an example configuration to dynamically route across subnets on opposite sides of the connection to grant users appropriate access to computers on either side of the connection. Later, I found a reference at the gadget blog that seemed pretty promising but I have not yet had the time to independently verify the approach listed therein.
I resolved to set up both VPNs to verify this perception of functional gaps in each solution and measure the level of effort in maintaining the VPN infrastructure. I found that the OpenSWAN VPN solution did in fact allow for certificate based authentication, and could be easily configured for password based authentication following some moderately complex instructions. I was ultimately unsuccessful in verifying the configuration for OpenSWAN with an iPhone 4 running iOS 6 – further investigation in the forums showed that the negotiation for the connection had changed over time after the release of iOS 4 and, while several work arounds were proposed to address those changes, none worked in my configuration. Another possible option is StrongSWAN, referenced in the serverfault blog which I have yet to attempt on my network configuration. OpenVPN, on the other hand, proved to be much simpler to configure by making minor adjustments to examples found online and was easily verified in minutes after taking an hour or so to work through the basic configuration and customize the certificate configuration to leverage my internal certificate authority.
Ultimately, OpenVPN appears to be the best open source solution for a SOHO business to deploy VPN services for their work force in terms of overall simplicity and reliability of the configuration. The certificate based authentication does require manual installation of those certificates on every connecting client device and there are a number of additional steps required on the client to complete configuration. I have successfully scripted the creation of the certificate bundle and the server side configuration file to simplify configuration to the point where the user must only supply the machine name and then install the bundle on and configure the client. OpenSWAN, on the other hand, was proving too complex to configure and too difficult to script effectively.
The challenges in configuring the VPN for iOS and the changes Apple has made to the negotiation of the connection through their native tools on iDevices also leads me to believe that iPhones / iPads are not the best device for SOHOs requiring access via smart phones to their office networks via the VPN. The forum and blog entries I reviewed indicated that Apple is very discriminating in allowing vendors access to their VPN APIs making them more suitable for enterprise products from Cisco and other commercial vendors while open source solutions are left with marginal or no access to development resources or denied placement in Apple’s app store. Conversely, Android has a native application for OpenVPN which is very highly rated. Small businesses looking to provide VPN access to mobile users should likely encourage the use of Android phones or devices if they see a heavy need for VPN access by a mobile work force that primarily leverages smart phones or tablets.