A few more great things about OpenVPN:
1). The whole setup below can be duplicated on a separate server in less than an hour should a server crash
2). The second server does not require additional licensing
3). The UDP protocol can easily be switched to TCP 443 to get through pesky firewalls
4). Vista 64-bit works with the latest OpenVPN GUI
5). Log files easily show all access by username
RSA is a ripoff: they’re following in the footsteps of Microsoft, and unfortunately many companies believe RSA is the only way to secure their network.
They’re wrong, and here’s why:
OpenVPN + client cert/key signed by your own CA + PAM authentication plugin = FREE two factor authentication.
First, let’s define two factor authentication: it’s nothing more than two independent requirements when you log on, tunnel in or otherwise gain access to a network. For example you have a “pincode” or “password” that never changes (something you know). In addition you might have a key chain “token” whose code is constantly changing (something you have). Access requires both, and because the token is always changing it becomes very difficult for the wrong person to gain access with a stolen password alone.
A little background on the industry: the Citrix Access Gateway is probably the industry standard at providing a single factor authentication gateway for a small company, and I’m guessing most companies concerned with security have something very similar. The gateway or “CAG” sits behind the company’s firewall and accepts authentication requests. That’s the first factor; the second is generally a token-like system requiring users to carry around a silly key chain. Why? If a user holds a private key and client certificate issued by the company’s CA (something you have) AND must also enter a username/password (something you know), access is still two factor. The one honest caveat: a key file on disk can be copied, so it is a weaker possession factor than a hardware token unless the private key lives on a smart card or similar device (OpenVPN supports PKCS#11 for exactly that).
What absolutely amazes me is that there are open source applications that can provide 2 factor authentication for FREE.
Here’s what a working OpenVPN server config looks like using PAM (the ca, cert, key and dh directives that make up the first factor are omitted here; see the steps on openvpn.org):
# Use a TAP (layer 2) virtual device named tap0
dev tap0
# Define the subnet handed out to clients on the tap0 virtual device
server 10.8.0.0 255.255.255.0
# Needed on OpenVPN 2.1 and later before route-up is allowed to run a command
script-security 2
# Routes to be (re)established on the server once the tunnel is up
route-up "route delete -net 10.8.0.0/24"
route-up "route add -net 10.8.0.0/24 tap0"
# Allow clients to talk to one another
client-to-client
# Push the same ping settings to the clients
push "ping 10"
push "ping-restart 60"
# Routes to the internal subnets, pushed to every client
push "route 172.16.4.0 255.255.255.0"
push "route 172.16.5.0 255.255.255.0"
push "route 172.16.51.0 255.255.255.0"
push "route 172.16.8.0 255.255.255.0"
push "route 172.16.81.0 255.255.255.0"
push "route 172.16.70.0 255.255.255.0"
push "route 172.16.33.0 255.255.255.0"
# Push the DNS domain suffix
push "dhcp-option DOMAIN companyname.com"
# Keep the tunnel open with a ping every 10 seconds; restart after 120 seconds of silence.
# keepalive also pushes "ping 10" and "ping-restart 120" to clients, so the two explicit push lines above can be dropped.
keepalive 10 120
# Second factor: hand the client's username/password to PAM. The last argument ("login") is the PAM service name.
# The plugin path varies by distribution (Debian ships it as /usr/lib/openvpn/openvpn-auth-pam.so).
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
I’m going to skip a whole bunch of steps to get this working (see openvpn.org: building the CA, the server cert/key and a cert/key per client), but if the server is running with the above configuration (with no errors) you’ll have two factor authentication: 1) the client certificate signed by your CA, which the server verifies against ca.crt during the TLS handshake, and 2) the username/password of an account on the Linux box, checked by the openvpn-auth-pam.so plugin above. Both must succeed or the connection is dropped. Two things to check: never add client-cert-not-required to the server config, since that silently turns this back into single factor, and make sure the client config carries auth-user-pass, otherwise the server rejects the client before PAM ever sees a password.
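The plugin’s last argument is the PAM service name, so the line above authenticates against /etc/pam.d/login, a stack written for console logins. A dedicated service file makes the policy explicit and lets you restrict the VPN to one group. The file below is an added example, not part of the original post: it assumes Linux-PAM with pam_unix.so and pam_succeed_if.so available, and a group named vpnusers that you create yourself. With it in place the plugin line becomes `plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn`.

```conf
# /etc/pam.d/openvpn  (added example; module names assume Linux-PAM,
# the group "vpnusers" is an assumption and must exist on the box)

# Only members of vpnusers may even attempt the password check;
# everyone else fails here without touching /etc/shadow
auth     required   pam_succeed_if.so user ingroup vpnusers quiet

# Check the username/password against the local account database
auth     required   pam_unix.so

# The plugin also calls the account stage: refuse locked or expired accounts
account  required   pam_unix.so
```

openvpn-auth-pam forks its PAM helper before OpenVPN drops privileges with the user/group directives, so pam_unix can still read /etc/shadow even when the daemon itself runs as nobody. A failed login shows up in the OpenVPN log tagged with the username, which is what the “log files show all access by username” point above relies on.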
Win XP/Vista/32bit/64bit Client Setup:
1). Install OpenVPN GUI v1.0.3
2). Copy ca.crt, the client’s signed client.crt and client.key, and the client.ovpn file into the OpenVPN config directory (C:\Program Files\OpenVPN\config by default).
Here’s the key line of the client.ovpn file:
remote 184.108.40.206 1194 (replace 184.108.40.206 with the public IP of the server)
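A complete client.ovpn that carries both factors, added here as an example rather than the original post’s file: the file names ca.crt, client.crt and client.key are assumed, the server address and the tap layer-2 setup match the server config above, and the rest are ordinary client defaults.

```conf
# client.ovpn  (added example, not the post's file; file names are assumed)
client
dev tap                      # matches "dev tap0" / "server" on the server side
proto udp                    # use "proto tcp" and port 443 if UDP is blocked
remote 184.108.40.206 1194   # server's public IP and port; replace with yours
resolv-retry infinite
nobind
persist-key
persist-tun

# Factor 1, something you have: the server verifies client.crt against its
# ca.crt during the TLS handshake; a cert not signed by the CA never gets past it
ca   ca.crt
cert client.crt
key  client.key

# Factor 2, something you know: prompt for the Linux username/password that the
# server hands to openvpn-auth-pam. Without this line the server rejects the client.
auth-user-pass

# Refuse a peer that presents a client cert as if it were the server (OpenVPN 2.1+;
# on 2.0 use "ns-cert-type server"). The server cert needs the serverAuth EKU,
# which easy-rsa's build-key-server sets.
remote-cert-tls server

verb 3
```

The ping, ping-restart and internal routes are not listed because the server pushes them; the client only needs the two credentials and where to connect.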
Save yourself $10k or $20k, learn OpenVPN.