Resolved (1 vote)
Hi. I am attempting to move away from PPTP to a different option. I wanted to try and use IPSec. My question is how to connect something with a dynamic ip, like a mobile phone, to ClearOS? I did get the business version of swanipsec from the marketplace. I don't see a 'mobile-to-site' connection available.

Is there an instruction set in 'plain speak' that describes how IPSec can be configured to handle multiple mobile device connections? I searched the forums, and I did not find anything on this. So either it is super simple (and my noob is coming through), or it is not the solution, or maybe everyone that had the question is waiting for someone else to ask. :)
In VPN
Thursday, February 16 2017, 04:49 AM
Responses (18)
  • Thursday, February 16 2017, 01:16 PM (0 votes)
    The Static IPsec apps were never written with mobile devices in mind so you'd be a bit of a trail-blazer. If you don't want to trail-blaze, OpenVPN would be a better solution. I have it working from Windoze PCs, a Raspberry Pi, Android and iOS (iPad) and it is simple (the Pi was the hardest).

    If you want to use IPsec, IKEv2 may be a better way to go but you'd need to configure everything manually.

    If you want to use the app interface then I don't know which features your mobile o/s supports. In the webconfig you may be able to set the remote gateway to %any and not set the remote subnet. Similarly for the PSK the remote entry must be %any. For multiple devices you would need multiple conns, but they would all have to share the same PSK.

    If the above does not work, try flipping the mode to Aggressive mode. In aggressive mode you can use a Remote ID for the PSK and in the conn, but you need to specify both the phase 1 and phase 2 algorithms as they don't automatically negotiate.

    IPsec would allow you to connect in these modes without a password. The same can be achieved in OpenVPN just by commenting out one line in the .ovpn file and one line in the clients.conf, so security just relies on certificates.
  • Friday, February 17 2017, 10:35 PM (0 votes)
    Thanks again Nick.

    The reason why I am looking at IPsec is that it is 'defined' in the OS on iOS. Both iOS and Mac got rid of PPTP with their major firmware update. And since I would like to avoid shoddy OpenVPN clients on mobile devices (i.e. iOS) into which I have no code/quality insight (and with some uneducated paranoia that de facto you are trusting some random app), I was left feeling less safe than with PPTP.

    Without starting a debate <please nobody do it on this thread> if that should have been a company choice (small business) vs platform (eg Apple) responsibility <there can be a whole religiously flaming thread there>, I am left with a choice between IPsec and OpenVPN.

    I am not in the position of trailblazing just yet, if I don't have to. I am trailblazing enough just wrapping my head around setting up a decently functional server.

    So let's say I do embrace the OpenVPN app, my question about OpenVPN on ClearOS is that ClearOS provides three certificates - Windows, Linux and Mac. Which of these should be used for Android and iOS? If one of those works, that would help. And if I can leverage just certificates, that would be great. You mention commenting out a line in .ovpn - is that auth-user-pass? Also, which line in clients.conf? :)

    Thanks!
  • Saturday, February 18 2017, 08:50 AM (0 votes)
    Andreja Djokovic wrote:
    So let's say I do embrace the OpenVPN app, my question about OpenVPN on ClearOS is that ClearOS provides three certificates - Windows, Linux and Mac. Which of these should be used for Android and iOS? If one of those works, that would help. And if I can leverage just certificates, that would be great. You mention commenting out a line in .ovpn - is that auth-user-pass? Also, which line in clients.conf? :)

    Thanks!
    That is not quite right. The ClearOS app provides three certificates/keys and a pk12 file which also contains all three. I don't think I've ever needed the pk12 file but you need all three individual files. It also provides two configuration files, Windoze and Linux (the rest). In Windoze use the Windoze file and use the Linux one for all other o/s's. From memory there is only one line difference between them.

    To remove user/pass authentication comment out the auth-user-pass line in the .ovpn file and similarly comment out the "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn" line in /etc/clients.conf. While you are in clients.conf, also add the line "reneg-bytes 64000". This is because of a relatively recently discovered security flaw which does not get fixed until client and server software is upgraded to v2.4 of OpenVPN. I suspect it will be a while before RHEL adopt this version for the server and I've no idea about the client status. If you remove user/pass authentication, in Windoze you can enable the OpenVPN service and it will automatically connect when the PC starts without any user intervention. This is great for my elderly mother and mother-in-law as it always means I have remote access to give help via VNC.

    In terms of clients, on Android I use the OpenVPN Connect app which claims to be the official app and it is simple to use. I can't remember what I use on iOS. I'll have to check.
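    The two config edits Nick describes (dropping the auth-user-pass / PAM-plugin password check so authentication rests on certificates alone, and adding a reneg-bytes limit) lend themselves to a small audit script. The following is an added example, not code from the thread or from ClearOS: it parses an OpenVPN client or server config, reports whether password authentication is still active and whether a 64-bit-block cipher is in use without a reneg-bytes cap, and applies the changes from the post. The sample configs are constructed; the directive names are real OpenVPN directives and the plugin path is the one quoted above. The flaw Nick alludes to is, as far as I can tell, the 2016 SWEET32 attack on 64-bit block ciphers such as BF-CBC, which OpenVPN before 2.4 used by default; reneg-bytes forces a rekey after the given amount of traffic so one key never protects enough data for that attack. The value 64000 is the one given in the post.

```python
"""Audit an OpenVPN config for the two points raised in the post above and
apply the edits it describes: disable user/password authentication and add a
reneg-bytes limit.  Added example; the sample configs are constructed."""
import re

# Constructed client profile in the shape of a ClearOS-generated .ovpn.
SAMPLE_CLIENT_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca-cert.pem
cert client-cert.pem
key client-key.pem
cipher BF-CBC
auth-user-pass
verb 3
"""

# Constructed server config; the plugin path is the one quoted in the post.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca-cert.pem
cert /etc/openvpn/server-cert.pem
key /etc/openvpn/server-key.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
"""

# Ciphers with a 64-bit block size (the SWEET32 class); BF-CBC is what
# OpenVPN before 2.4 used when no cipher was configured at all.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "IDEA-CBC"}
PAM_PLUGIN = "openvpn-auth-pam"


def active_directives(text):
    """Yield (name, args) for every live directive, skipping comments and the
    contents of inline <ca>/<cert>/<key> blocks."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:
            in_block = m.group(1)
            continue
        name, *args = line.split()
        yield name, args


def audit(text):
    """Return human-readable findings; an empty list means both points are addressed."""
    seen = {}
    for name, args in active_directives(text):
        seen.setdefault(name, []).append(args)
    findings = []
    if "auth-user-pass" in seen:
        findings.append("client prompts for username/password (auth-user-pass)")
    if any(PAM_PLUGIN in " ".join(args) for args in seen.get("plugin", [])):
        findings.append("server authenticates passwords through the PAM plugin")
    cipher_args = seen.get("cipher", [["BF-CBC"]])[0]
    cipher = cipher_args[0].upper() if cipher_args else "BF-CBC"
    if cipher in SMALL_BLOCK_CIPHERS and "reneg-bytes" not in seen:
        findings.append(f"{cipher} has a 64-bit block and no reneg-bytes limit (SWEET32 exposure)")
    return findings


def apply_post_changes(text, reneg_bytes=64000):
    """Comment out the password directives and append reneg-bytes if absent.
    64000 is the value given in the post; the function is safe to run twice."""
    out, have_reneg = [], False
    for raw in text.splitlines():
        line = raw.strip()
        name = line.split()[0] if line and line[0] not in "#;" else None
        if name == "auth-user-pass" or (name == "plugin" and PAM_PLUGIN in line):
            out.append(f"# {raw}  # disabled: certificate-only authentication")
            continue
        if name == "reneg-bytes":
            have_reneg = True
        out.append(raw)
    if not have_reneg:
        out.append(f"reneg-bytes {reneg_bytes}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, conf in (("client", SAMPLE_CLIENT_OVPN), ("server", SAMPLE_SERVER_CONF)):
        print(f"{label} before: {audit(conf)}")
        print(f"{label} after:  {audit(apply_post_changes(conf))}")
```

Run it against your own .ovpn and clients.conf by reading the files into `audit()`; an empty findings list after `apply_post_changes()` means the client will no longer prompt and the session will rekey before the cipher's block-size limit matters. Note that with the password check gone, possession of the user certificate and key is the whole credential, so the files deserve the same handling a password would.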
  • Wednesday, October 16 2019, 08:02 PM (0 votes)
    This situation is dire!
    I just discovered that Apple Mac no longer has PPTP. I read all this gumph about PPTP being the worst protocol ever and anyone still using it is a total idiot. So I think, ah, that's easy, OpenVPN is probably the same thing. It's not and neither is IPSec. There does not seem to be a protocol which does what PPTP does that's on both a Mac and ClearOS 7.

    Customer has an Apple Mac laptop and simply wants to VPN into the LAN. IPSec can't do it because I need to know too much about the remote end of the network.
    OpenVPN can't do it because ClearOS does not seem to support it properly.

    It's not really ClearOS's fault that Apple dropped a perfectly good protocol and did not replace it with something better but surely someone has solved this?

    Is everyone using "The Cloud" or something to solve the issue of working from home?

    My current idea is to buy an ASUS router and use the PPTP on that to get into the LAN.
  • Wednesday, October 16 2019, 08:26 PM (0 votes)
    What is the problem with Macs and OpenVPN? Dave Loper uses it all the time to connect to some customer machines.

    IPsec is possible but you'd need to do a complete manual configuration of Libreswan using information on their web site.
  • Wednesday, October 16 2019, 09:35 PM (0 votes)
    Nick Howitt wrote:

    What is the problem with Macs and OpenVPN? Dave Loper uses it all the time to connect to some customer machines.

    ....


    I've no clue how to make OpenVPN work. Don't know where to start. So many config files. How do I create the certificate, where do I put it? It's a mess.
  • Thursday, October 17 2019, 07:05 AM (0 votes)
    Wayland Sothcott wrote:

    Nick Howitt wrote:

    What is the problem with Macs and OpenVPN? Dave Loper uses it all the time to connect to some customer machines.

    ....


    I've no clue how to make OpenVPN work. Don't know where to start. So many config files. How do I create the certificate, where do I put it? It's a mess.
    Try installing the app and reading its documentation (the slanted book icon).

    Give each user access to OpenVPN and Certificates. For each user, get them to log on to the webconfig and download four files (no need generally for the pkcs12 file) from one screen (OpenVPN profile, CA Cert, User Cert and User Key). This includes the certificates which are created automatically. Follow the app documentation for your client.
  • Thursday, October 17 2019, 08:47 AM (0 votes)
    https://colugcloud.gadgetmax.co.uk/index.php/s/iCXwDYxPmRyYYmX


    Is this right? It's at least attempting to connect.
  • Thursday, October 17 2019, 09:03 AM (0 votes)
    I've never used an Apple Mac. Did you import the .ovpn file into the Mac? You should do this rather than try to set up the connection from scratch manually.
  • Thursday, October 17 2019, 09:10 AM (0 votes)
    There may be an easier way to create the profile on the Mac but you have to do some prep work. Create a "unified" ovpn file as mentioned in the alternative method. This may then just allow you to import the profile and certificates by double-clicking the file attached to an e-mail. This works in iOS so may well work on a Mac. Longer term ClearOS will be going to this unified file format.
  • Thursday, October 17 2019, 10:01 AM (0 votes)
    Nick Howitt wrote:

    I've never used an Apple Mac. Did you import the .ovpn file into the Mac? You should do this rather than try to set up the connection from scratch manually.


    How do I create an .ovpn?
  • Thursday, October 17 2019, 10:03 AM (0 votes)
    Wayland Sothcott wrote:

    Nick Howitt wrote:

    I've never used an Apple Mac. Did you import the .ovpn file into the Mac? You should do this rather than try to set up the connection from scratch manually.


    How do I create an .ovpn?


    That example was from Linux Mint 19.
  • Thursday, October 17 2019, 10:22 AM (0 votes)
    The .ovpn file is one of the files you should have downloaded at the same time as when you downloaded your certificates.
  • Thursday, October 17 2019, 12:22 PM (0 votes)
    OK, with your help I have figured out OpenVPN on Linux Mint to ClearOS 7.

    My sticking point was that OpenVPN requires a bunch of certificates and I did not know how to get them.
    Opening the ClearOS WebUI as the intended VPN user provides access to the certificates via a link on the user logo on the top right. Username in my example is VPN.
    It's possible to download a suitable .ovpn config file but Mint does not seem to use this.
    I expect I should have saved the certificates somewhere sensible but they are in my downloads. See attached as to which cert file goes in which box.
    Notice I chose password with certificates so I could enter the ClearOS user name and ClearOS password.
    When I created the OpenVPN I also set a password which I put in the empty password box. I dunno if that did anything.

    This is a pain having to download and save the certificates from ClearOS onto the client but even more so when it's not clear how this is done. Obviously I know now. Contrast this with PPTP where you really only need to know three things which you probably know anyway: server public address, your username and your password. Is it this shenanigans with the certificates which makes OpenVPN secure and PPTP insecure?

    Anyway I have downloaded a Mac .ovpn and am altering it as per these instructions:
    https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_openvpn#alternative_method
    in order that OpenVPN client only needs to be given the file and it has access. That does seem less secure though. If I email them this .ovpn file someone else could get hold of it.

    Let's see if I can VPN from a Mac now.
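    The "unified" profile Nick mentions earlier and the alternative-method edit Wayland is working through here are the same thing: the CA certificate, user certificate and user key are pasted into the .ovpn inside OpenVPN's `<ca>`, `<cert>` and `<key>` blocks so that one file imports on a Mac or iOS device. The following is an added example, not code from the thread or from ClearOS. It builds such a file from the four downloads, checks that each blob is the kind of PEM object its block expects (a key pasted where a certificate belongs is the "which file goes in which box" mistake), parses the blocks back out, and saves the result readable only by its owner, since the unified file now carries the private key, which is exactly the exposure Wayland notes about e-mailing it. The profile text and PEM blobs are constructed placeholders, not real certificates.

```python
"""Assemble a single "unified" .ovpn with the CA certificate, user certificate
and user key inlined, and parse one back.  Added example; the PEM blobs are
constructed placeholders, not real certificates."""
import os
import re

# Constructed profile in the shape of the downloaded .ovpn.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca-cert.pem
cert user-cert.pem
key user-key.pem
verb 3
"""
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-USER-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-USER-KEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n"

# Which PEM header each inline block must carry.
EXPECTED_MARKER = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "PRIVATE KEY"}


def check_pem(tag, pem):
    """Raise ValueError if `pem` is not the kind of PEM object `tag` expects."""
    lines = pem.strip().splitlines()
    if (not lines or not lines[0].startswith("-----BEGIN")
            or not lines[0].endswith(f"{EXPECTED_MARKER[tag]}-----")
            or not lines[-1].startswith("-----END")):
        raise ValueError(f"<{tag}> block does not look like a {EXPECTED_MARKER[tag]} PEM")
    if "ENCRYPTED" in lines[0] or "Proc-Type: 4,ENCRYPTED" in pem:
        raise ValueError(f"<{tag}> is passphrase-protected; the client would prompt for it")


def unify_profile(profile, ca_pem, cert_pem, key_pem):
    """Return the profile with file-based ca/cert/key directives replaced by
    inline <ca>/<cert>/<key> blocks; every other directive passes through."""
    blobs = {"ca": ca_pem, "cert": cert_pem, "key": key_pem}
    for tag, pem in blobs.items():
        check_pem(tag, pem)
    kept = []
    for raw in profile.splitlines():
        line = raw.strip()
        name = line.split()[0] if line and line[0] not in "#;" else None
        if name in blobs:
            continue  # the file reference is superseded by the inline block
        kept.append(raw)
    for tag in ("ca", "cert", "key"):
        kept += [f"<{tag}>", blobs[tag].strip(), f"</{tag}>"]
    return "\n".join(kept) + "\n"


def inline_sections(unified):
    """Parse the inline blocks back out as {tag: pem_text}."""
    sections = {}
    for m in re.finditer(r"^<(\w+)>\n(.*?)\n</\1>$", unified, re.S | re.M):
        sections[m.group(1)] = m.group(2)
    return sections


def save_profile(path, text):
    """Write the profile readable only by its owner: it now carries a private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    unified = unify_profile(SAMPLE_PROFILE, SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY)
    print(unified)
    print("blocks found:", sorted(inline_sections(unified)))
```

With real downloads, read the four files into strings and pass them to `unify_profile()`, then hand the saved file to the client rather than attaching it to mail; whoever holds that one file holds the user's VPN credential, so revoking a leaked one means re-issuing the user's certificate on the server.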
  • Thursday, October 17 2019, 01:00 PM (0 votes)
    When creating certificates, using the password only affects using the pkcs12 certificate which I have never used. The other certificates are unencrypted.

    I am surprised Mint cannot import an ovpn file somehow or you may have to specify some of the settings by hand. For certificates, I'd put them somewhere else. Perhaps look at the Mint app's documentation for suggestions.

    The problem with PPTP is that it uses a broken encryption method in a way that could not be patched. PPTP is Microsoft's product and even they say not to use it. Even OpenVPN and any other encryption needs to be reviewed periodically. The problem is that as computers get more powerful it becomes easier to crack encryption. A while back we upgraded OpenVPN to 2.4 as it enabled better encryption methods to be chosen automatically as a vulnerability had appeared for weak ciphers.

    As far as I am aware the certificates are only used during the initial negotiation with a very odd form of validation. Locally your machine validates that your certificate and key were issued by your CA then the handshaking only checks that both CAs are the same. As a result of this any user can use any other user's certificate. It is not tied to the logon username. We wish it was, but then we'd have to rewrite all the client packages for every distro. Certificates only really seem to give an extra layer to the user validation rather than the encryption. It is possible to run OpenVPN without certificates. Our HowTo for server-server connections does just that.

    Security can be taken one stage further by use of CRLs so you can revoke certificates but we don't do that for the moment.
  • Thursday, October 17 2019, 01:35 PM (0 votes)
    "The problem with PPTP is that it uses a broken encryption method in a way that could not be patched."
    As is typical with intelligent people, you are focusing on making the locks on the front door even more secure whilst leaving the windows open and the key under the mat.
    I don't believe the problem with VPN is people hacking into the data stream, it's people getting hold of the keys/passwords and just using VPN in the normal way. The most obvious way would be the .ovpn file and the fact that the ClearOS username and password are used for everything such as email and FTP. (I've mitigated this by creating a separate VPN user with no file access.) The extra difficulty in using OpenVPN makes it less secure for normal people even if it makes hacking the encryption impossible. Normal crooks can't hack encryption anyway, even PPTP encryption, but they can read email. It's a shame that the replacement for PPTP is harder to use and therefore less secure. Progress.

    Anyway, thanks for your help. I'm gonna build a Hackintosh VM to test this.
  • Thursday, October 17 2019, 02:14 PM (0 votes)
    Sorry but with OpenVPN, PPTP and IPsec VPNs we are repackaging third party products. If you have an issue with their security models you can take it to them. I somehow suspect M$ won't listen. IPsec can be secured with certificates and they can be made hard to get to (in nss.db) and all products can require user/pass authentication (I run an OpenVPN instance without). iOS and Macs can secure their certificates. I believe they have to go into a keychain or something like that. Android is similar but I don't know how to do either. I have seen howtos.

    Normal crooks like the CIA and Russia almost certainly will try to listen in on encrypted conversations. That is why they spend so much money setting up facilities to crack encryption.

    OpenVPN, once set up, is no harder to use than PPTP and you can argue that both are dangerous if the user chooses the option to remember passwords when they connect!
  • Thursday, October 17 2019, 03:03 PM (0 votes)
    "OpenVPN, once set up is no harder to use than PPTP" that's a redundant statement since it's the setting up which is the hard part obviously.
    I appreciate that ClearOS is not responsible for designing VPNs, it's Apple who decided to remove one. The high level crooks such as the CIA/MI6 have probably so many ways into our computers that if you come under their spotlight you're doomed anyway. I am more concerned with competitors and employees finding an easy route in because setting these things up was so difficult that people generate a lot of clues and stop working on it the moment it works.

    I suspect that the reason we need to keep updating our computers is that the CIA planted backdoors get discovered by average bad guys so they close the old backdoors and roll out new ones for the spooks.