Koozali.org: home of the SME Server

Koozali SME v10 PPTP deprecated

ReetP
« on: December 11, 2020, 08:50:55 PM »
FYI we have taken the decision to deprecate and remove PPTP from Koozali SME v10.

This follows decisions by Apple to remove it from Macs, and at some stage I am sure Microsoft will follow suit.

The reasons are plastered all over the internet and have been for a long time.

People like it because it is 'fast'. And that is the reason it is so insecure - it has extremely weak encryption.

It has more holes than a colander, and there are alternatives that are much better which you will be able to install on v10.

For roaming clients we suggest you look at either OpenVPN, or the weaker but somewhat simpler Ipsec/L2tpd.

OpenVPN is very good and very strong, but it needs a downloadable client and SSL certificates (which can be generated by PHPKi).

Ipsec/L2tpd support is built into most phones, and only requires passwords. The encryption is not as strong as OpenVPN, but better than PPTP. Its major drawback is with multiple connections from the same IP/gateway. It does work quite well.

I may look at Ipsec v2 for mobile clients, but the big issue here is that newer versions of Libreswan (the default ipsec implementation for RHEL/CentOS currently) that support it have too high a level of encryption for most mobiles.....  :shock:

I may also try and look at the new Wireguard protocol, but like OpenVPN it does not have a built in mobile client as yet.

In general development we still have a few more services to migrate to systemd at which point we'll look at rolling a Beta.

If you want to know more, or better still want to help, please contact us and come and chat on Rocket.Chat.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

elmarconi
Re: Koozali SME v10 PPTP deprecated
« Reply #1 on: March 19, 2021, 11:08:56 AM »
> I may also try and look at the new Wireguard protocol, but like OpenVPN it does not have a built in mobile client as yet.

I see both Android and iOS clients are available now? https://www.wireguard.com/install/

Been using it for quite some time now on a Debian Proxmox machine. Impressive/stable/fast.

ReetP
Re: Koozali SME v10 PPTP deprecated
« Reply #2 on: March 19, 2021, 01:42:50 PM »
If I had the time....

At the minute I can't even get to test my ipsec stuff.

Feel free to leap in and build something.

Best place to chat development is on my RocketChat box. Just ask me for an account.

ReetP
Re: Koozali SME v10 PPTP deprecated
« Reply #3 on: March 19, 2021, 01:59:55 PM »
Actually, documenting some working configs would be useful.

You can probably install wireguard on a v10 box.

You should be able to create a configuration as it seems to add/remove its own IP tables rules so you don't have to jigger about with that so much.

Tricky bit will probably be routing, as ever.

If it's a bridge/in the same network you need to make sure the vpn addresses don't clash with DHCP.

If it is like openvpn routed then it can use its own address range but needs some routing.

All 'doable'..... With some time.....

sages
Re: Koozali SME v10 PPTP deprecated
« Reply #4 on: March 19, 2021, 03:14:56 PM »
FWIW I run sme as a server only and currently use openwrt on a tp-link c7v5 box as a gateway/firewall. I'm running wireguard on the tp-link box as both a roadrunner terminating device and a fixed link to a vps server. Recommend it as fast and lightweight as far as processing usage. Only fiddly part is the allocation of IP addresses for the links. It's a manual process. Have a combo of win7/10 and android devices working with it.

ReetP
Re: Koozali SME v10 PPTP deprecated
« Reply #5 on: March 19, 2021, 04:28:22 PM »
Yeah - don't think a basic setup would be massively difficult.

However.....

The tricks are:

1. sorting the IPs out
2. routing if necessary
3. templating that for Koozali SME <<<< with keys etc. this is non-trivial
4. Building an rpm

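The address-planning concern raised in replies #3 to #5 (manually allocated peer addresses that must not clash with DHCP or with each other) can be checked before a config is deployed. The following is an added example, not part of the thread or of Koozali SME: the function names, the sample config and the DHCP pool are constructed, keys are omitted from the sample, and only IPv4 is assumed.

```python
import ipaddress

# Constructed wg-quick style sample; addresses are made up, key lines omitted.
SAMPLE_CONF = """\
[Interface]
Address = 192.168.1.200/24

[Peer]
# laptop
AllowedIPs = 192.168.1.201/32

[Peer]
# phone: inside the DHCP pool
AllowedIPs = 192.168.1.120/32

[Peer]
# tablet: same address as the laptop
AllowedIPs = 192.168.1.201/32
"""

def peer_networks(conf_text):
    """Return the AllowedIPs networks of every [Peer] section, in file order."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "peer" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "allowedips":
                nets += [ipaddress.ip_network(v.strip(), strict=False)
                         for v in value.split(",") if v.strip()]
    return nets

def find_clashes(conf_text, dhcp_start, dhcp_end):
    """Report peer networks that overlap the DHCP pool or an earlier peer."""
    pool = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)))
    problems, seen = [], []
    for net in peer_networks(conf_text):
        if any(net.overlaps(p) for p in pool):
            problems.append(f"{net} overlaps DHCP pool {dhcp_start}-{dhcp_end}")
        if any(net.overlaps(s) for s in seen):
            problems.append(f"{net} overlaps another peer")
        seen.append(net)
    return problems

if __name__ == "__main__":
    for problem in find_clashes(SAMPLE_CONF, "192.168.1.100", "192.168.1.150"):
        print(problem)
```

For a routed setup with its own address range, the same check still catches two peers being handed the same address.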