Again my 2 cent(o)s:

- strongswan to stay for S-2-S (supporting IKE2 explicitly now etc.) - as it has been working great (with some recent, multiple-remote-subnet issues resolved; human-layer-8 problems will continue to exist - i.e. misconfiguration)
- strongswan (L2TP/IPsec) remote VPN is a pain and, while universally supported natively in all OS-es today, it supports only 1 client behind a single public IP (a common issue when multiple users/humans sitting in the same office want to connect to the same VPC via Remote VPN)
- no way to seed routes, either route everything through the tunnel (and have your internet dropped) or add routes manually (pain)

For remote VPN - I prefer to use what is a:

- de-facto industry standard (whatever that is)
- has great/long-term support on all client devices (desktops and mobiles)

Take a look at all major firewall/VPN concentrator devices, and you will see what they offer (OpenVPN most of the time).

I understand some might like fancy and brand-new-nothing-simpler-than-this VPN solutions - but we should try to keep things within industry standards IMO and leave fancy and not-yet-long-term-tested solutions out of the consideration.

OpenVPN, as Rohit explained, has support for exporting the configuration file for you, which you import and use with your username/password - and this works on all mobile devices and up (desktop OS-es) - and from what I can see (because I have multiple VPNs in use myself for various different customers) - it's 99,99% OpenVPN which is used <---- this kind of information should bring some "help" while deciding what to use (btw, I'm not selling OpenVPN, nor preaching for it, nor have I ever "liked it" for that matter, but it seems to be among the best-supported solutions in every sense).

Cheers,

On Fri, 11 Jun 2021 at 17:04, Pierre-Luc Dion <pdion...@apache.org> wrote:

> btw, I like the idea of CloudStack offering OpenVPN as a solution !
>
> On Fri, Jun 11, 2021 at 10:40 AM Pierre-Luc Dion <pdion...@apache.org> wrote:
>
> > Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or strongswan/ikev2 ?
> >
> > Because l2tp became complicated to configure on native vpn clients on some OSes, kind of deprecated remote management VPN, compared to IKEv2.
> > I'm a bit concerned about OpenVPN for the clients, what if binaries become subscription based availability or become proprietary ?
> >
> > For sure we need the option to select what type of VPN solution to offer when deploying a cloud.
> >
> > From my perspective I cannot use/offer OpenVPN as a solution to my customers because it involves forcing them to download third party software on their workstations and I don't want to be responsible for a security breach on their workstation because of a requirement for 3rd party software that we don't control.
> >
> > On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
> >
> >> Thanks all for the feedback so far, looks like the majority of people on the thread would prefer OpenVPN but for s2s they may continue to prefer strongswan/ipsec for the site-to-site VPC feature. If we're unable to reach consensus then a general-purpose provider-framework may be more flexible to the end-user or admin (to select which VPN provider they want for their network; we heard in this thread - openvpn, strongswan/l2tp, wireguard, and maybe other providers in future).
> >>
> >> Btw, ikev2 is supported now with strongswan with this - https://github.com/apache/cloudstack/pull/4953
> >>
> >> My personal opinion: As a user of most of these VPN providers, I personally like OpenVPN which I found to be easier to use both on desktop/laptop and on phone. With openvpn as the default I imagine in CloudStack I could enable VPN for a network and CloudStack gives me an option to download a .ovpn file which I can import in my openvpn client (desktop, phone, cli...) and click connect to connect to the VPN. For certificate generation/storage, the CA framework could be used so the openvpn server certs are the same across network restarts (with cleanup). I think a process like this could be simpler than what we have right now, and the ovpn download+import workflow would be easier than what we'll get from either strongswan/current or wireguard. While I like the simplicity of wireguard, which is more like an SSH setup, I wouldn't mind doing the setup on individual VMs (much like setting up an ssh key) or using something like TailScale.
> >>
> >> Regards.
> >>
> >> ________________________________
> >> From: Gabriel Bräscher <gabrasc...@gmail.com>
> >> Sent: Friday, June 11, 2021 19:28
> >> To: dev <dev@cloudstack.apache.org>
> >> Cc: users <us...@cloudstack.apache.org>
> >> Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
> >>
> >> I understand that OpenVPN is a great option and widely adopted.
> >> I am ++1 in allowing Users/Admins to choose which VPN provider suits them best; creating an offering (or global settings) that would allow setting which VPN provider will be used would be awesome.
> >>
> >> I understand that OpenVPN is a great option and widely adopted; however, I would be -1 if this would impact on removing support for Strongswan -- which from what I understood is not the proposal, but saying anyway to be sure.
> >>
> >> Thanks for raising this proposal/discussion, Rohit.
> >>
> >> Cheers,
> >> Gabriel.
> >>
> >> On Fri., Jun 11, 2021 at 08:46, Pierre-Luc Dion <pdion...@apache.org> wrote:
> >>
> >> > Hello,
> >> >
> >> > Daan, I agree we should provide the capability to select the vpn solution to use; the question would be, should it be a global setting generic for the whole region or per VPC?
> >> > I think it should be a global setting to reduce the requirement complexity of a region, but per VPC or customer (account or domain) would be ideal.
> >> >
> >> > Hean, the current implementation from PR:2850 <https://github.com/apache/cloudstack/pull/2850> that uses strongswan does support multiple users behind the same public IPs, but I don't recall for Windows generic clients.
> >> > With OpenVPN, can you be connected to multiple VPN tunnels at the same time? We had the challenge a few times where we needed to be connected to 2 VPCs at the same time.
> >> >
> >> > I think adding support for OpenVPN is a good idea; the more options available, the better Cloudstack will be.
> >> >
> >> > I don't know if 4.15 still uses L2TP from strongswan but we've moved away from it a while ago because it was not reliable: connection kept dropping, support for only one windows client at a time, issues configuring clients, no helpful connection logs..
> >> >
> >> > An interesting improvement to be made to remote access VPN would be to optionally use dns resolution of the VR from VPN clients so a user connected to the VPN could use hostnames to access VMs. I think iptables currently blocks dns queries from the vpn.
> >> >
> >> > Cheers,
> >> >
> >> > On Fri, Jun 11, 2021 at 5:58 AM Hean Seng <heans...@gmail.com> wrote:
> >> >
> >> > > If thinking of only Site-to-Site VPN, then OpenVPN and WireGuard are not much different, or even the current one is good. Only a one-time setup at the router. However, if considering Mobile Clients, OpenVPN is more complicated.
> >> > >
> >> > > The only concern now is multiple people in the same public IP needing to access the VPN. And this consideration will be OpenVPN or Wireguard to handle this requirement. And for this purpose of multiple people in the same public ip needing to access the VPN, then we will have to think of usability and easy installation of the VPN client.
> >> > >
> >> > > We have been using OpenVPN for more than 5 years, but always there is a new PC that needs to configure the VPN Client; windows, android, ios, it is painful (we are not using access server).
> >> > >
> >> > > Currently we test on WireGuard; just forget about performance or whatsoever, just the convenience of implementation, that is very great and easy for client installation, even mobile clients on phone or tablet.
> >> > >
> >> > > On Fri, Jun 11, 2021 at 5:04 PM Daan Hoogland <daan.hoogl...@gmail.com> wrote:
> >> > >
> >> > > > This is a potential religious debate. I think it makes the most sense to try and make the provider optional and let the operator or even the end-user decide. I see how this is an extra challenge, but does it make sense?
> >> > > >
> >> > > > On Thu, Jun 10, 2021 at 10:24 AM Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
> >> > > >
> >> > > > > All,
> >> > > > >
> >> > > > > We've historically supported openswan and nowadays strongswan as the VPN provider in VR for both site-to-site and remote access modes. After discussing the situation with a few users and colleagues I learnt that OpenVPN is generally far easier to use, has clients for most OS and platforms (desktop, laptop, tablet, phones...) and allows multiple clients in the same public IP (for example, multiple people in the office sharing a client-side public IP/nat while trying to connect to a VPC or an isolated network), and for these reasons many users actually deploy pfSense or set up an OpenVPN server in their isolated network or VPC and use that instead.
> >> > > > >
> >> > > > > Therefore, for the point-to-point VPN use-case of remote access [1], does it make sense to switch to OpenVPN? Or, are there users using strongswan/ipsec/l2tpd for remote access VPN?
> >> > > > >
> >> > > > > A general-purpose VPN-framework/provider where an account or admin (via offering) can specify which VPN provider they want in the network (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to implement and maintain. Any other thoughts in general about VPN implementation and support in CloudStack? Thanks.
> >> > > > >
> >> > > > > [1] http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
> >> > > > >
> >> > > > > Regards.
> >> > > > >
> >> > > >
> >> > > > --
> >> > > > Daan
> >> > >
> >> > > --
> >> > > Regards,
> >> > > Hean Seng
> >> >
> >>
>

--
Andrija Panić
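The thread raises three concrete remote-access requirements: seeding routes so the client keeps its own default route (Andrija's "no way to seed routes"), letting several clients behind one office NAT connect at once (Rohit's and Hean's point), and resolving VR hostnames from VPN clients (Pierre-Luc's request). The fragment below is an added illustration of how an OpenVPN server config and the matching client-side .ovpn express those three things; it is not code from the thread, from the CloudStack VR, or from PR 4953/2850. Every address, hostname and file name in it is a constructed placeholder, and the comments mark which directive answers which point.

```conf
# ---------- server.conf (runs on the VPN endpoint; added example, not CloudStack's own) ----------
port 1194
proto udp
dev tun
ca   ca.crt          # placeholder: CA issued by whatever CA framework the deployment uses
cert server.crt      # placeholder
key  server.key      # placeholder
dh   dh.pem          # placeholder
topology subnet
server 10.8.0.0 255.255.255.0        # constructed client address pool

# (1) Split tunnel: only the VPC networks are pushed; the client's own
#     default route and internet access stay untouched.
push "route 10.1.0.0 255.255.0.0"    # constructed VPC CIDR
push "route 10.2.0.0 255.255.0.0"    # constructed second VPC tier

# (1b) Full-tunnel alternative (the "route everything, drop your internet"
#      behaviour native L2TP clients fall into): leave this commented out
#      unless all traffic is meant to traverse the VPN.
# push "redirect-gateway def1 bypass-dhcp"

# (3) Resolve VR-served hostnames from the client side.
push "dhcp-option DNS 10.1.0.1"      # constructed VR address acting as resolver
push "dhcp-option DOMAIN vpc.example.internal"   # constructed search domain

# (2) Several users behind the same public IP: each client is identified by
#     its own certificate (or username), not by source IP, so concurrent
#     sessions from one NAT are distinguished by their TLS session. Nothing
#     extra is needed here; keeping duplicate-cn disabled means every
#     certificate remains a distinct identity, which also keeps per-user
#     revocation and logging meaningful.
# duplicate-cn

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# ---------- client.ovpn (the file a user downloads and imports) ----------
# client
# dev tun
# proto udp
# remote vpn.example.com 1194     # constructed public address of the endpoint
# nobind
# remote-cert-tls server          # reject a server cert that is not marked as a server
# auth-user-pass                  # prompts for username/password on connect
# <ca>
# (CA certificate PEM goes here)
# </ca>
# <cert>
# (per-user certificate PEM goes here)
# </cert>
# <key>
# (per-user private key PEM goes here)
# </key>
```

With the split-tunnel pushes above, a client can hold sessions to two such endpoints at the same time (Pierre-Luc's "2 VPCs at once" case) as long as each runs on its own tun device and the pushed subnets do not overlap; the full-tunnel variant cannot, since both would fight over the default route. The client file is shown commented so the whole block is one copy-pasteable server file; the client section is what the "download .ovpn and import" workflow in the thread would hand to the user.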