On Tue, 24 Mar 2020 07:13:27 +1000 Stuart Longland <stua...@longlandclan.id.au> wrote:
> On 23/3/20 10:26 pm, Marko Cupać wrote:
> > Anything I can do to avoid future hangs?
>
> Whilst probably not the answer you're looking for: moving away from
> PPTP would be a good start.
>
> The MSCHAPv2 authentication used in PPTP is vulnerable to dictionary
> attacks and the RC4 cipher used in MPPE (the security layer of PPTP)
> is laughably weak in today's security context. Whilst MSCHAPv2 can be
> replaced with EAP-TLS, there's no fix for MPPE.
>
> IPSec (which is built into OpenBSD) or OpenVPN (in ports) would be
> vastly superior options.

Indeed, I am also waiting for the day when I'll be able to point iked to Microsoft's implementation of a RADIUS server (NPS), which will authenticate Active Directory domain-joined machines by their machine certificate and hopefully with an additional domain user password for 2FA, authorise them by Active Directory group membership, and log their accounting in a format which can be easily parsed and converted into human-readable statistics with currently available parsers.

Uh, that sounded like I'm some kind of Microsoft fanboy, but I'm not. I just have to provide hundreds of Windows users a way to access resources on a corporate network in order to keep my bills paid. npppd's pptp helps me brilliantly (anyone remember poptop? that was hell :)

Anyway, I use IPSec extensively to connect branch office routers, both in tunnel mode for passive clients with dynamic IPs, and in transport mode for protecting GRE tunnels (OSPF). Lately I'm adding multipath redundancy over multiple ISPs using rdomains. OpenVPN also has a place on my network. OpenBSD is a miracle :)

Pardon my blatant self-promotion on the link below, but I think it's a win-win situation - I get eternal fame and glory on the Internet, and list readers get a copy/paste howto to set up an npppd pptp server with RADIUS authentication. Could come in handy in this "end of days" situation where everyone works remotely :D

https://www.mimar.rs/blog/how-to-set-up-pptp-vpn-server-with-openbsd-and-npppd

Best regards,

-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/