openvpn-als-devel Mailing List for OpenVPN ALS
Brought to you by: francisdinha, mattock
This list is closed, nobody may subscribe to it.
|
From: Mark P. <pa...@in...> - 2013-06-07 15:12:14
|
Has anyone thought of only using the OpenVPN browser plugin from the old project, and doing everything else in another way? FusionDirectory comes to mind for me - part of its job is to manage LDAP users, and OpenVPN can auth against LDAP.

FusionDirectory is software that manages all kinds of services via LDAP and RPC through optional plugins... a quite impressive list actually, i.e. Samba, email + groupware (SOGo, Kolab etc...), addressbooks, DNS, DHCP, ssh, Asterisk, Windows and Linux OS and software deployment via PXE, FAI and OPSI (very cool!) and plenty more.

User management for OpenVPN would be simple enough without even requiring a plugin, i.e. have an LDAP group called "openvpn" and only auth users that belong to this group. Anything more would require writing a FusionDirectory plugin, but this is well documented, and the developers are helpful and can be found on IRC (#fusiondirectory on FreeNode).

--
Mark Pavlichuk
Strategic IT
ph. (07)47242890 m. 0409 124577
|
From: Arne M. J. <am...@pr...> - 2013-06-07 13:48:49
|
It doesn't. Openvpn is a poor replacement for that use case. Afaik there is no good free SSL (meaning via https, not just a client that uses port 443) VPN alternative. I'd recommend looking into Juniper's SSL solution. Microsoft offers UAG. Barracuda is based on adito (open-vpn als). In fact Barracuda bought the guys that originally started the project.

-----Original Message-----
From: CARTWRIGHT, CORY C [mailto:cc...@at...]
Sent: 7. juni 2013 15:23
To: sam...@gm...; ope...@li...
Subject: Re: [Openvpn-als-devel] FW: Project status

Ok, thank you

I have used open-vpn for site to site, but have not seen the same functionality mainly web based SSL/TLS with downloadable client. Did I miss something?

-----Original Message-----
From: sam...@gm... [mailto:sam...@gm...]
Sent: Friday, June 07, 2013 9:19 AM
To: ope...@li...
Cc: CARTWRIGHT, CORY C
Subject: Re: [Openvpn-als-devel] FW: Project status

Short answer: yes, the project is dead. I suggest taking a look at OpenVPN:

<http://openvpn.net>

That's the "de facto" open source VPN and actively maintained and developed.

Samuli

> Hello,
>
> Is this project completely dead? I have seen some posts as recent as
> 2012, any chance of starting this up or is there another similar project?
>
> Thanks,
|
From: <sam...@gm...> - 2013-06-07 13:27:18
|
OpenVPN is not a web-based SSL VPN. I'm also not aware of any new (open source) web-based SSL VPNs. There should be plenty of commercial, integrated hardware/software offerings available, but those have their downsides[1].

Samuli

[1] E.g. what do you do if the one hardware you have crashes and you can't reinstall/replace it quickly?

> Ok, thank you
>
> I have used open-vpn for site to site, but have not seen the same
> functionality mainly web based SSL/TLS with downloadable client. Did I miss something?
>
> -----Original Message-----
> From: sam...@gm... [mailto:sam...@gm...]
> Sent: Friday, June 07, 2013 9:19 AM
> To: ope...@li...
> Cc: CARTWRIGHT, CORY C
> Subject: Re: [Openvpn-als-devel] FW: Project status
>
> Short answer: yes, the project is dead. I suggest taking a look at OpenVPN:
>
> <http://openvpn.net>
>
> That's the "de facto" open source VPN and actively maintained and developed.
>
> Samuli
>
>> Hello,
>>
>> Is this project completely dead? I have seen some posts as recent as
>> 2012, any chance of starting this up or is there another similar project?
>>
>> Thanks,
|
From: CARTWRIGHT, C. C <cc...@at...> - 2013-06-07 13:23:04
|
Ok, thank you

I have used open-vpn for site to site, but have not seen the same functionality mainly web based SSL/TLS with downloadable client. Did I miss something?

-----Original Message-----
From: sam...@gm... [mailto:sam...@gm...]
Sent: Friday, June 07, 2013 9:19 AM
To: ope...@li...
Cc: CARTWRIGHT, CORY C
Subject: Re: [Openvpn-als-devel] FW: Project status

Short answer: yes, the project is dead. I suggest taking a look at OpenVPN:

<http://openvpn.net>

That's the "de facto" open source VPN and actively maintained and developed.

Samuli

> Hello,
>
> Is this project completely dead? I have seen some posts as recent as
> 2012, any chance of starting this up or is there another similar project?
>
> Thanks,
|
From: <sam...@gm...> - 2013-06-07 13:19:20
|
Short answer: yes, the project is dead. I suggest taking a look at OpenVPN:

<http://openvpn.net>

That's the "de facto" open source VPN and actively maintained and developed.

Samuli

> Hello,
>
> Is this project completely dead? I have seen some posts as recent as
> 2012, any chance of starting this up or is there another similar project?
>
> Thanks,
|
From: CARTWRIGHT, C. C <cc...@at...> - 2013-06-04 16:43:09
|
Hello,

Is this project completely dead? I have seen some posts as recent as 2012, any chance of starting this up or is there another similar project?

Thanks,
|
From: Alan E. <ala...@gm...> - 2011-01-07 04:12:53
|
Ok I started to write this b/c I figure if you have an idea of a project who better to write it than you. I got about an hour and only 20 lines in and decided that perhaps I am *not* the best person to write it. (As in I am not a Java developer...)

What about an extension that tries to fire off a native RDP client? Make a class that runs on the client, pulls the system property "os.name" and then builds a command to execute for the system in question. It would take some arguments from the openvpn-als server and then translate those as appropriate.

For example on Windows it might create an RDP file and pass that to mstsc. On Linux it might just call rdesktop with the right switches. If it's unable to find a suitable native client then it might go ahead and fire up the Java Client.

Regards,
-Alan
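The launcher idea in the message above, sketched as an added example (not code from the list or from OpenVPN ALS, and in Python rather than the Java class the post has in mind). `plan_launch`, `LaunchPlan` and the `{rdp_path}` placeholder are hypothetical names; the point shown is that server-supplied values are validated and passed as an argument list, never as a shell string.

```python
import re
import shutil
from typing import NamedTuple, Optional

# Hypothetical validation rules: DNS hostnames / dotted IPv4 only, no IPv6.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# User may be "alice", "alice@corp" or "CORP\alice"; must not start with "-".
USER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@\\-]{0,63}")

RDP_PATH = "{rdp_path}"  # placeholder the caller replaces with a temp file path


class LaunchPlan(NamedTuple):
    argv: list                 # argument vector, to be run without a shell
    rdp_file: Optional[str]    # contents of the .rdp file (Windows only)


def validate(host, port, user):
    """Reject values that could smuggle options or extra .rdp settings."""
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        raise ValueError("host is not a plain hostname or IPv4 address")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if not USER_RE.fullmatch(user):
        raise ValueError("user contains characters outside the allowed set")


def plan_launch(os_name, host, port, user, which=shutil.which):
    """Map an os.name-style string to a native RDP client invocation.

    Returns None when no native client is found, which is the cue to fall
    back to the Java client as the message suggests.
    """
    validate(host, port, user)
    family = os_name.lower()
    if family.startswith("windows"):
        exe = which("mstsc")
        if exe:
            rdp = f"full address:s:{host}:{port}\r\nusername:s:{user}\r\n"
            return LaunchPlan([exe, RDP_PATH], rdp)
    elif family == "linux":
        exe = which("rdesktop")
        if exe:
            return LaunchPlan([exe, "-u", user, f"{host}:{port}"], None)
    return None


if __name__ == "__main__":
    # Constructed sample values, resolved with a fake lookup so this runs anywhere.
    fake_which = lambda exe: "/usr/bin/" + exe
    print(plan_launch("Linux", "ts1.example.org", 3389, "alice", which=fake_which))
    print(plan_launch("Mac OS X", "ts1.example.org", 3389, "alice", which=fake_which))
```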
|
From: <sam...@gm...> - 2010-07-14 06:42:28
|
> Greetings...I'm a Java developer and would be interested in helping out. I'd
> need to get trained up somewhat on how to build the system. A co-worker of mine
> uses Adito/OpenVPN-ALS and can help me get things working. As CTO of my company,
> I can offer some part-time expertise (Java, J2EE, etc). It would be good to
> re-vamp the architecture, but first we'd need to get really familiar with it -
> so help would be needed. Let's talk - what's the best way to move forward? I'll
> cross post to other list as well. Some of the suggested so far sound good.

Hi,

There are a few outstanding issues with Adito/ALS project, which were discussed in this thread:

<http://sourceforge.net/mailarchive/message.php?msg_name=4BBC4A1B.701%40gmail.com>

In a nutshell Adito/ALS development has stalled and fixing the situation is exceedingly difficult. A number of companies and individuals have contributed to the project, but what the project needs to survive is core developers who really know Adito/ALS inside out. Unfortunately there has only been one (corporate-sponsored) core developer and he stopped working on the project in May 2009.

Please read the mailing list thread (above) for a much more detailed analysis of the situation.

Samuli (project manager)
|
From: Behrens <for...@r2...> - 2010-07-11 21:45:22
|
Greetings...I'm a Java developer and would be interested in helping out. I'd need to get trained up somewhat on how to build the system. A co-worker of mine uses Adito/OpenVPN-ALS and can help me get things working. As CTO of my company, I can offer some part-time expertise (Java, J2EE, etc). It would be good to re-vamp the architecture, but first we'd need to get really familiar with it - so help would be needed. Let's talk - what's the best way to move forward? I'll cross post to other list as well. Some of the suggested so far sound good. |
|
From: Dave W. <da...@na...> - 2010-05-13 12:45:24
|
> Thanks for your comments, guys! Running the Adito/ALS project has been
> fun and _very_ educational.
>
> Now we'd need somebody to start work on a similar project done with an
> eye for the community-driven development model. Probably the only part
> of Adito/ALS that could be reused is the Agent - either client part
> (incl. the applet) or both client and server parts. The second option
> would provide SSL-tunneling and would be simple enough to maintain as an
> OSS project. Also, it would not be tied to the obsolete Struts Classic
> framework as it operates outside the scope of the webapp. However, even
> separating the Agent would be a lot of work due to tight integration of
> all components in ALS.
>
> Samuli

I would like to add my thanks to you for all that has been done so far.

As for your points about the agent, et al, I was put in mind of the Java Tunnel Service (https://javatunnelservice.dev.java.net/), which seems to be a reasonable starting point for an agent replacement.

Comments?

Cheers,
Dave
|
From: praveen s. <pra...@ya...> - 2010-04-28 15:20:34
|
Please unsubscribe me from this list.

regards,
Praveen

----- Original Message ----
From: "sam...@gm..." <sam...@gm...>
To: ope...@li...
Sent: Thu, 15 April, 2010 11:01:29 PM
Subject: Re: [Openvpn-als-devel] [openvpn-als - Open Discussion] Future of Adito/OpenVPN ALS

>> If SSH access is available then I think Nautilus + gvfs-fuse works great.
> sshfs is fuse based as well I think. On my daughter's little netbook I made a
> simple solution by placing a sshfs connect script in the folder which is the
> mountpoint. So when she enters the folder and the ssh file system is not
> mounted, well the script is right there to be launched ;-)
>
> But in many cases a Linux desktop user doesn't need mounting the filesystem at
> all. At least KDE Dolphin can handle files directly over ssh by typing
> fish://user@server in the path (I think Nautilus can do equal by typing
> ssh:... in the path line).

Yep, Nautilus can access directories via SSH using ssh://user@server:/path syntax. Alternatively you can create a shortcut using "Connect to share + Add bookmark". The newer Gnome VFS versions support fuse, meaning that all mounted remote drives are available under $HOME/.gvfs/sftp on servername/ or similar.

Samuli
|
From: <sam...@gm...> - 2010-04-15 17:31:44
|
>> If SSH access is available then I think Nautilus + gvfs-fuse works great.
> sshfs is fuse based as well I think. On my daughter's little netbook I made a
> simple solution by placing a sshfs connect script in the folder which is the
> mountpoint. So when she enters the folder and the ssh file system is not
> mounted, well the script is right there to be launched ;-)
>
> But in many cases a Linux desktop user doesn't need mounting the filesystem at
> all. At least KDE Dolphin can handle files directly over ssh by typing
> fish://user@server in the path (I think Nautilus can do equal by typing
> ssh:... in the path line).

Yep, Nautilus can access directories via SSH using ssh://user@server:/path syntax. Alternatively you can create a shortcut using "Connect to share + Add bookmark". The newer Gnome VFS versions support fuse, meaning that all mounted remote drives are available under $HOME/.gvfs/sftp on servername/ or similar.

Samuli
|
From: Klaus V. S. <kl...@vi...> - 2010-04-14 19:15:25
|
On 14 april 2010 09:33:09 sam...@gm... wrote:
> > Proxy access to other websites is currently provided by
> > http://sourceforge.net/projects/poxy/ on our web server.
>
> Interesting project, have not seen that one.

It seems that the project is abandoned though - but hey if it works: don't fix it. Anyway I think there are many alternatives for simple proxy solutions out there. Might even be possible to combine it with SUMO Access Manager.

> > For Linux users to access network drives I've successfully tested drive
> > mapping over ssh (sshfs) on Linux. But in many cases Dolphin, Nautilus or
> > just plain shell are sufficient.[cut]
> If SSH access is available then I think Nautilus + gvfs-fuse works great.

sshfs is fuse based as well I think. On my daughter's little netbook I made a simple solution by placing a sshfs connect script in the folder which is the mountpoint. So when she enters the folder and the ssh file system is not mounted, well the script is right there to be launched ;-)

But in many cases a Linux desktop user doesn't need mounting the filesystem at all. At least KDE Dolphin can handle files directly over ssh by typing fish://user@server in the path (I think Nautilus can do equal by typing ssh:... in the path line).

> > Still sometimes we have users ending up behind firewalls which do not
> > allow ssh, imaps or smtps. Here some kind of tunneling would be nice.
> > Something like
> > http://ace-host.stuart.id.au/russell/files/http-proxy-tunnel/
> > might be able to solve the problem. But it seems not easy to configure on
> > the client machine.
>
> Looks a little "hackish" :).

Just what I thought.

--
Regards
Klaus
|
From: <sam...@gm...> - 2010-04-14 09:08:24
|
This mail came from an old Adito/ALS user, Silvan M. Gebhardt, but was rejected by SF.net. So here it comes:

---

If I may also contribute

I have just found the solution to replace the remaining functionality of adito for me: The Kind-of-single-signon for the user.

I have just found http://sumoam.sourceforge.net/

I might be able to plug some of my existing apps onto that - then everything works on a login. Perhaps we can add some more functionality like SMS token.

Personally, I'm starting to think about building some kind of appliance on top of apache, consisting of openVPN, Apache Proxy, and this thingie here, and some more stuff ;)

I run OpenVPN and an Apache ReverseProxy simultaneously on one Port btw. The Portsharing Feature is one thing that we should point out. I have used sslexplorer once when I only had port 80+443 available and I was not able to have more than one IP Address. Portsharing of OpenVPN is Really, Really incredible ;)

I'm thinking about suggesting the openvpn people the following:

currently the openvpn daemon proxies (layer4) to the HTTPS server running e.g. on localhost. So it looks at the traffic if it looks like openvpn or HTTPS.

Do you folks think there is a way to also detect SSH? So three services could share that port?

lg
Silvan
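The question in the message above (telling OpenVPN, HTTPS and SSH apart on one port) comes down to looking at the first bytes a client sends. The following is an added example, not OpenVPN's port-share code: a first-bytes classifier in which the backend addresses and sample byte strings are constructed, and only the client hard-reset opcode 7 is recognised for OpenVPN.

```python
import struct

# OpenVPN over TCP: 2-byte length, then one byte holding opcode (high 5 bits)
# and key id (low 3 bits). Opcode 7 is P_CONTROL_HARD_RESET_CLIENT_V2, the
# first packet of a session; other reset opcodes would be added to this set.
CLIENT_RESET_OPCODES = {7}
MIN_RESET_LEN = 14  # opcode + 8-byte session id + ack count + 4-byte packet id

# Each matcher returns True (match), False (ruled out) or None (need more bytes).


def match_tls(buf):
    """TLS handshake record (0x16, version 3.x) carrying a ClientHello (0x01)."""
    if len(buf) >= 1 and buf[0] != 0x16:
        return False
    if len(buf) >= 2 and buf[1] != 0x03:
        return False
    if len(buf) >= 3 and buf[2] > 0x04:
        return False
    if len(buf) >= 6:
        return buf[5] == 0x01
    return None


def match_ssh(buf):
    """SSH identification string, which always starts with 'SSH-'."""
    head = buf[:4]
    if head != b"SSH-"[:len(head)]:
        return False
    return True if len(head) == 4 else None


def match_openvpn(buf):
    """Short packet (< 256 bytes) whose first opcode is a client hard reset."""
    if len(buf) >= 1 and buf[0] != 0x00:
        return False
    if len(buf) >= 2 and buf[1] < MIN_RESET_LEN:
        return False
    if len(buf) >= 3:
        return (buf[2] >> 3) in CLIENT_RESET_OPCODES and (buf[2] & 0x07) == 0
    return None


MATCHERS = {"tls": match_tls, "ssh": match_ssh, "openvpn": match_openvpn}

# Constructed backend addresses for the three services sharing the port.
BACKENDS = {"tls": ("127.0.0.1", 8443), "ssh": ("127.0.0.1", 22),
            "openvpn": ("127.0.0.1", 1194)}


def classify(buf):
    """Return 'tls', 'ssh', 'openvpn', 'need-more' or 'unknown'."""
    verdicts = {name: fn(buf) for name, fn in MATCHERS.items()}
    for name, verdict in verdicts.items():
        if verdict is True:
            return name
    # A client that waits for the server's banner never leaves 'need-more',
    # so a real multiplexer pairs this with a read timeout.
    return "need-more" if None in verdicts.values() else "unknown"


def route(buf):
    """Backend for the connection, or None to keep reading / drop it."""
    return BACKENDS.get(classify(buf))


# Constructed first packets, one per protocol plus plaintext HTTP.
SAMPLES = {
    "tls": bytes.fromhex("1603010200010001fc0303"),
    "ssh": b"SSH-2.0-OpenSSH_8.9\r\n",
    "openvpn": struct.pack("!HB", 14, 7 << 3) + bytes(8) + b"\x00" + bytes(4),
    "http": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:8} -> {classify(data):9} {route(data)}")
```

Unrecognised first bytes get no backend here, so anything that is not one of the three expected protocols is dropped rather than forwarded by default.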
|
From: Eric M. <em...@fr...> - 2010-04-14 07:40:19
|
On 14/04/2010 09:12, sam...@gm... wrote:

Hello Samuli,

> Thanks for your comments, guys! Running the Adito/ALS project has been
> fun and _very_ educational.

Nice to hear.

> Now we'd need somebody to start work on a similar project done with an
> eye for the community-driven development model. Probably the only part
> of Adito/ALS that could be reused is the Agent - either client part
> (incl. the applet) or both client and server parts. The second option
> would provide SSL-tunneling and would be simple enough to maintain as an
> OSS project. Also, it would not be tied to the obsolete Struts Classic
> framework as it operates outside the scope of the webapp. However, even
> separating the Agent would be a lot of work due to tight integration of
> all components in ALS.

The agent model is a great idea.

The key feature is that Adito/SSLExplorer is clientless, and it had saved me in the past (locked down machine in an internet café for example).

Kind regards and thanks for your work on Adito.

Eric Masson
|
From: <sam...@gm...> - 2010-04-14 07:33:19
|
> (sorry for this post is not in thread as I just subscribed to this list)
> Date: 2010-04-09 12:15:34 GMT Samuli wrote:
>
>> Interesting post, kontro! So we have several alternatives. If the
>> project goes down the drain (as it seems to), I think as a last effort
>> we should document the alternatives which current Adito/ALS users have.
>
> On my previous work at the university of Copenhagen we were using SSL-
> Explorer. I guess we had some 20 - 40 users logging in on a daily basis, using
> different features in SSL-explorer. The use base was growing until 3sp pulled
> the plug and we stopped promoting SSL-explorer.
>
> I'll state where SSL-explorer made a difference for us (most point has been
> mentioned by other posts):

---

> Proxy access to other websites is currently provided by
> http://sourceforge.net/projects/poxy/ on our web server.

Interesting project, have not seen that one.

> For Linux users to access network drives I've successfully tested drive
> mapping over ssh (sshfs) on Linux. But in many cases Dolphin, Nautilus or just
> plain shell are sufficient. Many of our Linux users is powerusers anyway and
> is not scared from using the shell

If SSH access is available then I think Nautilus + gvfs-fuse works great.

> I'm unsure about MAC users.
>
> On the remote desktop side we have not decided yet. NX machine look promising,
> as it runs over ssh. But it has some issues with key mapping is f*****-up on
> non us keyboards.

I've used NX successfully over the last few years. It does indeed have some keymap/language setting issues. Perhaps most annoyingly running a local Gnome session and _then_ connecting via NX causes problems as Gnome acts weird if more than one session is running for a user.

> Luckily over time more and more services is moved to being web based, which
> solves many of the above problems.
>
> Still sometimes we have users ending up behind firewalls which do not allow
> ssh, imaps or smtps. Here some kind of tunneling would be nice.
> Something like
> http://ace-host.stuart.id.au/russell/files/http-proxy-tunnel/
> might be able to solve the problem. But it seems not easy to configure on the
> client machine.

Looks a little "hackish" :).

> Sorry this became a little long - I guess i just used this to summarized my
> own thoughts on the subject.

Well, my initial post was even longer ;).
|
From: <sam...@gm...> - 2010-04-14 07:12:49
|
> On 04/12/10 10:41, Andrew Schulman wrote:
>> Thanks very much for this discussion, Samuli.
>>
>>> I discussed the relative merits of application-layer and data link /
>>> network-layer SSL VPN's with James (CEO of OpenVPN) a while back. We
>>> concluded that the main advantage of an application-layer SSL VPN (such
>>> as ALS) is that it does not require a separate client installation
>>> (besides a web browser).
>>
>> This is indeed, for our site, a key advantage. I and several of my users work
>> on locked-down systems at work, where we don't have privileges to install
>> software, nevermind to install and configure (virtual) network interfaces. But
>> we are able to browse HTTPS sites and run Java applets within our browsers, and
>> this allows us to get complete connectivity through ALS. For us, that's where
>> the value is.
>>
>> Andrew.
>
> Hi,
>
> First, thank you Samuli, for all that work you have done to manage
> Adito/ALS and keep it as a free project.
>
> Same for us : The value in Adito/ALS stays in its "client free"
> solution. The signed pre-configured java applet is the main reason why
> in the past we chose sslExplorer and migrated to Adito/ALS.
>
> Jacques Landru

Thanks for your comments, guys! Running the Adito/ALS project has been fun and _very_ educational.

Now we'd need somebody to start work on a similar project done with an eye for the community-driven development model. Probably the only part of Adito/ALS that could be reused is the Agent - either client part (incl. the applet) or both client and server parts. The second option would provide SSL-tunneling and would be simple enough to maintain as an OSS project. Also, it would not be tied to the obsolete Struts Classic framework as it operates outside the scope of the webapp. However, even separating the Agent would be a lot of work due to tight integration of all components in ALS.

Samuli
|
From: Klaus V. S. <kl...@vi...> - 2010-04-12 16:58:54
|
(sorry for this post is not in thread as I just subscribed to this list)

Date: 2010-04-09 12:15:34 GMT Samuli wrote:

> Interesting post, kontro! So we have several alternatives. If the
> project goes down the drain (as it seems to), I think as a last effort
> we should document the alternatives which current Adito/ALS users have.

On my previous work at the university of Copenhagen we were using SSL-Explorer. I guess we had some 20 - 40 users logging in on a daily basis, using different features in SSL-explorer. The use base was growing until 3sp pulled the plug and we stopped promoting SSL-explorer.

I'll state where SSL-explorer made a difference for us (most point has been mentioned by other posts):

* The ability to work on locked down machines using the java client
* The ability to establish contact behind restrictive firewalls
* Ease of use (for end-users - mostly doctors and professors)
  The user just launched the application from the web interface:
  * Windows-remote desktop
  * VNC-remote desktop
  * web-proxy for accessing on-line libraries (IP based access)
  * drive mapping for windows users.
* Ad-hoc solutions like when a user was on a network not allowing imaps we could instruct over the phone how to configure a tunnel.

I have now moved to another department at the University. Here we use a Cisco-vpn thingie (not sure - I have never used it, as ssh is sufficient for my personal use) but I do think it looks troublesome to configure. We only promote vpn to windows users who really really needs access to network drives on the road. The MUA is setup to use login over smtps/imaps so they work most places (webmail used as fallback on restrictive networks)

If we look into the future:

The Microsoft guys told me that the new MS servers supports some kind of drive mapping over SSL which solves the drive mapping issue for Windows users. They also mentioned that new versions of outlook/exchange has some means of road-warrior connectivity. So I guess when they get that monster airborne it will solve most of the windows users problems.

Proxy access to other websites is currently provided by http://sourceforge.net/projects/poxy/ on our web server.

For Linux users to access network drives I've successfully tested drive mapping over ssh (sshfs) on Linux. But in many cases Dolphin, Nautilus or just plain shell are sufficient. Many of our Linux users is powerusers anyway and is not scared from using the shell

I'm unsure about MAC users.

On the remote desktop side we have not decided yet. NX machine look promising, as it runs over ssh. But it has some issues with key mapping is f*****-up on non us keyboards.

Luckily over time more and more services is moved to being web based, which solves many of the above problems.

Still sometimes we have users ending up behind firewalls which do not allow ssh, imaps or smtps. Here some kind of tunneling would be nice. Something like http://ace-host.stuart.id.au/russell/files/http-proxy-tunnel/ might be able to solve the problem. But it seems not easy to configure on the client machine.

Sorry this became a little long - I guess i just used this to summarized my own thoughts on the subject.

--
Regards
Klaus
|
From: Jacques L. <la...@te...> - 2010-04-12 09:36:35
|
On 04/12/10 10:41, Andrew Schulman wrote:
> Thanks very much for this discussion, Samuli.
>
>> I discussed the relative merits of application-layer and data link /
>> network-layer SSL VPN's with James (CEO of OpenVPN) a while back. We
>> concluded that the main advantage of an application-layer SSL VPN (such
>> as ALS) is that it does not require a separate client installation
>> (besides a web browser).
>
> This is indeed, for our site, a key advantage. I and several of my users work
> on locked-down systems at work, where we don't have privileges to install
> software, nevermind to install and configure (virtual) network interfaces. But
> we are able to browse HTTPS sites and run Java applets within our browsers, and
> this allows us to get complete connectivity through ALS. For us, that's where
> the value is.
>
> Andrew.

Hi,

First, thank you Samuli, for all that work you have done to manage Adito/ALS and keep it as a free project.

Same for us : The value in Adito/ALS stays in its "client free" solution. The signed pre-configured java applet is the main reason why in the past we chose sslExplorer and migrated to Adito/ALS.

Jacques Landru
|
From: Andrew S. <sou...@sn...> - 2010-04-12 08:50:22
|
Thanks very much for this discussion, Samuli.

> I discussed the relative merits of application-layer and data link /
> network-layer SSL VPN's with James (CEO of OpenVPN) a while back. We
> concluded that the main advantage of an application-layer SSL VPN (such
> as ALS) is that it does not require a separate client installation
> (besides a web browser).

This is indeed, for our site, a key advantage. I and several of my users work on locked-down systems at work, where we don't have privileges to install software, nevermind to install and configure (virtual) network interfaces. But we are able to browse HTTPS sites and run Java applets within our browsers, and this allows us to get complete connectivity through ALS. For us, that's where the value is.

Andrew.
|
From: <sam...@gm...> - 2010-04-09 12:32:26
|
Hi Russell,

Simple SSL tunnels using the Agent are really useful and much more user-friendly than use of SSH + port forwarding. In fact, I read and documented (see javadocs in "nonembedded") the client part of the Agent pretty thoroughly a few months ago. It was pretty nice code with separate threads for heartbeat and similar. From what I learned it should be possible to write a replacement for the server component. There did not seem to be anything Java-specific (e.g. RMI, object streaming) in the client-side Agent implementation, so the server part could be written in any language. That said it might be just as easy to start from scratch, perhaps borrowing some ideas from the Agent.

So there are several alternatives and lots of building blocks that could be used in a community-driven ALS replacement. If the amount of code is kept to the minimum by reusing existing components, the replacement might even be sustainable as a community-driven project. Something that would combine network-layer connectivity (e.g. OpenVPN), a reverse proxy and application-level tunneling would be pretty neat indeed.

Samuli

> Hi,
>
> I agree with many of the comments posted so far, and in particular the
> note from Samuli about the barrier to entry with the current SW - I
> tried to help fix some bugs, but it really is hard to find a way through
> the current code ... :-(. I foresee this going downhill unfortunately,
> but I do see a few advantages to OpenVPN-ALS also ...
>
> - configuration: for basic usage, setting up port forwarding for a few
> ports is easier than the network configuration that has to be done with
> OpenVPN
>
> - distro compatibility: I am running SuSE (for HW compatibility reasons,
> no other distro would install on my old HW) ... but OpenVPN Access
> Server is not available on this platform (however OpenVPN-ALS runs on
> basically any platform).
>
> - VPN-over-VPN: I am unable to get OpenVPN working over top of a (Cisco)
> VPN link, but OpenVPN-ALS works just fine (because it provides local
> port access).
>
> So it is too bad to see OpenVPN-ALS go this way - it definitely has some
> advantages (for me, and I'm sure other users).
>
> Thanks!
>
> On Thu, Apr 8, 2010 07:11 AM, ko...@us... wrote:
>
> On Thu, Apr 08, 2010 at 12:23:03PM +0200, Arne Morten Johansen wrote:
> > That being said, I think it's sad that the project is fading away.
> > Commercial alternatives are so expensive. Like $100-200 per user. Sadly our
> > economic situation is not so good that we can afford to support this
> > project, then it would just be cheaper to go commercial. I think a project
> > of this magnitude needs at least $150 000 to get started again and attract
> > new developers.
>
> Good mail from Samuli. I was interested about contributing adito some
> time ago. But when I dig deeper into source I did find same problems.
>
> Most discouraging experience were when I was studying Erlang programming
> language same time with Adito and found out how easily same problems
> could be solved with Erlang.
>
> Actually I think that Nortel built their own similar solution top of Erlang
> OS web server called YAWS (http://yaws.hyber.org/contribs.yaws).
>
> YAWS has ssl support, integrated json support and
> Linux-PAM authentication - so it supports any authentication Linux supports.
>
> I did check out YAWS source code and found out that turning it to
> Adito replacement would be quite simple (at least when comparing to JEE
> solution). Actually there is already yaws_revproxy.erl module in
> YAWS git tree. As usual nice gui would be the biggest job. Agent of course
> needs to stay JAVA.
>
> So I am happy about Samuli's new job and agree with his opinions, but
> maybe questioning Arne's view about 'project magnitude' :)
>
> (Not that I am going to start such Erlang project, just being smart ass and
> sharing my findings.)
>
> -kontro-
|
From: <sam...@gm...> - 2010-04-09 12:23:35
|
Interesting post, kontro! So we have several alternatives. If the project goes down the drain (as it seems to), I think as a last effort we should document the alternatives which current Adito/ALS users have.

Anyways, perhaps 3sp did the right thing when they sold themselves to Barracuda Networks - they can now relax and concentrate on milking money from their customers ;). Somehow I have a feeling they won't be aggressively developing the SSL-Explorer codebase now that it's as closed as it can be. I don't think 3sp benefited much from SSL-Explorer being OSS, besides good publicity and easier marketing. Also, the code that Adito / ALS community has provided (LDAP, RADIUS, clientcert and pam auth) would have just sabotaged 3sp's "Enterprise" sales.

> Good mail from Samuli. I was interested about contributing adito some time ago. But when I dig deeper into source I did find same problems.
>
> Most discouraging experience was when I was studying Erlang programming language same time with Adito and found out how easily same problems could be solved with Erlang.
>
> Actually I think that Nortel built their own similar solution top of Erlang OS web server called YAWS (http://yaws.hyber.org/contribs.yaws).
> YAWS has ssl support, integrated json support and Linux-PAM authentication - so it supports any authentication Linux supports.
>
> I did check out YAWS source code and found out that turning it to Adito replacement would be quite simple (at least when comparing to JEE solution). Actually there is already yaws_revproxy.erl module in YAWS git tree. As usual nice gui would be the biggest job. Agent of course needs to stay JAVA.
>
> So I am happy about Samuli's new job and agree with his opinions, but maybe questioning Arne's view about 'project magnitude' :)
>
> (Not that I am going to start such Erlang project, just being smart ass and sharing my findings.)
>
> -kontro- |
|
From: <sam...@gm...> - 2010-04-09 11:45:30
|
Hi Arne,

Yes, the client/driver installation on OpenVPN is tedious. I agree that this is the strong point in web-based offerings such as ALS. Perhaps a good overall solution would be to combine a simple web-based reverse proxy / replacement proxy service with full network-layer solution such as OpenVPN. There are quite a few reverse proxy solutions around:

<http://nginx.org/en>
<http://wiki.squid-cache.org/SquidFaq/ReverseProxy>
<http://www.apsis.ch/pound>

I don't know if they can be used to replace ALS' reverse proxy functionality completely, though.

I feel the core problem with ALS' codebase (for us) is that instead of integrating existing OSS components 3sp reinvented the wheel on many occasions. This means we were left with a big, complex, tightly integrated and hard to understand codebase which can't be easily used by other projects (which would get external developers interested).

An entirely separate approach is beneficial for community-driven projects. For example, Linux distributions such as Debian are extremely complex. However, instead of reinventing the wheel (=applications) Debian developers just integrate stuff together, thus limiting the effects of complexity. Most of the maintenance overhead is taken care of by external developers, not by Debian project itself. Similar approaches can be used for commercial OSS applications, but 3sp did not go that route - probably for reasons that made sense for them.

> I don't have much to add to the discussion but I just wanted to make one point of why a web-based SSL VPN is useful. In my experience OpenVPN is easy to setup and works pretty well. My main problem is the administrative overhead when trying to distribute logons for all the users. Having 500+ (new coming in all the time) mobile users and then distributing them is such a mess. A web based solution that integrates with RADIUS or Active Directory is so much easier and also easier for the end-user.
>
> That being said, I think it's sad that the project is fading away. Commercial alternatives are so expensive. Like $100-200 per user. Sadly our economic situation is not so good that we can afford to support this project, then it would just be cheaper to go commercial. I think a project of this magnitude needs at least $150 000 to get started again and attract new developers.
>
> 2010/4/8 sam...@gm... <sam...@gm...>
>
> >> As you may have noticed, ALS has not been developed actively since last
> >> summer. So what do _you_ think we should do with our project?
> >
> > First let me thank you for the excellent mail. The status of the project is important to me. I am also sorry to hear the project is currently dying slowly. The thing I can do for the project is a small donation around 100 Euro for either migration support or continuation of the development.
>
> In some environments OpenVPN (=the original one) may be somewhat difficult to configure properly. In most cases, however, it's at least as fast to setup as ALS. I managed to set up a simple VPN in ~6 hours with no prior experience. OpenVPN's user and developer communities are _very_ active and helpful in case you get stuck.
>
> I think writing migration guides (e.g. to OpenVPN (AS), Squid, Pound) would make sense. This is where our Wiki comes in handy:
>
> <http://sourceforge.net/apps/trac/openvpn-als/wiki>
>
> > Also remember that users can have large investment in existing OpenVPN-ALS in both time and money. I know of installations that have very expensive SSL certs for OpenVPN-ALS, lot of man hours to configure OpenVPN-ALS with for example user access controls and webforwardings, and all the time for the project management politics. (this can sum up to more than two full months of work)
>
> True. However, there's nothing I can do about this. I don't have the skills, time or interest to maintain the project myself and unfortunately the community-driven development model does not seem to work for ALS (for reasons stated above).
>
> Samuli |
|
From: <ko...@us...> - 2010-04-08 12:54:06
|
On Thu, Apr 08, 2010 at 12:23:03PM +0200, Arne Morten Johansen wrote:
> That being said, I think it's sad that the project is fading away. Commercial alternatives are so expensive. Like $100-200 per user. Sadly our economic situation is not so good that we can afford to support this project, then it would just be cheaper to go commercial. I think a project of this magnitude needs at least $150 000 to get started again and attract new developers.

Good mail from Samuli. I was interested about contributing adito some time ago. But when I dig deeper into source I did find same problems.

Most discouraging experience was when I was studying Erlang programming language same time with Adito and found out how easily same problems could be solved with Erlang.

Actually I think that Nortel built their own similar solution top of Erlang OS web server called YAWS (http://yaws.hyber.org/contribs.yaws). YAWS has ssl support, integrated json support and Linux-PAM authentication - so it supports any authentication Linux supports.

I did check out YAWS source code and found out that turning it to Adito replacement would be quite simple (at least when comparing to JEE solution). Actually there is already yaws_revproxy.erl module in YAWS git tree. As usual nice gui would be the biggest job. Agent of course needs to stay JAVA.

So I am happy about Samuli's new job and agree with his opinions, but maybe questioning Arne's view about 'project magnitude' :)

(Not that I am going to start such Erlang project, just being smart ass and sharing my findings.)

-kontro- |
|
From: Arne M. J. <arn...@gm...> - 2010-04-08 10:23:10
|
I don't have much to add to the discussion but I just wanted to make one point of why a web-based SSL VPN is useful. In my experience OpenVPN is easy to setup and works pretty well. My main problem is the administrative overhead when trying to distribute logons for all the users. Having 500+ (new coming in all the time) mobile users and then distributing them is such a mess. A web based solution that integrates with RADIUS or Active Directory is so much easier and also easier for the end-user.

That being said, I think it's sad that the project is fading away. Commercial alternatives are so expensive. Like $100-200 per user. Sadly our economic situation is not so good that we can afford to support this project, then it would just be cheaper to go commercial. I think a project of this magnitude needs at least $150 000 to get started again and attract new developers.

2010/4/8 sam...@gm... <sam...@gm...>

> >> As you may have noticed, ALS has not been developed actively since last
> >> summer. So what do _you_ think we should do with our project?
> >
> > First let me thank you for the excellent mail. The status of the project is important to me. I am also sorry to hear the project is currently dying slowly. The thing I can do for the project is a small donation around 100 Euro for either migration support or continuation of the development.
>
> In some environments OpenVPN (=the original one) may be somewhat difficult to configure properly. In most cases, however, it's at least as fast to setup as ALS. I managed to set up a simple VPN in ~6 hours with no prior experience. OpenVPN's user and developer communities are _very_ active and helpful in case you get stuck.
>
> I think writing migration guides (e.g. to OpenVPN (AS), Squid, Pound) would make sense. This is where our Wiki comes in handy:
>
> <http://sourceforge.net/apps/trac/openvpn-als/wiki>
>
> > Also remember that users can have large investment in existing OpenVPN-ALS in both time and money. I know of installations that have very expensive SSL certs for OpenVPN-ALS, lot of man hours to configure OpenVPN-ALS with for example user access controls and webforwardings, and all the time for the project management politics. (this can sum up to more than two full months of work)
>
> True. However, there's nothing I can do about this. I don't have the skills, time or interest to maintain the project myself and unfortunately the community-driven development model does not seem to work for ALS (for reasons stated above).
>
> Samuli |