And allowing password guessing by everybody on the internet. One weak/leaked username and password away from a breached network perimeter. Not good. Use a second factor of some kind.
Work laptops would be. For home PCs, 2-factor authentication should be used or at the very least certificates should be generated and installed. Relying only on username and password is how companies get hacked. There will be a user who uses the same password on all of their accounts: personal and work accounts.
I honestly think there’s a middle ground there somewhere. It’s kind of amazing that in 2020 client VPN is still a choice of “install this proprietary VPN client” or some mishmash of GPO, scripting, and certificate installation.
I get that both are somewhat reasonable for larger organizations that issue laptops and have actual full-time IT people who both sort it out and have the benefit of possessing the laptop prior to anyone using it remotely (along with a thought-out and defined VPN policy/setup). Those of you like this should consider yourselves kind of blessed; in my experience this is not “normal” until you get into a pretty large organization.
I work for an MSP/VAR focused on the SMB market and… it’s not like that in most of the real world. We get the right way to do it, but selling this to companies can be difficult. Pre-COVID-19 many didn’t have anything like a remote work policy; it was often some kind of golden coin issued by the owner on an ad-hoc basis to high-value people, especially if it involved a laptop for an employee mostly expected to work in the office.
We got lucky at one company that got a new “operations” person in charge of IT and managed to get them to buy into the idea that anyone who worked remotely needed a company-issued laptop for security reasons. But at plenty of other places there has been a ton of pushback on this concept from ownership who are suspicious of remote work and hate the idea of paying for laptops. And nearly all of these aren’t joke companies with 5 people in a class D office space, but 50+ employee businesses.
We’ve sold a ton of Watchguard equipment, and historically their OpenVPN-compatible SSLVPN client has been pretty solid, but the last install I did was rough due to performance issues with rural DSL users dropping connections. We had to switch to IKEv2, and what a mess. Even the vendor can’t package up an installer better than 3 folder levels’ worth of PowerShell scripts.
Sorry for that rant, but I guess it’s often tedious to hear “but you should have all these policies to be secure, it’s easy, just 3 GPOs and updates from your CA…” Technically true, but so many organizations aren’t that sophisticated. And it’s boggling that so many vendors don’t make security easier; you’d think in 2020 some industry consortium would have sorted out client VPN for security and ease of use, including Microsoft.
People using VPN are doing it from their home PCs:
Not at any respectable company I’ve heard of.
Welcome to the real world - where engineering is about trade-offs.
For home PCs, 2-factor authentication should be used or at the very least certificates should be generated and installed.
Okay, and which built-in Windows VPN client supports entering the second factor?
We also all realize that you shouldn’t be using email as a second factor, and of course I don’t have a cell phone. So I’m assuming we’re talking about a hardware token. But I don’t think RSA gives these away for free. Nor do I think pfSense supports them. Nor do I think Windows supports them.
I honestly think there’s a middle ground there somewhere.
The middle ground is not really to bother with VPN. Run a bunch of virtualised workstations, provide some kind of web gateway with 2FA that can RDP to them.
…and that’s kinda it.
I’m sorry but there are legit very few companies where work is allowed on personal PCs. This is one of the easiest low-hanging lawsuit-combatting things a company can do.
- Question: how to have pfSense support Windows 10 inbox VPN clients.
- Answer: You shouldn’t be doing that.
This isn’t stackoverflow.
I’m a software developer. I will work wherever and whenever I like. If someone doesn’t like it: that’s their problem.
Now if we can get back to the question of how to add pptp support to pfSense
Realistically, if a company doesn’t have the opsec to prevent ransomware from employees using personal machines, they probably don’t have the opsec to prevent ransomware from employees using corporate machines either.
how to add pptp support to pfSense
go do it. submit your patches upstream. see how popular they are.
Is security not a consideration for some reason?
PPTP should be considered obsolete.
I’m not sure this is even a good idea; however, if you’re going to make your network more vulnerable, I’d say ditch the PPTP idea and forward translated ports to a(some) terminal server(s) and send out some RDP files for the end users to connect with. This way you’re not using home computers, and the chance of an RDP attack I think should be lower if you use random ports in the 30000-50000 range on the outside. Still not Fort Knox, but better than using PPTP IMHO. Good luck.
Not entirely true, and I kinda feel bad for them in this specific scenario because our govt implemented an island-wide curfew due to COVID-19 out of nowhere with no prior warning (up until the last day they were saying “All is good” due to wanting to take in candidates’ papers for the upcoming election). And since everyone was confined to their homes overnight, local ISPs’ customer support centers were now being hammered by every random Karen and Joe for the most mundane of tasks, like adding a few gigabytes, checking balances, adding a TV channel to their subscription, router repairs, etc.
Since the contact centers are traditionally run from dedicated call centers, the ISPs hadn’t made any DR plans to transition their call centers to work from home in case of emergencies, because our country never really faced any sort of large-scale disaster, but COVID-19 was a real eye-opener to say the least.
Anyway, what they did was allow remote workers VPN access to their entire core network, with full access to file shares, corporate web portals, and various web applications, instead of only allowing access to call center applications.
And since they did not have new laptops available to distribute to call center workers, and were unable to buy a large number of laptops in 1 or 2 days from distributors in the midst of a pandemic, they sloppily set up the VPN on the home computers of the office workers.
The rest is history. They assume someone probably downloaded a ransomware’d torrent and ran an executable, which spread through the file shares and everyone was ransomware’d. What is worse is that this ransomware supposedly spread to their management interfaces and ransomware’d the customer-data-holding Oracle database machines as well. The whole ISP was barely functioning for 3-4 weeks but recovered afterwards; they probably didn’t pay. It was so bad that for a month they moved a lot of automated functionality to paper-based items.
The ransomware was found out to be “REvil”. Anyway, this serves as a cautionary tale for all, and especially for us, since this was our country’s biggest ISP. Everyone in the IT industry took notice, to say the least.
how to add pptp support to pfSense
go do it. submit your patches upstream. see how popular they are.
If that’s the answer, that pfSense does not (and will not) support in-box Windows VPN clients for standard users: then say that.
There’s no shame in answering the original post honestly and directly:
pfSense cannot do this
Just answer his question.
I don’t know how it happens, but I’ve known a couple of places that have gotten nuked by RDP attacks even when the listening ports were changed to high-numbered ports and the firewall had competent port scan mitigation. I think large botnets are able to distribute port scanning effectively over so many IPs that it takes really sophisticated IDS logic to even know it’s happening and how to stop it.
The question was “Is there any VPN Server option in pfsense that’s compatible with the built-in VPN Client default options in Windows 10?” All of our answers that didn’t involve PPTP are perfectly answering his question. You’re just being purposefully daft for the point of being contrary.
All of our answers that didn’t involve PPTP are perfectly answering his question.
But someone, not me, asked about not using certificates.
And then people went on safari about the nature of security and the existential meaning of “working” from home.
Did you miss the part where I mentioned it works with MSCHAPv2, which is password based?
I’ve gotten it working with both MSCHAPv2 and EAP-TLS (password vs cert)
We didn’t go on a “safari”; you were the one who was implying this had to be about someone working on their home PC.
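The combination the poster above describes, Windows 10’s inbox VPN client talking IKEv2 to pfSense with either MSCHAPv2 (password) or EAP-TLS (certificate) user authentication, can be pushed to a Windows machine with the built-in VpnClient cmdlets rather than a folder tree of vendor scripts. The script below is an added example and is not code from this thread or from pfSense; it sets up the password (MSCHAPv2) variant, since that is the one the thread is arguing about. The connection name, server hostname and CA file path are assumptions for illustration. The security-relevant parts are that the CA which signed the pfSense server certificate is installed so the client actually validates the server (with MSCHAPv2 that validation is the only thing keeping the password away from an impostor server), and that the client’s default IKEv2 proposals, which still offer SHA-1 and DH group 2 (1024-bit MODP), are replaced with a modern set that the pfSense Phase 1/Phase 2 entries must match exactly.

```powershell
# Added example (not from the thread or pfSense): configure the Windows 10 inbox
# VPN client for IKEv2 to a pfSense IPsec server using MSCHAPv2 user credentials,
# and pin strong IPsec proposals. Run from an elevated PowerShell prompt.
# $ConnName, $Server and $CaFile are assumptions for illustration.

$ConnName = "Office-IKEv2"
$Server   = "vpn.example.com"                # must be in the server cert's SAN
$CaFile   = "C:\Deploy\office-vpn-ca.crt"    # CA that issued the pfSense server cert

# 1. Trust the issuing CA in the *machine* Root store. The client only protects the
#    MSCHAPv2 password if it can verify the server certificate; the server cert also
#    needs the Server Authentication EKU and the hostname in its SAN.
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. (Re)create the connection for all users on the machine.
#    -EncryptionLevel Required refuses to connect if the server offers no encryption.
#    -SplitTunneling:$false sends all traffic through the tunnel (the conservative default).
if (Get-VpnConnection -Name $ConnName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -AllUserConnection -Force
}
Add-VpnConnection -Name $ConnName `
                  -ServerAddress $Server `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -SplitTunneling:$false `
                  -AllUserConnection `
                  -Force

# 3. Replace the client's weak default proposals. These must match the pfSense side:
#    Phase 1: AES-256 (CBC), SHA-256, DH group 20 (ECP384)
#    Phase 2: AES-256-GCM, PFS group 20 (ECP384)
#    Any mismatch and IKE negotiation simply fails.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup ECP384 `
    -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup ECP384 `
    -AllUserConnection `
    -Force

# 4. Show what was written so the deployer can eyeball it before shipping the script.
$conn = Get-VpnConnection -Name $ConnName -AllUserConnection
$conn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                      EncryptionLevel, SplitTunneling
$conn.IPsecCustomPolicy
```

For the EAP-TLS (certificate) variant, the same script applies except that `Add-VpnConnection` is called with `-AuthenticationMethod Eap` and an `-EapConfigXmlStream` describing the client certificate to present, and the user or machine certificate issued by the pfSense CA has to be imported into the corresponding personal store first. Either way, the proposal pinning in step 3 is the part most often skipped, and skipping it leaves the tunnel negotiating whatever the two sides’ lowest common defaults happen to be.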
this had to be about someone working on their home PC.
Not many people are going to VPN from work - you’re already there.
home PC.
Home PC, meaning personal, not home in general. Read please.
Oh, I read.
Employees need to be able to VPN to work from their home PC from home, while at home.
Your answer is:
Don’t do that.
Thanks Stackoverflow.