VPN for home lab

Recent SSL-VPN exploitations have made me disable SSL-VPN (on 7.2.10).

The reason is that I’m the only one using VPN. I use it from my computer and from my phone, both with FortiClientVPN.

Nice, though, has been the ability to use FortiToken to enable SSL-VPN 2FA.

I just need the tunnel, no portals, no user-friendly download of FortiClient.

Would you suggest setting up IPsec VPN only with some kind of hard coded secret that I deploy on the computer and phone with this use case?

How do you do it?

Why not IPsec with a certificate? Nobody’s gonna bother brute-forcing that, so you will be able to drop the token 2FA.
Alternatively IPsec with PSK + specific peer-id is arguably pretty much “username + password”. (assuming you’re looking to avoid XAUTH/EAP, which can deal with true usernames and passwords)

Or just use the free tier of something like Tailscale or OpenVPN and do away with the hassle.

I use the free FortiClient VPN to access my 61E using IPSec. It’s pretty easy to set up. I switched from SSL after all the vulnerabilities. If you have access to the Cookbook for your version of FortiOS, it’s a great resource. I also use site-to-site IPSec tunnels to two other 61Es that I manage.

I run OpenVPN with a free 2-user license with SAML auth to my 1-user Azure tenant.

Could you please provide the CVE you’re talking about?

Thank you for your valuable insights!

Honestly I think for the OP’s use case (home user with one person) from a security / cryptographic standpoint, IPSec with a PSK + peer ID is fine. I doubt that’s going to get brute forced – none of the strange IPSec traffic I’ve caught on my firewall looks like an attempt to brute force the PSK.

It’s a lot more dangerous in a corporate / multi-user setting for on-client stealer malware to extract those credentials. And for the OP’s fear, who knows, maybe one day we’ll see an IPSec VPN zero day even though it has fewer userspace components involved but more kernel and ASIC attack surface.
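As an added illustration of the two options the replies above describe (PSK + fixed peer ID, or certificate authentication), here is a FortiOS CLI sketch of a dial-up IKEv2 IPsec phase 1 for a single FortiClient user; it is not from any poster and not Fortinet’s own documentation. The interface name, tunnel and LAN addresses, the "lab-lan" address object, the peer ID, the PSK and the certificate/CA names are placeholders, firewall policies are omitted, and the `#` lines are annotations rather than CLI input.

```text
# Option A: PSK plus a fixed peer ID; both must match before phase 1 completes.
config vpn ipsec phase1-interface
    edit "homelab-psk"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "homelab-client"
        set proposal aes256gcm-prfsha384 aes256-sha256
        set dhgrp 20 14
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 192.168.1.1
        set ipv4-split-include "lab-lan"
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-SECRET"
    next
end
# Option B: certificates; the client cert must chain to the lab CA and carry the expected CN.
config user peer
    edit "homelab-client-cert"
        set ca "Lab-CA"
        set cn "homelab-client"
    next
end
config vpn ipsec phase1-interface
    edit "homelab-cert"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set certificate "Lab-FGT-Cert"
        set peertype peer
        set peer "homelab-client-cert"
        set proposal aes256gcm-prfsha384 aes256-sha256
        set dhgrp 20 14
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.30
        set ipv4-end-ip 10.10.10.40
        set ipv4-netmask 255.255.255.0
        # same ipv4-dns-server1 and ipv4-split-include lines as option A
    next
end
config vpn ipsec phase2-interface
    edit "homelab-psk-p2"
        set phase1name "homelab-psk"
        set proposal aes256gcm aes256-sha256
    next
end
```

The `ipv4-dns-server1` line is what pushes the lab resolver to the client, so names on the lab LAN resolve through the tunnel; option B needs its own phase 2 entry with `set phase1name "homelab-cert"`.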

Thank you. Didn’t manage to enable local DNS resolving though. Do you know what has to be done to enable that?

It’s a historical one, CVE-2024-21762. But there’s a trend that SSL-VPNs are targets for threat actors.