And it’s also worth noting that OpenWRT includes IPsec, OpenVPN and WireGuard, allowing one to use whatever VPN best matches the requirements…
I just set up my first WireGuard VPN as a Site2Site VPN for a client, using OPNsense on both sides…
OPNsense also allows all three VPNs to be used, although the GUI is a bit better than OpenWRT’s.
As a router, OpenWRT is faster than OPNsense on the same hardware.
WireGuard is almost twice as fast as OpenVPN!
Then again, it may be too “new” for some people here; some here seem to like using horse-drawn chariots as transport instead of a car or public transport…
I just hope these people aren’t trying to run NethServer on a 2.0 Kernel…
A simple man-in-the-middle attack can read ALL data!
If you’re a telco, L2TP may make sense, i.e. in transporting PPP packets to end-user devices…
But forcing the use of IPsec, when IPsec can do the job better than L2TP, and much more securely, means there is no “real” need or use for L2TP…
IPsec, OpenVPN and WireGuard cover all current use cases for VPNs (Site2Site, RoadWarriors), provide good encryption, clients for RoadWarriors, and are generally well integrated with commercial products.
IPsec is still counted as “The Standard” for VPNs, and allows for several different encryption methods. But both OpenVPN and WireGuard are valid runners-up to the crown!
…and you’re clearly determined to find fault with this project. If you actually have a need for L2TP, surely you can recommend that and it would be considered. But if all you’re trying to do is poke holes, I’d strongly encourage you to reconsider your course of action.
It wasn’t Andy who flagged your post, but it was I who agreed with the flag, because your post was pointlessly confrontational.
I won’t, because there’s nothing to reconsider. If something wrong is found, I report it. If I don’t like something, I say so. If you don’t like the way I express myself, I’m sorry, but anyway I never said bad words to anyone.
Stirring the wording once more, repeating what is already known about the goals of the project, won’t make me think better of the status or the path. I see some faults and I’m stating them, explaining why it’s not good for me.
I cannot remove malevolence or disingenuousness from your mind if you see that in me. It’s your mind and I’m for free thinking. Take it as you want; what you think of me is out of my control, and I am no marketing team here to make you believe what I want you to believe.
I won’t use L2TP (which by the way is already in every consumer OS for computers, tablets and smartphones, so it might totally be a nice feature for every appliance…) without IPsec, and some recent Android ROMs have started delivering that on IKEv2 instead of the prehistoric IKEv1. For team “Pike is tedious”: you never read me mentioning two families of products and 4 brands that are still providing L2TP/IPsec. It might be unfair and impolite to poke at that…
Is L2TP/IPsec perfect? No, for 4 reasons.
The ports are known and are part of the RFC/protocol requirements. So filtering the communications for L2TP and IPsec is quite a piece of cake for network admins and other interested entities that want to shut down the use of VPNs.
The subset of ciphers and settings is huge, so if the producer of the implementation does not allow using the already established settings of the environment, it’s quite a no-go.
On clients it might be unnerving to configure. Not all OS producers label parameters in the same way, and building the usual babelfish between your stuff and the new stuff might be … not that smooth.
Several network equipment brands use licensing and features like automated provisioning of the client for more revenue. L2TP/IPsec currently cannot provide that, but some products are delivering scripts for faster configuration of the connection on Windows (in PowerShell), just as Neth7 and Neth6 provided pre-cooked OpenVPN client configurations.
Last but not least: wording and explaining a vision outside the “kumbaya, we are all friends here and everything will be all right” is not pleasant. And I don’t consider any of the people working on the project less than capable and committed. You have your opinions, @danb35; you’re convinced that everything but me is all right and it’s just a matter of waiting.
I am not.
And NethSecurity based on IPCop (yes, there was one), where after logging in to the web interface the admin was able to disconnect the internet “for good” (and the only thing that allowed the connection again was… clicking on the connect button), with other hiccups and strange designs, is still there to remind me. Better decisions could be taken, and they happened. The firewall section of Neth6 and Neth7 (in Cockpit especially) is parsecs ahead and much better built.
I am confident that this is a step back, and I’d be very glad for the project if I turn out to be wrong.
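The first of the four points above, that L2TP/IPsec is easy to filter because its ports and IP protocol numbers are fixed by the RFCs, can be made concrete with a small flow classifier. The script below is an added example and is not code from any poster or from the NethSecurity project; it uses only the protocol-assigned identifiers (IKE on UDP/500 per RFC 7296, NAT-T on UDP/4500 per RFC 3948, L2TP on UDP/1701 per RFC 2661, ESP as IP protocol 50 and AH as 51) and a handful of constructed flow records. The WireGuard flows are included as a contrast, and the port 41000→443 one is an assumed operator choice: WireGuard’s listen port is whatever the administrator configures, so a port-based block that stops L2TP/IPsec outright does nothing to a WireGuard peer that was simply moved to another port.

```python
"""Classify flows by the fixed, RFC-assigned identifiers that L2TP/IPsec uses.

Added example (not from the forum thread or the NethSecurity project): shows
why a port/protocol filter is enough to shut L2TP/IPsec down, while the same
filter misses a VPN whose port is chosen by the operator (WireGuard here).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol-mandated values: RFC 7296 (IKE), RFC 3948 (NAT-T), RFC 2661 (L2TP),
# RFC 4303 (ESP) and RFC 4302 (AH).
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IKE_PORT = 500
NAT_T_PORT = 4500
L2TP_PORT = 1701


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    ip_proto: int
    sport: Optional[int] = None  # None for protocols without ports (ESP/AH)
    dport: Optional[int] = None


def classify_l2tp_ipsec(flow: Flow) -> Optional[str]:
    """Return which L2TP/IPsec component the flow carries, or None.

    Only identifiers the protocols require are checked, so a match is
    reliable and a block rule on the same tuples stops the tunnel outright.
    """
    if flow.ip_proto == IP_PROTO_ESP:
        return "esp"
    if flow.ip_proto == IP_PROTO_AH:
        return "ah"
    if flow.ip_proto == IP_PROTO_UDP:
        ports = {flow.sport, flow.dport}
        if IKE_PORT in ports:
            return "ike"
        if NAT_T_PORT in ports:
            return "nat-t"
        if L2TP_PORT in ports:
            return "l2tp"
    return None


def filtered_flows(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Split flows into (blocked, passed), as a VPN-blocking firewall would."""
    blocked = [f for f in flows if classify_l2tp_ipsec(f) is not None]
    passed = [f for f in flows if classify_l2tp_ipsec(f) is None]
    return blocked, passed


# Constructed sample flows for illustration only; not taken from any capture.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", IP_PROTO_UDP, 500, 500),      # IKE SA setup
    Flow("10.0.0.5", "203.0.113.10", IP_PROTO_UDP, 4500, 4500),    # NAT-T encapsulated ESP
    Flow("10.0.0.5", "203.0.113.10", IP_PROTO_ESP),                # raw ESP, no NAT in path
    Flow("10.0.0.5", "203.0.113.10", IP_PROTO_UDP, 1701, 1701),    # bare L2TP, no IPsec
    Flow("10.0.0.5", "203.0.113.10", IP_PROTO_UDP, 51820, 51820),  # WireGuard default port
    Flow("10.0.0.5", "203.0.113.10", IP_PROTO_UDP, 41000, 443),    # assumed: WireGuard moved to UDP/443
    Flow("10.0.0.5", "203.0.113.10", 6, 52000, 443),               # plain HTTPS
]

if __name__ == "__main__":
    blocked, passed = filtered_flows(SAMPLE_FLOWS)
    for f in blocked:
        print("BLOCK", classify_l2tp_ipsec(f), f)
    for f in passed:
        print("PASS ", f)
```

Running it blocks the four L2TP/IPsec flows and passes both WireGuard flows and the HTTPS flow; the point is not that WireGuard is undetectable (its handshake has other fingerprints), but that L2TP/IPsec hands the filtering party fixed identifiers that no client-side setting can change.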
Don’t know why you straight away paint me as an incurable fan.
You are free not to trust pfSense or Netgate, great, but I only stated that I like the piece of software called pfBlockerNG, which is an add-on that does my job and is still not available in OPNsense, and the huge knowledge base in their forum, obviously bigger relative to the OPNsense forum.
When I saw the progress made on NS8 since October, I can only say: please wait; if something is wrong, be sure it will be fixed or enhanced.
NethSecurity is a loved child of Nethesis; they have a long history with firewalls, going back to the time of the IPCop rebuild, which was also a product for which Nethesis sold support.
And really appreciated. But as other comments indicated too, progress and achievements are not very visible. Trello etc. are not very good instruments (way too tech-savvy), nor sexy enough to draw public attention.
But currently I can’t install promises, Alessio. I can’t install something that’s not here, and the thing that is here I found lacking. You admitted that too… after 65 retries to extract facts, not promises or hopes.
Hardware (physical or virtual) can’t boot a “yet”.
Where is the IPS functionality? Or is this missing?
Unfortunately it looks like NS8 is a big step backward from NS7, which was a highly integrated, feature-rich platform administered with a consistent interface. Now lots of features are missing, firewall features are missing, and there is no consistent interface.