On Fri, Apr 19, 2019 at 2:21 PM Nikos Mavrogiannopoulos <n.mavrogiannopoulos@xxxxxxxxx> wrote:
> On April 18, 2019 3:27:53 PM UTC, Daniel Lenski <dlenski@xxxxxxxxx> wrote:
> >
> >3. OpenConnect currently supports the three most widely-deployed SSL
> >VPNs in the USA (AnyConnect, Juniper, and GlobalProtect, in that
> >order) based on my attempts to survey a bunch of S&P 500 companies and
> >university websites using what-vpn
> >(https://github.com/dlenski/what-vpn). Microsoft SSTP and Barracuda
> >appear to be the next most common. I wasn't able to find enough
> >examples of SonicWall VPNs to add a reliable "sniffer" for them, but I
> >suspect it's a fairly niche/rare VPN.
>
> These are quite interesting figures even if crude. Does this search
> cover openvpn or ipsec use?
>

It's TLS only, including OpenVPN over TLS, but definitely not IPSEC.
(Adding sniffing methods for non-TLS-based VPNs is on my TODO list,
although ike-scan already does that pretty well:
https://github.com/dlenski/what-vpn#todo)

Basically, I took a bunch of likely VPN servers for big companies
({ssl-vpn,vpn,sslvpn}.bigcorp.com) and for US universities
({ssl-vpn,vpn,sslvpn}.university.edu) and ran what-vpn on all of 'em.
Here's a lightly cleaned-up summary of the results:

      1 Check Point
      1 Citrix (manually inspected, don't know how to reliably autodetect)
      1 OpenVPN
      5 Dell or SonicWall (manually inspected, don't know how to reliably autodetect)
      7 Fortinet
      7 Barracuda
      8 F5 (manually inspected, don't know how to reliably autodetect)
     14 SSTP
  *  53 PAN GlobalProtect (portal and/or gateway)
  *  72 Juniper Network Connect
  * 243 Cisco AnyConnect (including 1 ocserv)
  ~4000 DNS error, TLS error, timeouts, some page that's not a VPN front-end, etc.

Assuming these results to be roughly representative of deployment of
"SSL VPNs" in general, it seems that OpenConnect already supports >80%
of SSL VPN servers.

I would guess that the total number of IPSEC-based VPNs is /at least
as large/ as the total number of SSL VPNs.
- Microsoft SSTP is a nigh-obsolete monstrosity in which PPP is glommed
  onto a TLS v1.0 transport, and it is actually pretty well-supported
  via Linux kernel ppp with sstp-client
  (http://sstp-client.sourceforge.net/).
- AFAICT, CheckPoint is really "all IPSEC", with a very thin TLS
  compatibility veneer
  (https://gitlab.com/openconnect/openconnect/issues/13#note_128429733)
- OpenVPN obviously has good open-source clients, even though I prefer
  the hackability and configurability of OpenConnect.

If OpenConnect's goal is to allow connecting to nearly all the
commercial SSL VPNs using a user-space open-source front end, then F5,
Barracuda, Fortinet, and Dell+SonicWall are the obvious next protocols
to target. I'm not 100% sure that all of these actually provide generic
end-to-end IP connectivity… anything that doesn't probably should be
excluded.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
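The survey method Dan describes (expand {ssl-vpn,vpn,sslvpn}.DOMAIN for a list of domains, run what-vpn against each host, tally what comes back) as an added shell example. This is editorial illustration, not code from the mail or from the what-vpn project. It assumes `what-vpn` is on PATH, that coreutils `timeout` and `xargs -P` are available, and that what-vpn prints one "host: result" line per host; the sample result lines in the usage note are constructed, not real survey output.

```shell
#!/bin/sh
# Added example (not from the original mail or from what-vpn).
# Reproduces the survey procedure: build candidate VPN hostnames,
# probe each one, tally the detected VPN types.

# candidates DOMAIN...: print ssl-vpn./vpn./sslvpn. hostnames for each
# domain, one per line (the three prefixes used in the mail).
candidates() {
    for d in "$@"; do
        for p in ssl-vpn vpn sslvpn; do
            printf '%s.%s\n' "$p" "$d"
        done
    done
}

# probe: read hostnames on stdin, run what-vpn on each (8 in parallel),
# with a hard 20 s timeout so dead hosts don't stall the run. Hosts
# where what-vpn fails or times out are recorded as "host: error".
# ASSUMPTION: what-vpn is on PATH and prints one "host: result" line.
probe() {
    xargs -P 8 -I{} sh -c \
        'timeout 20 what-vpn "$1" 2>/dev/null || printf "%s: error\n" "$1"' \
        _ {}
}

# tally: read "host: result" lines on stdin and print a count per
# distinct result, most common first (same shape as the list in the
# mail). Everything after the first colon is the result column.
tally() {
    cut -d: -f2- | sed 's/^ *//' | sort | uniq -c | sort -rn
}

# Usage (not run automatically):
#   candidates bigcorp.com university.edu | probe | tee results.txt | tally
```

Because the tally only keys on the text after the first colon, any sniffer that prints "host: result" lines can be dropped in place of what-vpn (for example an ike-scan wrapper for the IPSEC side the mail says is not covered), and re-running `tally < results.txt` on saved output is cheap.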