1. anon(2729369)'s Avatar
    Please, please, please BlackBerry do not implement PPTP/L2TP on your nice new OS.
    VPNs can be used for some to stream media and for that purpose, PPTP works very well. Data privacy is not always a requirement.
    05-15-13 04:18 AM
  2. Nharzhool's Avatar
    Er mo, I know exactly what I'm talking about and it would appear that you are the confused person here.

    Since when is a brute force attack an exploit? What is the total key extent of AES 256-bit? Don't you think that the NSA and such like not only have every single possible key in a database, but also have a very sophisticated algorithm for testing the keys in a probability priority cascade on machines that can perform billions of tests per second.

    As for citations, what evidence do you have that there is no backdoor? I suggest to search algorithm based analysis attacks carried out by the industry and you will soon see that the backdoor was discovered several years ago by some of the best brains in cryptography.

    Next time don't ask me to cite. Do your own research. I don't even know if you are capable of understanding the evidence so why would I cite it. After all you think I get confused between AES and SSL where one is a standard and the other is a protocol. Duh!

    Posted via CB10
    Firstly...What you stated there isn't a Brute Force attack. A 128-bit AES encryption takes 1 Billion Billion years to crack with a supercomputer on brute-force: How secure is AES against brute force attacks? | EE Times

    Since 256 is 2^128 times more complex...then it makes sense that it won't take 2.5 hours for a brute-force attack to crack.

    Also, lack of disproving evidence doesn't mean that something exists. Just because you can't find proof that I specifically don't have 17 stomachs, doesn't mean that I do.

    Also, an Algorithm-based analysis attack IS NOT BRUTE FORCE...

    Anyway, WAY off topic...OpenVPN is more convenient than having to buy specific hardware for a home VPN. Though you could just use StrongSwan and BB10 works with the IKEv2 VPN options with it. You can find it here: Strongswan VPN and the Playbook | Richard Wall

    I haven't been able to find a Windows-Based one that I can setup and run from home that doesn't require me redirecting through third party servers...
    09-13-13 08:33 PM
  3. Omnitech's Avatar
    OpenVPN is more convenient than having to buy specific hardware for a home VPN. Though you could just use StrongSwan and BB10 works with the IKEv2 VPN options with it. You can find it here: Strongswan VPN and the Playbook | Richard Wall

    I haven't been able to find a Windows-Based one that I can setup and run from home that doesn't require me redirecting through third party servers...

    Perhaps because most security geeks don't run Windoze.

    There are various free turnkey *nix things you can install on your existing commodity router that provide IPSEC VPN capability, some of which incorporate S/WAN. Couple of examples:

    • Zeroshell
    • pfsense
    • Zentyal
    09-16-13 10:47 PM
  4. Omnitech's Avatar
    09-16-13 10:54 PM
  5. Nharzhool's Avatar
    Some Windoze HowTo's for IPsec among others:

    How to Create a VPN Server on Your Windows Computer Without Installing Any Software - Not supported by BB10
    Elastichosts | Tutorials | Windows L2TP/IPsec VPN Server - Not supported by BB10
    Five Best VPN Tools - Not supported by BB10
    How (and why) to set up a VPN today | PCWorld - Not supported by BB10
    Are they actually solutions because they either use PPTP, hardware or IPSec? Though, from what I can tell, BB10 only supports IKEv2 for a software VPN.

    I'm not claiming to be some sort of "security geek"...I'm actually an MS Tech specializing in Server Solutions. Though I'm not feeling up to setting up a Linux/Unix IKEv2 server at home (Especially since my home server mobo just died), NOR an MS RRAS IKEv2 server (Though the eval license would mean I need to reinstall every 6 months).

    I'm actually surprised that there aren't any IKEv2 free Windows apps for this...though I understand why, I suppose.

    Maybe when my mobo is fixed, I will run Win Blue with a FreeBSD VM with StrongSwan...that would work.
    09-17-13 04:10 AM
  6. iffi shono's Avatar
    Posted via CB10
    09-17-13 07:47 AM
  7. anon(2729369)'s Avatar
    I think they've heard us, but let's wait for confirmation from multiple sources. I'm just hoping we won't have to wait until Live next year...
    09-17-13 09:19 AM
  8. Omnitech's Avatar
    Are they actually solutions because they either use PPTP, hardware or IPSec? Though, from what I can tell, BB10 only supports IKEv2 for a software VPN.

    Actually I thought some of those things were something they are not, turns out some of them are client-only and some of them only support L2TP. My bad.

    Personally what I would do is buy a used Netscreen or Sonicwall firewall from ebay for $50 and use its built-in IPsec VPN facility.

    Way better security than most of the toys sold for home networks these days (assuming a relatively modern OS is on there), though the older models have limited throughput which could be an issue if you expect 25mbps VPN performance or something. (Not that that would likely be possible on most modern home routers either, in practice.)
    09-17-13 12:16 PM
  9. Richard Buckley's Avatar
    Actually I thought some of those things were something they are not, turns out some of them are client-only and some of them only support L2TP. My bad.

    Personally what I would do is buy a used Netscreen or Sonicwall firewall from ebay for $50 and use its built-in IPsec VPN facility.

    Way better security than most of the toys sold for home networks these days (assuming a relatively modern OS is on there), though the older models have limited throughput which could be an issue if you expect 25mbps VPN performance or something. (Not that that would likely be possible on most modern home routers either, in practice.)
    Good advice if one is wanting to VPN to somewhere that one controls. Cisco makes a range of SoHo routers that provide IPSec endpoints for those who aren't happy with the idea of used hardware. At a few times the cost. I am currently debating your solution, or the purchase of a Cisco unit, but it is hard to justify when my current system provides OpenVPN already. I live in hope, there are indications in the 10.2 API that there is some reason to hope.

    Unfortunately your advice doesn't solve the growing problem where people have to connect with campus VPS servers that provide PPTP and L2TP (for mobiles) and OpenVPN.

    I guess BlackBerry has to decide where in the market they stand. If they are still only interested in supporting big corporate users who will have access to IPSec servers then we will never see OpenVPN. But if they are also after the SoHo and consumer markets then they pretty much have to do something, even if that is only providing the tools for someone else to build an OpenVPN application.
    09-17-13 12:56 PM
  10. Omnitech's Avatar
    Unfortunately your advice doesn't solve the growing problem where people have to connect with campus VPS servers that provide PPTP and L2TP (for mobiles) and OpenVPN.

    I guess BlackBerry has to decide where in the market they stand. If they are still only interested in supporting big corporate users who will have access to IPSec servers then we will never see OpenVPN. But if they are also after the SoHo and consumer markets then they pretty much have to do something, even if that is only providing the tools for someone else to build an OpenVPN application.

    Correct me if I'm wrong here, but AFAIK NONE of the competing smartphone platforms have native OpenVPN support either.

    Sure, there are apps for those platforms that do that, but there could be OpenVPN apps for BB10 most likely too. It's no more BlackBerry's fault for that than it is Microsoft or Apple or Google's fault that they don't bother to bake OpenVPN support into their OS natively either.
    09-17-13 01:25 PM
  11. anon(2729369)'s Avatar
    Correct me if I'm wrong here, but AFAIK NONE of the competing smartphone platforms have native OpenVPN support either.
    https://play.google.com/store/apps/d...penvpn.openvpn

    OpenVPN Connect is the official full-featured Android VPN client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.
    Features:
    * Supports Ice Cream Sandwich, Jelly Bean and higher. Does NOT require a rooted device.
    * Easily import .ovpn profiles from SD card, OpenVPN Access Server, Private Tunnel or via a browser link.
    * Improved power management - preferences setting allows VPN to pause in a low-power state whenever screen is blanked or network is unavailable.
    * Android Keychain integration - OpenVPN profiles may reference a cert/key pair in the Android keychain.
    * Supports hardware-backed keystores (such as on the Nexus 7)
    * Support for multi-factor authentication using OpenVPN static and dynamic challenge/response protocols.
    * Full IPv6 support (at both the tunnel and transport layer)
    09-17-13 01:30 PM
  12. Omnitech's Avatar
    https://play.google.com/store/apps/d...penvpn.openvpn



    OpenVPN Connect is the official full-featured Android VPN client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.
    Features:
    * Supports Ice Cream Sandwich, Jelly Bean and higher. Does NOT require a rooted device.
    * Easily import .ovpn profiles from SD card, OpenVPN Access Server, Private Tunnel or via a browser link.
    * Improved power management - preferences setting allows VPN to pause in a low-power state whenever screen is blanked or network is unavailable.
    * Android Keychain integration - OpenVPN profiles may reference a cert/key pair in the Android keychain.
    * Supports hardware-backed keystores (such as on the Nexus 7)
    * Support for multi-factor authentication using OpenVPN static and dynamic challenge/response protocols.
    * Full IPv6 support (at both the tunnel and transport layer)

    That is "official" in the sense it is written by the people who wrote OpenVPN. It is not "official" or "native" as in written by and officially supported by Google as part of the Android OS.
    09-17-13 01:57 PM
  13. Omnitech's Avatar
    Has anyone actually asked the OpenVPN people why they don't write an OpenVPN client app like that for BB10?
    09-17-13 01:59 PM
  14. anon(2729369)'s Avatar
    That is "official" in the sense it is written by the people who wrote OpenVPN. It is not "official" or "native" as in written by and officially supported by Google as part of the Android OS.
    You said native :P
    Anyway, Google did what it had to do, it provides a base class for apps to build their own VPN solutions (since API level 14).

    Has anyone actually asked the OpenVPN people why they don't write an OpenVPN client app like that for BB10?
    The first thing to do would be to ask BlackBerry why they don't offer an API, but I guess they don't trust devs when it comes to security.
    09-17-13 02:04 PM
  15. Omnitech's Avatar
    The first thing to do would be to ask BlackBerry why they don't offer an API, but I guess they don't trust devs when it comes to security.

    Tbh I can easily understand such a stance. Why should they trust some unknown entity to place deep hooks into the OS's networking functionality as a way of selling a "security" solution that may turn out to be full of holes, vulnerabilities or exploits? Unlike most of their competition, Blackberry could suffer a lot more reputational damage for allowing that to happen.

    No one even expects Android to be a secure OS.

    Though I don't see why Blackberry doesn't just stipulate that in order for organizations using the devices to maintain an approved level of security, they cannot employ 3rd-party VPNs on the device. They have made compromises like that for BB10 all over the place, and often for a far more fuzzy potential payoff.
    09-17-13 02:19 PM
  16. anon(2729369)'s Avatar
    Though I don't see why Blackberry doesn't just stipulate that in order for organizations using the devices to maintain an approved level of security, they cannot employ 3rd-party VPNs on the device. They have made compromises like that for BB10 all over the place, and often for a far more fuzzy potential payoff.
    Exactly. Let the user choose. Same for s/mime and other features they think users don't need.
    They could provide /dev/tun and let OpenVPN add everything else in an app.
    09-17-13 02:30 PM
  17. Omnitech's Avatar
    Exactly. Let the user choose. Same for s/mime and other features they think users don't need.
    They could provide /dev/tun and let OpenVPN add everything else in an app.

    Then of course the question would be whether the OpenVPN people would consider the effort of writing such an app worthwhile, considering the small userbase.

    I thought perhaps Firefox OS would have OpenVPN support built-in, but it appears that it doesn't have any VPN support yet.

    Same for Tizen, though apparently there may be a 3rd-party OpenVPN client available.

    So other than perhaps a future Ubuntu for Smartphones release, I think that pretty much wraps up all the significant smartphone platforms in terms of native OpenVPN support.
    09-17-13 02:52 PM
  18. Nharzhool's Avatar
    Actually I thought some of those things were something they are not, turns out some of them are client-only and some of them only support L2TP. My bad.

    Personally what I would do is buy a used Netscreen or Sonicwall firewall from ebay for $50 and use its built-in IPsec VPN facility.

    Way better security than most of the toys sold for home networks these days (assuming a relatively modern OS is on there), though the older models have limited throughput which could be an issue if you expect 25mbps VPN performance or something. (Not that that would likely be possible on most modern home routers either, in practice.)
    Haha it isn't important enough for me to purchase hardware. Which is the very reason I wanted to use a software app for it.

    Anyway, 25mbps in South Africa? HA! A while away for people who aren't in Sandton.

    Meh, until my mobo is fixed and can build a FreeBSD box with Strongswan, it looks like no VPN for me. :-P

    Mmmm...CB10! Just the tip though...
    09-17-13 06:53 PM
  19. Omnitech's Avatar
    Haha it isn't important enough for me to purchase hardware. Which is the very reason I wanted to use a software app for it.

    Anyway, 25mbps in South Africa? HA! A while away for people who aren't in Sandton.

    Didn't know you were in SA. One less reason not to get one of those HW devices.


    Meh, until my mobo is fixed and can build a FreeBSD box with Strongswan, it looks like no VPN for me. :-P

    Why not just run either StrongSWAN or pfsense in a BSD/Linux/etc VM under VirtualBox or something?
    09-17-13 07:11 PM
  20. Nharzhool's Avatar
    Didn't know you were in SA. One less reason not to get one of those HW devices.





    Why not just run either StrongSWAN or pfsense in a BSD/Linux/etc VM under VirtualBox or something?
    That's what I'm planning on doing...when I get a new motherboard. :-P

    Actually gonna do it under VMWare Workstation. Perks of being a VMWare engineer!

    Haha, you know the Internet isn't MORE dangerous here? Just a lot more expensive. :-P

    Mmmm...CB10! Just the tip though...
    09-17-13 07:18 PM
  21. Omnitech's Avatar
    That's what I'm planning on doing...when I get a new motherboard. :-P

    Hold on a sec - weren't you complaining that there weren't any free IKEv2 servers for Windows? If you're already running Windows why not just run VirtualBox on it? RAM limitation?


    Actually gonna do it under VMWare Workstation. Perks of being a VMWare engineer!

    Speaking of VMware perks, do they have some sort of professional trial program like MS Technet? I called someone at the headquarters about that but have to follow up with them because I never got a straight answer. The free ESXi has a lot of showstopper limitations, like all the backup/remote command-line APIs/functions removed.
    09-17-13 07:28 PM
  22. Nharzhool's Avatar
    Hold on a sec - weren't you complaining that there weren't any free IKEv2 servers for Windows? If you're already running Windows why not just run VirtualBox on it? RAM limitation?





    Speaking of VMware perks, do they have some sort of professional trial program like MS Technet? I called someone at the headquarters about that but have to follow up with them because I never got a straight answer. The free ESXi has a lot of showstopper limitations, like all the backup/remote command-line APIs/functions removed.
    Yeah, RAM limits (among other limitations :-P). I was just using a POS desktop at home as my server so I couldn't run a VM on top of it but I can once I get my new mobo.

    VMWare do offer evaluation keys if you want to setup your own host but unless you have impressive hardware and are planning on nesting the VMs, it requires more PCs than I have. :-P

    As far as I know, the Eval keys have full functionality...I don't remember seeing any limitations but I only ever used the Eval keys to mess around with at home where I didn't even get around to those things you listed.

    I originally complained that there were no free IKEv2 VPN systems for Windows and then a couple days later, my motherboard died...so now that I'm being forced to get a more powerful PC, I'm just going to run a FreeBSD VM (though I still want an IKEv2 Windows system).

    Mmmm...CB10! Just the tip though...
    09-17-13 07:52 PM
  23. Omnitech's Avatar
    VMWare do offer evaluation keys if you want to setup your own host but unless you have impressive hardware and are planning on nesting the VMs, it requires more PCs than I have. :-P

    As far as I know, the Eval keys have full functionality...I don't remember seeing any limitations but I only ever used the Eval keys to mess around with at home where I didn't even get around to those things you listed.

    I don't really do much with VMware except on servers, so at this point it would be on various permutations of multi-core Xeon servers, anywhere from 2 dual-core CPU boxes to 2 quad-core CPU boxes.

    The problem with the free ESXi is that a lot of the functionality to support backup and things like UPS signalling are missing in the free versions, and running VMs without backup or UPS signalling support on boxes that run 24x7 is a really bad idea.

    I also have a copy of VMware workstation, but the original thing I wanted to use it for didn't work. (An XP VM of my old laptop image running under VMW on my new laptop - XP wouldn't run because that Thinkpad version of XP was "BIOS-locked" to the old Thinkpad and won't run under VMware workstation. I've seen workarounds for this with VirtualBox - ie some sort of BIOS spoofing - but nothing for VMW. And I haven't gotten around to playing with the OS to make it work, ie by doing a "repair install" or somesuch, but not holding my breath on that either.)
    09-17-13 08:12 PM
  24. Nharzhool's Avatar
    I don't really do much with VMware except on servers, so at this point it would be on various permutations of multi-core Xeon servers, anywhere from 2 dual-core CPU boxes to 2 quad-core CPU boxes.

    The problem with the free ESXi is that a lot of the functionality to support backup and things like UPS signalling are missing in the free versions, and running VMs without backup or UPS signalling support on boxes that run 24x7 is a really bad idea.

    I also have a copy of VMware workstation, but the original thing I wanted to use it for didn't work. (An XP VM of my old laptop image running under VMW on my new laptop - XP wouldn't run because that Thinkpad version of XP was "BIOS-locked" to the old Thinkpad and won't run under VMware workstation. I've seen workarounds for this with VirtualBox - ie some sort of BIOS spoofing - but nothing for VMW. And I haven't gotten around to playing with the OS to make it work, ie by doing a "repair install" or somesuch, but not holding my breath on that either.)
    Yeah but fortunately the type of people who get a free version of VMWare don't exactly have all the fancy hardware that needs support.

    Pity you didn't run "Sysprep /generalise" on that old XP machine before slapping it in a VM. Though there might be a way to still do that...I've never needed to mess around with a post-transfer Sysprep.

    We are, however getting VERY sidetracked from the thread topic. :-P

    Mmmm...CB10! Just the tip though...
    09-17-13 08:25 PM
  25. Omnitech's Avatar
    Looks like the leaked version of 10.2.1 has limited OpenVPN support.

    http://forums.crackberry.com/bb10-le...a100-x-856794/


    Quoting:

    "OpenVPN makes an appearance (No UI)"
    10-03-13 04:57 PM