Hi,
I'm happy to see a new release of Wingate .... but ... any improvement on the VPN version ??
Is there a way to secure the first TLS/SSL handshake to reduce DoS capabilities? Having the IP + port + "VPN logical name" is all you need to get access to the authentication process of the server. All this information is easy to listen to and capture (all in "clear text"). Adding a kind of "ignition key" (as OpenVPN does with its ta.key) would permit pre-authenticating clients that connect and give them the right to authenticate to the VPN server. (Other clients trying to connect without the key would not be allowed to authenticate.)
I'm still having problems connecting more than 25 clients simultaneously to a "full mesh network". I don't really need a full mesh network. I have 5 datacenters to which all clients need to connect. I would like to keep the datacenters as "VPN clients" (only UDP packets incoming) and keep the VPN server away on its own Internet access, without any LAN.
It would be great to have 2 kinds of clients: "Normal clients" (...) and "Master clients" (to which any client of the master node can connect, if selected).
Tunnel creation could then offer another option:
- allow tunnel to Masternode Only
- allow tunnel to/from all MasterClients only (new option)
- allow tunnel to/from all nodes
Then, when a client connects to a MasterNode, it would be able to open VPNs to the MasterClients (data centers) only (and not to all of the other clients).
That would be a great functionality.
I'm also having problems with PAT (Port Address Translation) routers (Netgear, Bewan, ...). I wonder how clients learn the other clients' UDP port? Because when using these routers, it seems that some clients send UDP packets to the translated UDP port (which is not forwarded, but assigned by the router), and not to the 'normal UDP port' (the one that is forwarded). The result is that communication doesn't work until the local client sends packets to the other client; then the router opens a "network window" and packets can also come in, regardless of the "original" UDP port.
Best regards,
Happy Christmas.
Jeff
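The "ignition key" Jeff describes works the way OpenVPN's tls-auth does: every control-channel packet carries an HMAC under a pre-shared key, and the server drops anything untagged or replayed before it spends any TLS handshake work on it. The example below is added here and is not WinGate's or OpenVPN's code; the wire format (counter || payload || tag), the key and the window size are constructed for illustration.

```python
import hmac
import hashlib
import struct

# Constructed wire format for this example (not WinGate's or OpenVPN's):
#   packet = 8-byte big-endian counter || payload || 32-byte HMAC-SHA256 tag
# The tag covers counter || payload and is keyed with the pre-shared ignition key.
CTR_LEN = 8
TAG_LEN = 32
WINDOW = 64  # anti-replay window, in packets


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Client side: prepend a monotonically increasing counter, append the tag."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class HandshakeGate:
    """Server side: reject packets without a valid tag or with a replayed
    counter before handing anything to the TLS state machine."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = -1  # highest counter accepted so far
        self.seen = 0      # bitmask of accepted counters below self.highest

    def check(self, packet: bytes):
        """Return the payload if the packet is accepted, else None."""
        if len(packet) < CTR_LEN + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # constant-time compare so tag bytes cannot be guessed via timing
        if not hmac.compare_digest(expected, tag):
            return None
        counter = struct.unpack(">Q", body[:CTR_LEN])[0]
        if counter > self.highest:
            # slide the window forward; bit 0 marks the new highest counter
            shift = counter - self.highest
            self.seen = ((self.seen << shift) & ((1 << WINDOW) - 1)) | 1
            self.highest = counter
        else:
            offset = self.highest - counter
            if offset >= WINDOW or (self.seen >> offset) & 1:
                return None  # too old, or already accepted (replay)
            self.seen |= 1 << offset
        return body[CTR_LEN:]
```

Note that this only filters the control channel; it does not replace client certificates or the TLS handshake itself, it just stops unkeyed senders from reaching them.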