why is ssl not enabled per default in vpnc

Asked by Thomas Bechtold


i want to use vpnc on university but i need ssl enabled. It's not enabled in the ubuntu hardy package.

It's easy to enable (edit the Makefile and comment out 2 lines) and my question is, why it isn't enabled by default.

Question information

English Edit question
Ubuntu vpnc Edit question
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Philipp Bönhof (phboe-launchpad) said :

Can't you use just ssh then to open a tunnel to your university?

Revision history for this message
Thomas Bechtold (toabctl) said :

I don't know. I followed the Howto from my university (the howto is in german).

My /etc/vpnc/default.conf looks like this:

IPSec gateway vpn.fhtw-berlin.de
IPSec ID fhtw_ipsec
IPSec secret ******
IKE Authmode hybrid
CA-FILE /etc/ssl/certs/deutsche-telekom-root-ca-2.pem
Xauth username *****
Xauth password *****

When i start vpnc with "sudo vpnc-connect", i got the following error:
vpnc-connect was built without openssl: Can't do hybrid or cert mode.

I can download the source with apt-get source vpnc, then edit the Makefile and then build the package with "dpkg-buildpackage". That works well.

But i found the reason why vpnc isn't compiled with ssl-support. It's documented in the Makefile:
"The license of vpnc (Gpl >= 2) is quite likely incompatible with the openssl license. Openssl is currently used to provide certificate support for vpnc (hybrid only)."

But can you give me a link how i can use ssh to open the vpn-connection?

Revision history for this message
Philipp Bönhof (phboe-launchpad) said :

As you correctly found out, vpnc is not compiled per default with openssl included because there are maybe problems with the licence.

If you successfully can adjust your sources and compile it with openssl, you should be able to use the command "sudo vpnc-connect" to connect.

At my university I don't always need a vpnc connection to connect to some computers remotely. Depending on the security level which is enforced there. Fortunately my university only requires "IKE DH ...".
There are still some machines which require a vpnc connection before I can use ssh to get a remote shell.
What I have to do in such cases are: 1. start vpnc, 2. start an ssh session.

I can't think of how you could tell ssh to automatically open the vpn connection for you.
If it works for you like it does for me you could setup you a script eg.

sudo vpnc-connect
ssh $@

Call it "my-uni-ssh" and then run it "./my-uni-ssh <arguments you would give to ssh in this case>". Or put it's directory into your $PATH variable and then you can call it with just "my-uni-ssh". Don't forget to make a "chmod u+x my-uni-ssh" to make it executable for your current user.
Anyway those two commands in the script are what I would do normally if I need a vpnc-connection before I can open the ssh session.

Hope this helps.

Revision history for this message
Hil (sargenthp) said :

So they made a once usable software unusable. Good idea there. It is hard enough to get people to switch to Linux as it is. Then break a software that is important to people that need to vpn. Real nice.

Revision history for this message
ChrisDavaz (cdavaz) said :

This is wrong... and there shouldn't be 'license' issues. openssl is free software. Even there were some issues (about exporting encryption and such) you could make two packages, one with SSL enabled and the other without. VPNC without SSL is useless to me.

Revision history for this message
Daniel Clemente (n142857) said :

The licensing of openssl (http://www.openssl.org/source/license.html) is dual, and both have an advertisement clause like the following:

 * 6. Redistributions of any form whatsoever must retain the following
 * acknowledgment:
 * "This product includes software developed by the OpenSSL Project
 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"

I imagine this is the clause that causes incompatibilities with most other free software. See http://www.gnu.org/philosophy/bsd.html for similar cases.
If OpenSSL switched to the revised BSD license, some problems would be spared.

Revision history for this message
Lucas Campa (lucas-campa) said :

It's a shame. Anyone knows a custom build?

Revision history for this message
Dr D J Clark (djc-online) said :

For custom build see http://www.publishing.ucl.ac.uk/roamnet.html
The RoamNet instructions are exclusive to UCL but you may find the vpnc_0.5.3-1_i386.deb useful.

Can you help with this problem?

Provide an answer of your own, or ask Thomas Bechtold for more information if necessary.

To post a message you must log in.