A DIY SSL VPN with SSL-Explorer - Part 1

July 21, 2006 2:32:44 PM

SSL-based VPNs are fast replacing difficult-to-configure IPsec and PPTP gateways. In Part 1 of a two part series, Phillip Howell shows you how to turn a spare Windows PC into a pretty slick SSL VPN server.

July 25, 2006 3:21:04 PM

Great article! I tried the SSL Explorer out on a Virtual PC, and on a home PC.

One thing I noticed....I had to copy the tools.jar file to the Java directory as well, or the "ant install" command would return an error (compile and install would complete just fine regardless, but would cause an issue later). Anyone else see this issue?

LA.
July 25, 2006 5:28:11 PM

I've had similar problems but even moving tools.jar to the /Java/lib directory did not help. The main install seemed to go fine, but when I tried 'ant install-service' I get the error message 'Buildfile: build.xml does not exist. Build failed'. I get the same error with 'ant start'.

I'm a total newbie to all this, so I'd appreciate if anyone has any other suggestions for getting SSL Explorer up and running.

Win2k SP4
Athlon 2500+
I MB RAM
Biostar Ideq N200

Thanks.
July 25, 2006 6:47:27 PM

Be sure your path statements and environment variables are set up correctly. And pay attention to the error you get when it cannot find the jar file...it will tell you where it expects to find the tools.jar.

Btw, once you copy the jar file to the correct location, you can run the "ant install" again, and it will do a watered-down install...simply confirming your pre-existing config options and giving you the chance to install other extensions.

LA.
July 25, 2006 7:28:15 PM

Thanks lajams.

The error message says it's expecting to find 'tools.jar' in the C:\Program Files\Java\jre1.5.0_7\lib\tools.jar directory. This looks like it's expecting a directory called 'tools.jar'.

Anyway I tried it by putting tools.jar in the C:\Program Files\Java\jre1.5.0_7\lib directory and also by creating a new subdirectory below that called 'tools.jar' and tried that too. Both seem to result in the 'unable to locate tools.jar' message disappearing but I still get the original error message about 'build.xml' not existing.

I also tried putting tools.jar in the 'Ant' directory as the article had said and it still doesn't work.

I'm pretty sure my environment variables are set up correctly, and I think the fact that the 'ant install' command worked shows that (no?).

So I'm confused. I'm getting error messages, and the explanatory error message about 'ant' suggests that the instructions in the article about where to put 'tools.jar' are incorrect.

Does anyone know the answer?

Thanks,
July 25, 2006 7:40:24 PM

pipkato,

Make sure you are in the SSL Explorer main directory when you run the ant commands (the ant commands will look for the build.xml file in the current directory)....lajams is right about the environment variables as well....Double check the environment variables to make sure that they are correct....you can echo %PATH% to check the PATH variable on Windows...be sure and watch for part 2 of the article which walks through setting up TightVNC access to your PCs through SSL Explorer...

kernelpacket
July 25, 2006 7:47:26 PM

pipkato,

The tools.jar file should actually be copied to the "lib" subdirectory (not a tools.jar subdirectory) of the JRE. This location is where ANT and SSL Explorer will look for tools.jar. So the error message you receive is actually correct. This should fix your problem.

kernelpacket
July 25, 2006 7:51:08 PM

Hello,

Just to say that I was able to get the 'ant install-service' and 'ant start' commands to work, but only after CDing to the 'sslexplorer-0.2.4' directory. So I presume I've done something wrong in my environment variables or my PATH command.

Anyway SSL Explorer is working fine now.

Thanks,
July 25, 2006 8:27:43 PM

Quote:
The tools.jar file should actually be copied to the "lib" subdirectory (not a tools.jar subdirectory) of the JRE. This location is where ANT and SSL Explorer will look for tools.jar. So the error message you receive is actually correct. This should fix your problem.

The error on page 4 of the article that kernelpacket referred to has been fixed. Specifically:

Then copy tools.jar from C:\Program Files\sslexplorer-0.2.4\sslexplorer\lib to C:\Program Files\Apache ANT\apache-ant-1.6.5\lib folder.


Has been changed to:

Then copy tools.jar from C:\Program Files\sslexplorer-0.2.4\sslexplorer\lib to C:\Program Files\JAVA\jre1.5.0_07\lib folder.


We apologize for the error.
July 25, 2006 8:27:50 PM

lajams,

Thanks for the heads up...I have included a link to the actual thread below:

http://sourceforge.net/forum/forum.php?thread_id=151422...

Apparently, the tools.jar copy step should not be necessary if you install the JDK instead of the JRE. Also, tools.jar is apparently needed primarily by Apache ANT. The SSL Explorer guys include it as a timesaver with the SSL Explorer distro in case you just have the JRE installed so that JAVA source will compile correctly.

kernelpacket
July 25, 2006 9:23:03 PM

Now that I have SSL Explorer up and running, can anyone point me at a URL with info on how to try it out? I've had a look at the PDF manual and could not make sense of it. It seems to have been written with the more experienced user in mind.

I know almost nothing about networks, and just want to use SSL Explorer for remote access. I've been able to set up an extra user, but can't understand how to help that user get onto my machine.

Should I be able to access it from a different machine on my network too? If so how do I do this? All I can see is that I have to use:

'https://(something here - an IP address?):443 (or whatever port I selected)'

Is this correct? If so what goes in the bracketed area? And what is all this stuff about 'certificates' that are trusted and untrusted? Will it work with the default setup outlined in the article?

Apologies to all those who understand these matters for what must seem like some incredibly basic questions.
July 25, 2006 9:28:02 PM

I didn't realise until after my last posting that my earlier question had generated so much traffic and suggestions, and that the page has since been corrected.

Thanks to all who offered their help.
July 26, 2006 2:40:30 PM

pipkato,

In response to your questions:

Yes, you should be able to use https://ipaddressofyourmachine to login to your machine from any other machine on your network....Port 443 is automatically assumed unless you specify differently....

Yes, the setup in the article will work. If the stuff in the PDF manuals is a little confusing then be sure and check out part 2 of the article which should be coming soon...Part 2 will explain how to take SSL Explorer and use it as a secure conduit to allow you to remotely control your PC with another open source tool called TightVNC...

Regarding certificates...A trusted certificate just means that you have paid a certificate authority (a CA like Verisign for example) to verify the authenticity of your certificate (i.e. that your site is exactly who it claims to be)...An untrusted certificate is just a certificate that you create on your own...For operational purposes of SSL Explorer either type of certificate is acceptable...

kernelpacket
July 26, 2006 7:18:47 PM

Thanks a lot kernelpacket. I'll have to read up some more on Trusted certificates.

Unfortunately the machine I set SSL Explorer up on is on my network but behind a Linksys wireless router and I couldn't access it. In fact since I put in this Linksys, I haven't been able to access other machines on my network either. Something else to be sorted :D  .

Do I understand from what you say that at present I can't access the SSL Server from another machine over the internet, and that I need the applications and information from Part 2 of the article to achieve this remote access?

Thanks.
July 27, 2006 5:56:48 PM

Quote:
Do I understand from what you say that at present I can't access the SSL Server from another machine over the internet, and that I need the applications and information from Part 2 of the article to achieve this remote access?

Thanks.

You probably read Part 2 already, but you will have to configure your router to forward port 443 requests to your SSL Explorer PC on your network. Then you will be able to connect from the Internet. :) 

LA.
July 27, 2006 6:51:39 PM

Thanks lajams,

No, I hadn't read Part 2, and didn't even know it was available yet. But just found it now, thanks.
July 28, 2006 12:24:03 AM

.............nEXT Extension Issue...........


Hi guys,

We got everything updated now and stepped through this document to configure our server. Seems like the Win2000 server we're running SSLExplorer on is having problems routing packets still, EVEN AFTER "IPEnableRouter = 1" is set and the LAN server we're trying to PING has a static route set for the ssl network address.

After establishing a connection of the client to SSL server here's what we are now stuck with.


>CLIENT:
>nEXT Adapter IP: 192.168.70.2
>PINGS FROM SSL CLIENT
>PING 192.168.70.1 OK
>PING 192.168.1.35 FAILS

>SSL SERVER:
>Server nEXT adapter IP:192.168.70.1
>Server LAN IP: 192.168.1.27
>PINGS FROM SSL SERVER
>PING 192.168.1.35 OK
>PING 192.168.70.2 OK

>LAN TEST SERVER:
>Test LAN W2k server IP: 192.168.1.35 {with static route ROUTE ADD 192.168.70.0 MASK 255.255.255.0 192.168.1.27}
>PINGS FROM Test LAN W2k server:
>PING 192.168.1.27 OK
>PING 192.168.70.1 OK
>PING 192.168.70.2 FAILS


Is there anything else special to get SSL Explorer working properly on a Win2000 server? Routing and Remote Admin service is disabled and if I try to enable it and see if it helps SSL fails to start.

Not sure what else to try. Any ideas?
I think we're very close here.
July 28, 2006 12:45:17 AM

Hi vinsoy,

Very important....Check and see if IIS webserver is running on Win 2000 machine....If it is then it will bind to port 443 (HTTPS) and not allow SSL Explorer to attach to and listen for connections on port 443...

kernelpacket
July 28, 2006 1:09:05 AM

Thanks kernelpacket, I will take a look at it....

Do you have an idea why I can't start the "SERVER INTERFACE" I created?

The error msg was: Failed to start interface 192.168.70.0/24. Failed to allocate channel: too many active channels


These are the logs I got:

09:02:05 INFO nEXTSessionManager - Starting server interface 1
09:02:05 INFO nEXTSessionManager - Server interface 1 provides network 192.168.70.0/24
09:02:05 INFO nEXTSessionManager - Retreiving reservation for localhost.192.168.70.0/24
09:02:05 INFO nEXTSessionManager - Creating server node using address 192.168.70.1 and MAC address 00:FF:DA:08:F4:97
09:02:05 ERROR NetworkExtensionPlugin - Failed to start session manager 192.168.70.0/24
August 1, 2006 3:18:13 PM

hi everyone!

Finished setting up the server. I have everything up and running, but when I create a new user the status shows that it is inactive, and when I try to login using that account I get the message "Failed to logon. You do not have permission to logon." What could be the problem?

thanks
August 2, 2006 9:09:34 PM

After I put in my password, TightVNC viewer window opens and within the TightVNC viewer window, it looks like multiple windows are opening. I'm using TightVNC server version 1.3dev7, viewer version 3.3.3r3 with Windows XP. Any help would be greatly appreciated. Thanks. This is what my problem looks like.
August 4, 2006 7:58:23 PM

rainmaker173,

Make sure you have logged in as the "super user" you created first and "activate" the user that you created...Should then allow you to logon...

kernelpacket
August 4, 2006 8:01:36 PM

trike203,

What you are experiencing is the "loopback" effect...What happens is that you are trying to control the same machine via the VNC client on which you are currently operating...Login via another machine on your network (a laptop for example) and you should not experience this behavior...This behavior is very much akin to a "feedback" loop in the world of audio...

kernelpacket
August 5, 2006 4:39:28 AM

I installed on one box just fine, then when I installed on my second box A the window does not pop up after the build; I have to access it by typing 192.168.0.5...... and so on. When I get to the "Install other extensions" screen it says there are no extensions available. Second, after I make sure the router is set up and the server is online, I am not able to access the sslexplorer window anymore with 192.168.0.5..... or localhost?????

justin
August 12, 2006 7:03:27 PM

It seems Part 1 of the article finishes very abruptly (I can only see 3 pages). I've been running the setup of SSLExplorer and there is so much configuration after the install that it seems odd for the author to have left it out. Just checking if there is something wrong with the article (i.e. somehow getting cut off) or if the author intended us to figure out how to set up SSLExplorer to the point where we can pick up Part 2.
Thanks!
August 12, 2006 9:15:18 PM

Other articles are broken as well, here page four. It seems to be a db issue.
August 17, 2006 2:42:36 AM

I set up everything and it appears to be working correctly, but when I try to remotely access the server, it won't forward to the computer with the SSL explorer...it keeps going to my router setup page by default...this is really annoying! What am I doing wrong??? TIA
August 17, 2006 12:53:31 PM

I downloaded Java "jre-1_5_0_08-windows-i586-p-iftw.exe", Apache ANT "apache-ant-1.6.5-bin.zip" and SSL Explorer "sslexplorer-0.2.7_02-src.zip".

Are these the right programs that I have downloaded?

I installed Java and then extracted Apache ANT into Program Files. Then I set the Environment Variables as follows:

Variable Name: ANT_HOME
Variable Value: %PATH%;%JAVA_HOME%\bin C:\Program Files\Apache ANT\apache-ant-1.6.5

Variable Name: JAVA_HOME
Variable Value: C:\Program Files\Java\jre1.5.0_08

Are these setup correctly?

Then I open up cmd and type in: "cd C:\Program Files\sslexplorer-0.2.7" After I got into this directory, I type in "ant install" but it returns " 'ant' is not recognized as an internal or external command, operable program or batch file." What's wrong with my procedures? Anyone know?
August 19, 2006 4:47:01 AM

Quote:

Then I open up cmd and type in: "cd C:\Program Files\sslexplorer-0.2.7" After I got into this directory, I type in "ant install" but it returns " 'ant' is not recognized as an internal or external command, operable program or batch file." What's wrong with my procedures? Anyone know?

I had the same problem and it was resolved after rebooting. I guess new system variables are not automatically loaded.
September 7, 2006 7:53:24 PM

I have the same problem surfboarder and lancemuz reported ('ant' is not recognized as...) but in my case, even after rebooting, the problem persists - 'ant' is not recognized as a command. If anyone has solved this problem, I will appreciate the help.
September 22, 2006 2:48:45 PM

tradesman,

Your problem with your box not being able to find ant sounds like it may not have been installed to the correct directory. If you set up the system variables just like they are described in the article then you will have to unzip the ant application into a new directory C:\Program Files\Apache ANT. Notice, you have to create this directory as it is not created automatically and then unzip the "ant.zip" file into that location. Only then will the variables work and will your machine be able to "find" ant.

KernelPacket
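
The checks this thread converges on (ANT_HOME and JAVA_HOME each naming one directory, an ant launcher on PATH, tools.jar as a file in the Java lib directory, build.xml in the current directory) can be run before `ant install`. This is an added example, not code from the article or the SSL-Explorer project; `preflight` and `make_layout` are hypothetical names and the directory tree is constructed in a temporary folder.

```python
import os
import tempfile
from pathlib import Path

def preflight(env, cwd):
    """Return the problems that would break 'ant install' or 'ant start'."""
    problems = []
    # ANT_HOME and JAVA_HOME must each name exactly one existing directory.
    for var in ("ANT_HOME", "JAVA_HOME"):
        value = env.get(var, "")
        if not value:
            problems.append(f"{var} is not set")
        elif "%" in value or os.pathsep in value:
            problems.append(f"{var} is not a single directory: {value}")
        elif not Path(value).is_dir():
            problems.append(f"{var} directory does not exist: {value}")
    # 'ant' is a recognized command only if a PATH entry holds its launcher.
    dirs = [d for d in env.get("PATH", "").split(os.pathsep) if d]
    if not any((Path(d) / n).is_file() for d in dirs for n in ("ant", "ant.bat")):
        problems.append("no ant launcher found on PATH")
    # Per the corrected article step, tools.jar is a file in JAVA_HOME/lib.
    if env.get("JAVA_HOME"):
        tools = Path(env["JAVA_HOME"]) / "lib" / "tools.jar"
        if tools.is_dir():
            problems.append(f"{tools} is a directory, expected a file")
        elif not tools.is_file():
            problems.append(f"tools.jar missing from {tools.parent}")
    # Ant looks for build.xml in the current directory.
    if not (Path(cwd) / "build.xml").is_file():
        problems.append(f"build.xml not found in {cwd}")
    return problems

def make_layout(root):
    """Create a constructed, correct install tree; return (env, source dir)."""
    ant, jre, src = (Path(root) / n for n in ("ant", "jre", "sslexplorer"))
    for f in (ant / "bin" / "ant", jre / "lib" / "tools.jar", src / "build.xml"):
        f.parent.mkdir(parents=True)
        f.touch()
    return {"ANT_HOME": str(ant), "JAVA_HOME": str(jre), "PATH": str(ant / "bin")}, src

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        env, src = make_layout(tmp)
        print(preflight(env, src))        # correct layout: no problems
        print(preflight(env, tmp))        # run from the wrong directory
        # ANT_HOME value as posted in the thread (PATH text pasted into it)
        env["ANT_HOME"] = r"%PATH%;%JAVA_HOME%\bin C:\Program Files\Apache ANT\apache-ant-1.6.5"
        print(preflight(env, src))
```

To check a real machine, call `preflight(os.environ, os.getcwd())` from the SSL Explorer source directory.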
September 22, 2006 2:56:37 PM

To all of you who have installed SSL Explorer...

3sp.com (the developer of SSL Explorer) has now made available a non-commercial (home/academic) license for the Enterprise edition of SSL Explorer. A significant difference between this edition and the Community edition is that although the Community edition is free it only provides port forwarding services. The Enterprise edition on the other hand includes a full blown network connection (just like an IPsec VPN client). This nEXT technology from 3sp allows your PC to behave just as if it were connected locally to the remote network. 3sp.com has set the price for this license @ $99USD. A true bargain indeed.

KernelPacket
September 28, 2006 12:06:52 PM

James said:
Quote:
I thoroughly enjoyed both parts of your article about SSL Explorer. I have tried to install it, but it fails to launch my browser and I cannot manually open the port in the browser. My last few lines in the command prompt differ from your screenshot. They look like:

install:

[java] String indexx out of range: -1

[java] java result: 2

BUILD SUCCESSFUL

I am using the same if not later versions of everything you have used. Do you have any suggestions for me?

Thanks for the great article!
November 20, 2006 2:20:17 PM

For your information this article is completely out of date. 3SP has released an executable installation program. There is no longer any need to compile java script. I wasted several hours trying to understand this, so hopefully this post helps others out.

Peace, Rolland