[wellylug] Router piercing
Jim Cheetham
jim at gonzul.net
Tue Dec 13 13:37:09 NZDT 2005
On Mon, Dec 12, 2005 at 11:51:23PM +0000, Jamie Dobbs wrote:
> On 12/12/2005, "Jim Cheetham" <jim at gonzul.net> wrote:
> >I agree that "a VPN" is the right answer. But I strongly disagree that
> >IPSec is the right VPN.
>
> Would you care to say what you would choose rather than IPSec and why
> you would choose it over IPSec?
I had already identified my preference in a previous post to this
thread. OpenVPN, http://openvpn.net
It stays out of the kernel by utilising the user-space tap/tun drivers,
and encryption is provided by SSL. It also has a whole bunch of other
features, which would probably be beyond the OP's requirements -
certificate based authentication, adaptive compression, endpoint
load-balancing and auto re-establishment of connections.
It doesn't play in the same space as IPSec - it encapsulates the IP
frames, rather than modifies them, and consequently has far less trouble
with dynamic IP and NAT environments.
(Disclaimer - I spent 6 months running a Linux/software IPSec
implementation a couple of years ago. I wasn't very successful. I see
the space where IPSec can be used successfully, and I don't believe it's
where you use a general-purpose computer as an endpoint - such as your
typical Linux box at home)
OpenVPN is pretty easy (for a VPN) to set up and install. If you don't
understand IP networking, setting up any VPN yourself will be difficult,
because you have to make a number of decisions about numbering, routing
and firewall security, as well as authentication policies. But given
that you can figure these out, OpenVPN is easy.
It's also reliable and stable, and runs on "all" OSs - "Linux, Windows
2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris."
I can't answer for any cryptographic criticism of its selection of
algorithms, but note that the whole job is handed to an external
provider, currently OpenSSL. I know that financial institutions accept
SSL as being adequate for credit-card level transactions, of course. I
don't know how much further trust is given, but I suspect that it's good
enough and not a case for concern :-)
These features are not exclusive to OpenVPN - IPSec covers much of the
same ground. It's just my opinion that IPSec is a terribly difficult
install/configure, and one that has far-reaching and subtle impacts on
your networking environment. Perhaps it's gotten better in the last
couple of years, but I doubt it.
For personal use, I don't bother with OpenVPN - I'm happy with ad-hoc
ssh tunnels and occasional stunnel usage. These have a low overhead for
setup, but require the user to know a little bit about what they are
doing. I set up OpenVPN for business users, where we can't supportably
anticipate the type of usage the connection will get, but instead
provide a "just like being on the local LAN" service [caveat: except
for bandwidth, and CPU load on the server, that is].
But hey - the whole point of being Linux geeks is to learn stuff, right?
So I submit that using OpenVPN to service a wireless LAN, and to provide
server-to-server connections over the Internet, is a good thing to do.
-jim
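The post lists the decisions a VPN install forces on you (numbering, routing, firewalling, authentication policy) and the OpenVPN features it likes (certificate authentication, adaptive compression, multiple endpoints, automatic re-establishment). As an added illustration that is not part of the original message, here is a minimal server and client configuration pair that makes each of those decisions explicit. The hostnames (vpn1/vpn2.example.net), file paths, the 10.8.0.0/24 tunnel subnet and the 192.168.1.0/24 LAN behind the server are assumptions; every directive used is a documented OpenVPN option.

```conf
##### server.conf (constructed example; paths, addresses and hostnames are assumptions)
port 1194
proto udp
dev tun                                  # layer-3 tunnel: IP packets are encapsulated, not rewritten
ca   /etc/openvpn/pki/ca.crt             # authentication policy: only certs signed by this CA may connect
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key 0       # HMAC on the control channel; unauthenticated packets are dropped early
server 10.8.0.0 255.255.255.0            # numbering decision: the subnet the tunnel itself uses
push "route 192.168.1.0 255.255.255.0"   # routing decision: the LAN clients may reach through the tunnel
keepalive 10 120                         # ping every 10 s, restart after 120 s of silence: re-establishment
comp-lzo                                 # adaptive LZO compression (deprecated since OpenVPN 2.4; 'compress' replaces it)
user nobody                              # drop privileges after the tun device and keys are set up
group nogroup
persist-key                              # keep keys/tun across restarts so the unprivileged process can reconnect
persist-tun
verb 3
# Firewall decision (outside this file): permit UDP/1194 inbound to the server and
# forward traffic between tun0 and the LAN interface; nothing else needs to be opened.

##### client.conf (constructed example)
client
dev tun
proto udp
remote vpn1.example.net 1194             # endpoint list; with remote-random the client picks one at random
remote vpn2.example.net 1194
remote-random
resolv-retry infinite                    # keep retrying DNS/connection, e.g. after a dynamic-IP change
nobind                                   # no fixed local port, so NAT in front of the client is fine
ca   ca.crt
cert laptop.crt
key  laptop.key
tls-auth ta.key 1
remote-cert-tls server                   # refuse peers whose certificate is not marked as a server cert
comp-lzo
persist-key
persist-tun
verb 3
```

The two lines worth singling out from a security standpoint are `tls-auth`, which means a packet that does not carry the shared HMAC never reaches the TLS code at all, and `remote-cert-tls server`, which stops a client from accepting any other certificate signed by the same CA (for example another client's) as if it were the server.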