[kwlug-disc] firewall question
cedric at thinkers.org
Tue Feb 17 19:46:42 EST 2009
For a current client, we are using OpenVPN between all the sites (UK,
France, US, Canada, Japan, China, Korea, etc.), and for all roaming
users (a couple hundred).
That being said, the OpenVPN system predates my involvement with the
company -- I've just been participating in supporting it (having been
part of deploying to about 70 users, I have to say that it was a
pleasure to work with). I far prefer it in most respects over Cisco
VPN Client, Secure Remote, PPTP, L2TP and so on.
The user space tools lack some of the polish that you might find in
some of the hard-core commercial products (at least, for Windows and
Mac users. It's right on par with Cisco VPN client under linux
though.), but the capabilities and performance you get in exchange are
very cool (Cisco's bias against multi-hop VPN architectures -- not an
issue. Totally NAT Friendly -- Yes! Super easy to monitor and debug
-- Yes. Low VPN tunnel overhead -- Yes.)
The only thing that I don't like is that it's hard to find it embedded
in an appliance, whereas IPSEC is found in *everything* (and is a
comparative nightmare to debug, is only NAT friendly with proprietary
extensions, and has more complicated routing issues).
In my experience, even a heavy-weight general purpose Linux server
cannot touch the super-low latencies that even basic hardware-
optimized gateways (like Juniper) have. Granted they are fast enough
at turning packets around that it's not *that* big a deal, but there
is "something" about a ultra-low latencies that give everything a
really nice snappy feeling (even if there isn't that much bandwidth).
Bottom line: If running Linux based VPN concentrators/Firewall boxes
is an option for you, then I highly recommend checking OpenVPN out.
I don't really have much to add that's not covered in the online docs
and stuff -- you just create a mini Certificate Authority to generate
certs for your end-points, sort through your particular networking
details to come up with appropriate config files (all per the various
examples and instructions that are available).
On 17-Feb-09, at 7:19 PM, L.D. Paniak wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> unsolicited wrote:
>> e.g. Suppose you set up VPN for a laptop user. And the laptop gets
>> stolen. The issues around the technology become much bigger than the
>> technology itself.
> In OpenVPN, if someone steals a laptop, you just revoke the
> corresponding key (for key-based access) and restart the daemon
> (http://openvpn.net/index.php/documentation/howto.html#quick )
> Since each user has their own key, you can selectively 'turn off'
> without disrupting the whole system. Just make sure your user lets you
> know the laptop is missing in a timely manner!
> OpenVPN is easy to install: It is packaged for any reasonable distro
> there is a customizable Windows system for producing installers that
> MS user would be comfortable with.
> I'm sure you will find plenty of automation goodness to talk about
> you give your OpenVPN talk :)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> -----END PGP SIGNATURE-----
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
| CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
| 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-489-0478
Cedric Puddy, IS Director cedric at thinkers.org
PGP Key Available at: http://www.thinkers.org/cedric
More information about the kwlug-disc