[kwlug-disc] Easy Software based VPN
unsolicited at swiz.ca
Wed May 7 20:23:42 EDT 2014
If you have users, you have user administration. It is what it is.
Something has to land on the client end; they will have to start/stop
it; thus there is something to explain.
Unless, like I said, you intend an always on solution - which you could
automate. However, as soon as it doesn't work (e.g. no internet
connectivity their end), you will get a call and have to explain something.
It would help us if you could tell us approximately how many users
you're talking about, and for what connectivity. e.g. File sharing vs
e-mail reading to your local e-mail server. And whether this is connect
from anywhere, homes, or a limited number of locations.
The time hardware dedicated devices really shine is site to site. Any
other scenario means users, and thus user learning curve to explain.
You could simplify some of this by having everyone use the same 'keys',
but you'll lose any audit trail in the process. Which may not matter -
if they have a userid/password for file access, that provides your
trail, if how they connected in the first place is not particularly
important. (And once compromised, you'll have to change everyone. e.g.
An employee leaving.)
You could trial this easily enough via OpenVPN and an OpenWRT box or
temporary PC. A VM even. From the trial you could determine the level of
user support required, frequency of use / value, and thus how many $
you're willing to throw at it.
One of the reasons I'll recommend Google things over FOSS / in house
stuff sometimes is because of the richness of internet content / help.
So, for example, Google Groups and Drive have their place (even if hosted
in the U.S. / subject to U.S. snooping) over mailman and Dropbox.
So, I can see where there are times that a dedicated 'Symantec' (?) VPN
box makes sense over OpenVPN. Ease of user self-help when they have
problems. e.g. The VPN GUI (e.g. Symantec?) 'help' choice in the GUI.
However, I have heard of cases where the world has moved on from
hardware solutions as initially implemented, making them into boat
anchors. e.g. VPN Clients available for XP, but not Win 7.
Boxes like pfSense, ddwrt, openwrt, etc., are in essence hardware
solution equivalents - regardless of the hardware, some software of some
sort, and thus a user interface, is being run. At least the former will
have a richer / easier security patch / future proof environment.
If you can tell us what resistance you encountered to pfSense, et al.,
perhaps we can help. There are, after all, equivalents to every hardware
dedicated device. In the end, it's all software.
No matter what you do, having users connect in an alternate manner is
'different', and thus something to be educated.
Perhaps that's the key here for you - ease of user experience. It's not
about the dedicated hardware back end, but ease of use of the software
client. Perhaps then the OpenVPN paid service makes as much sense as
anything - if the client is as easy to use as any proprietary solution.
Regardless of the back end, it's a one off, so whether it be installing
openvpn on a server or purchasing a hardware solution, six to one, half
a dozen to the other?
On 14-05-07 12:53 PM, Joe Wennechuk wrote:
> I am going to get a hardware device for this purpose. I don't want to
> end up having to support all of the user administration.
> What would be the best low cost hardware VPN for connecting windows
> clients? I am not sure If I want to use Cisco, and their VPN client.
> I was hoping I could find one that can use native windows tools to
> set up the VPN instead of some proprietary client software.
> My higher-ups don't want DDWRT, or pfSense.
>> Date: Mon, 5 May 2014 19:33:04 -0400 From: unsolicited at swiz.ca To:
>> kwlug-disc at kwlug.org Subject: Re: [kwlug-disc] Easy Software based
>> Less reliable? Either she works and you have connectivity, or you
>> don't. Whether client interfaces are user friendly, or encryption
>> is sufficient, is a different story. As is ease of setup, if any.
>> Most of the time, for most of the people, any encryption is more
>> than sufficient. (Anyone so interested probably can't break in any
>> time frame that matters.)
>> Let's remember that OpenVPN is a different beastie than IPSec, the
>> international standard. OpenVPN is more than sufficient most of
>> the time, but I understand there is a point at which it doesn't
>> scale very well. i.e. There is a tipping point where the simplicity
>> of setup of OpenVPN doesn't scale as well/simply, while IPSec is
>> apparently irritatingly complex to set up - but once implemented
>> scales almost endlessly, easily.
>> And there's a cost tradeoff in that too. OpenVPN, cheap or free,
>> IPSec non-trivial cost. In either case, most of the cost is in the
>> admin time to set up / maintain, not the fees charged. (Per user
>> basis.) And with developer fees/costs you get a more refined / user
>> friendly client end. (e.g. As I understand it, the proprietary
>> Cisco VPN solution.)
>> In the end, likely any encryption, even PPTP, will more than
>> suffice. If encryption is even needed. (And even that is less often
>> than commonly thought.)
>> "Due to the major security flaws, there is no good reason to choose
>> PPTP other than device compatibility" - not quite true. PPTP being
>> faster / having lower overhead. But there's a premise here: Is
>> there any real value in your data that people will want to expend
>> time and resources on deciphering? Probably not, particularly when
>> it is only the pipes, not 3rd parties, who even have access to the
>> data stream. Most of the time, the value of encryption is merely
>> and only that it's not going across the wire clear text. Beyond
>> that, is there anything in your data people are willing to spend $
>> on to discover - well, no encryption will be sufficient for the
>> truly determined. PPTP is probably more than sufficient - but if
>> OpenVPN is as easy to set up and with just as little overhead / CPU
>> requirements, may as well use it. Which to use has less to do with
>> encryption strength / security flaws than just about every other
>> aspect beyond that.
>> On 14-05-05 02:43 PM, CrankyOldBugger wrote:
>>> PPTP is an older, less reliable tech. Use L2TP or, even better,
>>> openVPN. If you go with openVPN (as many people do), be sure to
>>> steer clear of the versions affected by Heartbleed!
>>> There's a comparison of some different types at
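As an added illustration of the audit-trail point made above (example code, not from the thread or from the OpenVPN project): the script below parses an OpenVPN version 1 status file, which the server writes when the `status` directive is set, and lists which common name is connected from where. With per-user certificates each CN names a person; with one shared key every session carries the same CN, so the trail is gone. The sample status file is constructed.

```python
# Added example: derive a per-user connection trail from an OpenVPN
# status file, and flag common names that cannot be tied to one person.
from collections import defaultdict

# Constructed sample in OpenVPN's status-version-1 layout.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Wed May  7 20:23:42 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51234,12345,67890,Wed May  7 19:01:00 2014
bob,198.51.100.7:40001,2345,6789,Wed May  7 19:30:00 2014
shared,203.0.113.9:50010,111,222,Wed May  7 18:00:00 2014
shared,192.0.2.33:50020,333,444,Wed May  7 18:05:00 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:51234,Wed May  7 20:23:00 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_client_list(text):
    """Return [(common_name, real_address, connected_since), ...] from the CLIENT LIST section."""
    sessions = []
    in_clients = False
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            in_clients = True
            continue
        if line in ("ROUTING TABLE", "GLOBAL STATS", "END"):
            in_clients = False
        if not in_clients or line.startswith(("Updated,", "Common Name,")):
            continue
        cn, real_addr, _rx, _tx, since = line.split(",", 4)
        sessions.append((cn, real_addr, since))
    return sessions

def sessions_by_user(sessions):
    """Map each common name to the remote addresses it is currently connected from."""
    by_user = defaultdict(list)
    for cn, real_addr, _since in sessions:
        by_user[cn].append(real_addr)
    return dict(by_user)

def unattributable(sessions):
    """Common names with more than one live session. With a shared key that is
    every connection, so nothing can be attributed; with per-user certificates
    a hit is worth a look (and an argument against `duplicate-cn` in the server config)."""
    return sorted(cn for cn, addrs in sessions_by_user(sessions).items() if len(addrs) > 1)
```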