Old 02-11-2008, 07:41 PM
Grant
 
Default OpenVPN setup

I'm hoping to install openvpn on my remote hosted server. I have
three machines to consider:

1. remote hosted web/mail server
2. local firewall, print server
3. local laptop

I'm hoping to use the vpn in three ways:

1. imap and smtp between my laptop and the mail server
2. ssh from my laptop to the remote server
3. cups printing from the remote server to the print server

I've been over these guides:

http://gentoo-wiki.com/HOWTO_OpenVPN_primer
http://gentoo-wiki.com/HOWTO_Road_Warriors_with_OpenVPN

It looks like there are plenty of opportunities for me to screw up so
I'm hoping somebody might be able to help when I get stuck.

The second guide deals with bridging and the first does not. Should I
be setting up bridging? The first guide seems simpler. Should I be
OK with that one? I'd hate to dig into one of them and then find out
I should have chosen the other.

- Grant
--
gentoo-user@lists.gentoo.org mailing list
 
Old 02-11-2008, 07:53 PM
Alan McKinnon
 
Default OpenVPN setup

On Monday 11 February 2008, Grant wrote:

> The second guide deals with bridging and the first does not. Should
> I be setting up bridging? The first guide seems simpler. Should I
> be OK with that one? I'd hate to dig into one of them and then find
> out I should have chosen the other.
>
> - Grant

IMHO you should always go with routed first, then bridged if you need
it.

Ask yourself this question: do you really need ethernet traffic to go
through the vpn? There are cases where it could be useful, but I'm hard
pressed to find a general case.

With a routed vpn, you work with IP addresses, just like you do on the
internet.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

 
Old 02-11-2008, 09:59 PM
"Mike Mazur"
 
Default OpenVPN setup

Hi Grant,

On Tue, Feb 12, 2008 at 5:41 AM, Grant <emailgrant@gmail.com> wrote:
> I'm hoping to use the vpn in three ways:
>
> 1. imap and smtp between my laptop and the mail server
> 2. ssh from my laptop to the remote server
> 3. cups printing from the remote server to the print server

I don't think you need a VPN to SSH from your laptop to the remote
server -- SSH is already encrypted.

If your laptop is always behind your local firewall, then it should be
sufficient to have an OpenVPN tunnel established between your local
firewall/print server and your remote server. This should allow you to
print.

Configuring the routes on your laptop to go through your local
firewall and VPN to the remote server should allow you to grab your
mail.

If you move around with your laptop then you'll need to establish the
VPN tunnel to your remote server anytime you need to grab your mail
from anywhere else but home (behind your local firewall).

On Tue, Feb 12, 2008 at 5:53 AM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> IMHO you should always go with routed first, then bridged if you need
> it.
>
> Ask yourself this question: do you really need ethernet traffic to go
> through the vpn? There are cases where it could be useful, but I'm hard
> pressed to find a general case.
>
> With a routed vpn, you work with IP addresses, just like you do on the
> internet.

As Alan said, try going with routed first.

Also, think about whether you really need this. As mentioned above,
SSH doesn't need to be tunneled over a VPN. IMAP and SMTP can be
encrypted too. That leaves printing, for which you could use VPN.

Have fun!
Mike
 
Old 02-11-2008, 10:11 PM
Grant
 
Default OpenVPN setup

> > I'm hoping to use the vpn in three ways:
> >
> > 1. imap and smtp between my laptop and the mail server
> > 2. ssh from my laptop to the remote server
> > 3. cups printing from the remote server to the print server
>
> I don't think you need a VPN to SSH from your laptop to the remote
> server -- SSH is already encrypted.

For sure, but it seems like running SSH inside a VPN is better for
security than running SSH on a non-standard port or even port
knocking. If I need to set up a VPN for printing, shouldn't I use it
for other stuff too? Maybe not, I have yet to actually use a VPN so
please correct me if I'm wrong.

> If your laptop is always behind your local firewall, then it should be
> sufficient to have an OpenVPN tunnel established between your local
> firewall/print server and your remote server. This should allow you to
> print.
>
> Configuring the routes on your laptop to go through your local
> firewall and VPN to the remote server should allow you to grab your
> mail.
>
> If you move around with your laptop then you'll need to establish the
> VPN tunnel to your remote server anytime you need to grab your mail
> from anywhere else but home (behind your local firewall).

Ah, tunnels, OK. I need to think in terms of tunnels. I'll
definitely be moving around and won't be behind my local firewall too
much of the time. Can I set up the openvpn server on my remote system
and keep a tunnel open between it and the firewall/print server for
printing, and also initiate a tunnel between the laptop and the remote
system whenever I need to mail or SSH? Does that sound like a good
plan?

- Grant


> > IMHO you should always go with routed first, then bridged if you need
> > it.
> >
> > Ask yourself this question: do you really need ethernet traffic to go
> > through the vpn? There are cases where it could be useful, but I'm hard
> > pressed to find a general case.
> >
> > With a routed vpn, you work with IP addresses, just like you do on the
> > internet.
>
> As Alan said, try going with routed first.
>
> Also, think about whether you really need this. As mentioned above,
> SSH doesn't need to be tunneled over a VPN. IMAP and SMTP can be
> encrypted too. That leaves printing, for which you could use VPN.
>
> Have fun!
> Mike
 
Old 02-11-2008, 10:51 PM
"Mike Mazur"
 
Default OpenVPN setup

Hi Grant,

On Tue, Feb 12, 2008 at 8:11 AM, Grant <emailgrant@gmail.com> wrote:
> > > I'm hoping to use the vpn in three ways:
> > >
> > > 1. imap and smtp between my laptop and the mail server
> > > 2. ssh from my laptop to the remote server
> > > 3. cups printing from the remote server to the print server
> >
> > I don't think you need a VPN to SSH from your laptop to the remote
> > server -- SSH is already encrypted.
>
> For sure, but it seems like running SSH inside a VPN is better for
> security than running SSH on a non-standard port or even port
> knocking. If I need to set up a VPN for printing, shouldn't I use it
> for other stuff too? Maybe not, I have yet to actually use a VPN so
> please correct me if I'm wrong.

There are other ways to make SSH more "secure". For example, you could
only enable PubkeyAuthentication while disabling all other methods of
authentication, then use a large (4096-bit?) key pair with a strong
passphrase[1] and use keychain[2] so you don't have to type in the
passphrase all the time. OK, I'm exaggerating a bit with those
passwords from GRC, but you get the idea.

[1] https://www.grc.com/passwords.htm
[2] http://www.gentoo.org/proj/en/keychain/

Also keep in mind the added overhead with OpenVPN -- your encrypted
SSH traffic is again encrypted by the VPN.

> > If your laptop is always behind your local firewall, then it should be
> > sufficient to have an OpenVPN tunnel established between your local
> > firewall/print server and your remote server. This should allow you to
> > print.
> >
> > Configuring the routes on your laptop to go through your local
> > firewall and VPN to the remote server should allow you to grab your
> > mail.
> >
> > If you move around with your laptop then you'll need to establish the
> > VPN tunnel to your remote server anytime you need to grab your mail
> > from anywhere else but home (behind your local firewall).
>
> Ah, tunnels, OK. I need to think in terms of tunnels. I'll
> definitely be moving around and won't be behind my local firewall too
> much of the time. Can I set up the openvpn server on my remote system
> and keep a tunnel open between it and the firewall/print server for
> printing, and also initiate a tunnel between the laptop and the remote
> system whenever I need to mail or SSH? Does that sound like a good
> plan?

Yep, that should work. With a 'permanent' tunnel established between
your remote server and your local firewall/print server, you'll always
have access to those too simply by connecting via VPN to your remote
server. You can print from your laptop to your printer at home while
overseas, for example.

Mike
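Putting Alan's advice (routed, so tun rather than tap) together with the plan Mike has just confirmed, here is one concrete layout, added here as an example; it is not from the thread or from either wiki guide. The names and addresses are assumed: the remote server is vpn.example.net and runs the OpenVPN server on 10.8.0.0/24; the firewall/print server's certificate CN is firewall, it gets the fixed tunnel address 10.8.0.10 and sits in front of the home LAN 192.168.1.0/24; the laptop's CN is laptop. Certificates, keys, DH parameters and the tls-auth key are assumed to exist already (easy-rsa output), and the directives use OpenVPN 2.1 or newer syntax. The script writes the configs into a directory and then runs a check for the mistake that bites this layout most often: an iroute in the per-client file without the matching route in server.conf, which leaves the home LAN unreachable from the server side.

```sh
#!/bin/sh
# Added example, not from the thread: a routed (tun) OpenVPN layout for the
# three hosts Grant describes. Hypothetical names and addresses:
#   vpn.example.net  remote hosted server, runs the OpenVPN server, tunnel 10.8.0.0/24
#   firewall         home firewall/print server, cert CN "firewall", tunnel IP 10.8.0.10,
#                    in front of the home LAN 192.168.1.0/24 (CUPS runs on this box)
#   laptop           road warrior, cert CN "laptop", tunnel IP assigned per connection
# ca.crt, <name>.crt, <name>.key, dh2048.pem and ta.key are assumed to exist.

# write_configs DIR: write server.conf, ccd/*, firewall.conf and laptop.conf under DIR
write_configs() {
    dir="${1:-./openvpn-example}"
    mkdir -p "$dir/ccd" || return 1

    # remote server: vpn.example.net
    cat > "$dir/server.conf" <<'EOF'
port 1194
proto udp
# routed VPN: tun carries IP packets; tap would carry ethernet frames (bridging)
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
# per-client settings live in ccd/<certificate CN>
client-config-dir ccd
# kernel route for the home LAN; without it packets never enter the tun device
route 192.168.1.0 255.255.255.0
# let the laptop and the firewall reach each other through the server
client-to-client
keepalive 10 60
persist-key
persist-tun
verb 3
EOF

    # firewall: fixed address, and it owns the home LAN (iroute pairs with route above)
    cat > "$dir/ccd/firewall" <<'EOF'
ifconfig-push 10.8.0.10 255.255.255.0
iroute 192.168.1.0 255.255.255.0
EOF

    # laptop: only this client needs a route to the home LAN pushed to it;
    # pushing it to the firewall would clash with the firewall's own LAN route
    cat > "$dir/ccd/laptop" <<'EOF'
push "route 192.168.1.0 255.255.255.0"
EOF

    # firewall/print server: permanent site-to-site client
    cat > "$dir/firewall.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert firewall.crt
key firewall.key
tls-auth ta.key 1
remote-cert-tls server
verb 3
EOF

    # laptop: same client config with its own certificate, started only when needed
    sed 's/^cert firewall\.crt$/cert laptop.crt/; s/^key firewall\.key$/key laptop.key/' \
        "$dir/firewall.conf" > "$dir/laptop.conf"
}

# lint_configs DIR: every iroute in a ccd file needs a matching route in
# server.conf, and nothing in a routed layout should use a tap device.
lint_configs() {
    dir="${1:-./openvpn-example}"
    status=0
    for ccd in "$dir"/ccd/*; do
        [ -f "$ccd" ] || continue
        awk '$1 == "iroute" { print $2, $3 }' "$ccd" |
        while read -r net mask; do
            grep -q "^route $net $mask\$" "$dir/server.conf" ||
                { echo "ccd/${ccd##*/}: iroute $net $mask has no route in server.conf" >&2; exit 1; }
        done || status=1
    done
    if grep -q '^dev tap' "$dir"/*.conf 2>/dev/null; then
        echo "tap device found: this is a routed layout, use dev tun" >&2
        status=1
    fi
    return $status
}
```

Copy server.conf and ccd/ to /etc/openvpn on the remote server, firewall.conf to the firewall and laptop.conf to the laptop, each with its own certificate and key. The firewall needs nothing more for printing because CUPS runs on it; it only needs net.ipv4.ip_forward=1 if other hosts on 192.168.1.0/24 are to be reachable too. CUPS itself still has to listen on the tunnel address and allow 10.8.0.0/24 in cupsd.conf, and the firewall's packet filter has to accept 631/tcp arriving on tun0.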
 
Old 02-11-2008, 11:00 PM
Grant
 
Default OpenVPN setup

> > > > I'm hoping to use the vpn in three ways:
> > > >
> > > > 1. imap and smtp between my laptop and the mail server
> > > > 2. ssh from my laptop to the remote server
> > > > 3. cups printing from the remote server to the print server
> > >
> > > I don't think you need a VPN to SSH from your laptop to the remote
> > > server -- SSH is already encrypted.
> >
> > For sure, but it seems like running SSH inside a VPN is better for
> > security than running SSH on a non-standard port or even port
> > knocking. If I need to set up a VPN for printing, shouldn't I use it
> > for other stuff too? Maybe not, I have yet to actually use a VPN so
> > please correct me if I'm wrong.
>
> There are other ways to make SSH more "secure". For example, you could

But what's wrong with this one? Honestly though, why would any of
those methods be preferred to openvpn?

> only enable PubkeyAuthentication while disabling all other methods of
> authentication, then use a large (4096-bit?) key pair with a strong
> passphrase[1] and use keychain[2] so you don't have to type in the
> passphrase all the time. OK, I'm exaggerating a bit with those
> passwords from GRC, but you get the idea.
>
> [1] https://www.grc.com/passwords.htm
> [2] http://www.gentoo.org/proj/en/keychain/
>
> Also keep in mind the added overhead with OpenVPN -- your encrypted
> SSH traffic is again encrypted by the VPN.

Is this significant? Would my SSH latency be increased, the system
slowed down, or both?

> > > If your laptop is always behind your local firewall, then it should be
> > > sufficient to have an OpenVPN tunnel established between your local
> > > firewall/print server and your remote server. This should allow you to
> > > print.
> > >
> > > Configuring the routes on your laptop to go through your local
> > > firewall and VPN to the remote server should allow you to grab your
> > > mail.
> > >
> > > If you move around with your laptop then you'll need to establish the
> > > VPN tunnel to your remote server anytime you need to grab your mail
> > > from anywhere else but home (behind your local firewall).
> >
> > Ah, tunnels, OK. I need to think in terms of tunnels. I'll
> > definitely be moving around and won't be behind my local firewall too
> > much of the time. Can I set up the openvpn server on my remote system
> > and keep a tunnel open between it and the firewall/print server for
> > printing, and also initiate a tunnel between the laptop and the remote
> > system whenever I need to mail or SSH? Does that sound like a good
> > plan?
>
> Yep, that should work. With a 'permanent' tunnel established between
> your remote server and your local firewall/print server, you'll always
> have access to those too simply by connecting via VPN to your remote
> server. You can print from your laptop to your printer at home while
> overseas, for example.

Nice, thanks Mike.

- Grant
 
Old 02-12-2008, 12:44 AM
Dan Farrell
 
Default OpenVPN setup

On Mon, 11 Feb 2008 16:00:49 -0800
Grant <emailgrant@gmail.com> wrote:

> > You can print from your laptop to your printer at home while
> > overseas, for example.

Sounds very convenient ; )
 
Old 02-12-2008, 04:48 AM
"W.Kenworthy"
 
Default OpenVPN setup

I do this with my work printer - the printer is locked down to a local
network - I can print from locked out offices/labs anywhere (and even
from home, picking up the printouts when I arrive - convenient!)

I also transfer sometimes large files (using scp) and run ssh sessions
and imap/smtp mail all through the same tunnel(s) - I actually use two
in series with a convenient host in between to get around some local
routing issues. All can be transparent and just work. scp can
sometimes be a pain with slow speeds, but it's dependent on network
conditions external to the tunnel - i.e., some external conditions cause
interactions that affect packet sizes/latency within the tunnel - it doesn't
happen often though.

Routing is often an issue (particularly to networks a few hops away on
the "inside") - ospf (quagga) was the solution, though RIP is probably
easier/better for this.

The downside - Gentoo's OpenVPN and networking design is OK for simple
setups, but has to be overridden when things get complex. It can be "fragile"
when design changes are taking place - it breaks when you least expect it,
like when they introduced the bind flag into the init.d script (grrrrr).

Note that you need sympathetic or pliable IT staff if it's a workplace -
it helps to have them onside if you are going to bypass their security
policies for your own benefit!

BillK


On Mon, 2008-02-11 at 19:44 -0600, Dan Farrell wrote:
> On Mon, 11 Feb 2008 16:00:49 -0800
> Grant <emailgrant@gmail.com> wrote:
>
> > > You can print from your laptop to your printer at home while
> > > overseas, for example.
>
> Sounds very convenient ; )
 
Old 02-12-2008, 11:56 AM
Alan McKinnon
 
Default OpenVPN setup

On Tuesday 12 February 2008, Grant wrote:
> > I don't think you need a VPN to SSH from your laptop to the remote
> > server -- SSH is already encrypted.
>
> For sure, but it seems like running SSH inside a VPN is better for
> security than running SSH on a non-standard port or even port
> knocking. If I need to set up a VPN for printing, shouldn't I use it
> for other stuff too? Maybe not, I have yet to actually use a VPN so
> please correct me if I'm wrong.

The name tells you everything you need to know.

vpn is Virtual Private *Network*. If you would normally have a dedicated
line between this place and that place to form a network, but this is
too expensive so you use the internet instead, then you use a vpn. Why?
Because the internet is a public pathway and you don't want your stuff
out in the open.

If you want a client machine somewhere to connect to a server machine
somewhere else, then this is normal internet connectivity and vpn is
the wrong thing. If you want the client machine to be part of the same
network the server is on so that lots of stuff works the way it does in
the office itself, then vpn is the correct thing.

Even if you just want to encrypt some clear-text protocol that doesn't
have an encrypted equivalent, a vpn is still overkill. For that you use
ssh tunneling (which is essentially the same thing as an encrypted
version of a protocol). 'ssh -X' is the classic example of easily
tunneling a protocol that doesn't have a native encrypted equivalent.

Your statement "it seems like running SSH inside a VPN is better for
security than running SSH on a non-standard port" is non-sensical. From
a security and encryption perspective, ssh and OpenVPN are exactly the
same thing - stuff wrapped in an encryption layer provided by ssl,
complete with exactly the same key setup should you choose to use that
route.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

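Mike's suggestion earlier in the thread (public-key authentication only, everything else off) and Alan's point that SSH and OpenVPN give the same kind of protection, so the effort belongs in sshd's own configuration, as an added example; it is not from the thread. It writes two constructed sshd_config samples, a stock-looking weak one beside the hardened one, and audits a config file for the settings that matter. The audit applies sshd's own rule that the first occurrence of a keyword wins, which is the trap in the weak sample: a PasswordAuthentication no appended at the bottom does nothing while a yes sits above it. Anything after the first Match line is ignored by the check, since those values apply only conditionally; the defaults assumed for absent keywords are spelled out in the code.

```sh
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# this thread argues about. Keywords are real sshd_config keywords; the two
# sample files are constructed, and the "Keyword value" line form is assumed.

# sshd_setting FILE KEYWORD: print the effective value of KEYWORD, using
# sshd's rule that the first occurrence wins. Lines after the first "Match"
# are skipped because they apply conditionally. Prints nothing if unset.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }          # comment or blank line
        { k = tolower($1) }                    # keywords are case-insensitive
        k == "match" { exit }                  # conditional section: stop here
        k == key { print tolower($2); exit }   # first occurrence wins
    ' "$1"
}

# sshd_effective FILE KEYWORD DEFAULT: the value sshd would actually use
sshd_effective() {
    v=$(sshd_setting "$1" "$2")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# expect_setting FILE KEYWORD DEFAULT WANTED: 0 if the effective value is WANTED
expect_setting() {
    got=$(sshd_effective "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "$2 is '$got', want '$4'" >&2
    return 1
}

# audit_sshd FILE: 0 only if FILE allows public-key logins and nothing else.
# The defaults passed here are OpenSSH's compiled-in ones; PermitRootLogin is
# taken as "yes", its value before OpenSSH 7.0, to stay on the safe side.
audit_sshd() {
    bad=0
    expect_setting "$1" PubkeyAuthentication yes yes || bad=1
    expect_setting "$1" PasswordAuthentication yes no || bad=1
    expect_setting "$1" ChallengeResponseAuthentication yes no || bad=1
    expect_setting "$1" PermitEmptyPasswords no no || bad=1
    expect_setting "$1" PermitRootLogin yes no || bad=1
    return $bad
}

# Constructed sample 1: a stock-looking config that somebody later "hardened"
# by appending a line. The appended "no" is dead: the first "yes" wins.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# appended later, has no effect because of the first-match rule:
PasswordAuthentication no
EOF
}

# Constructed sample 2: the fragment Mike describes, keys only.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
# only needed for "ssh -w" layer-3 tunnels; keep it off otherwise
PermitTunnel no
EOF
}
```

Run audit_sshd against the live /etc/ssh/sshd_config before restarting sshd, and keep an existing session open while you test the new key from a second one; once password logins are off, the 4096-bit key and its passphrase are the only way in, and keychain only saves retyping the passphrase, it does not replace it.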
 
Old 02-12-2008, 01:42 PM
Etaoin Shrdlu
 
Default OpenVPN setup

On Tuesday 12 February 2008, Alan McKinnon wrote:

> Your statement "it seems like running SSH inside a VPN is better for
> security than running SSH on a non-standard port" is non-sensical.
> From a security and encryption perspective, ssh and OpenVPN are
> exactly the same thing - stuff wrapped in an encryption layer provided
> by ssl, complete with exactly the same key setup should you choose to
> use that route.

Perhaps confusingly, ssh itself can be used to create OpenVPN-like VPNs
(actually, much simpler), using the -w option and a couple of tun (or
tap) interfaces on the connected computers.
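Alan's point that ssh itself can carry a clear-text protocol (ssh -L, the port-forwarding sibling of ssh -X) and Etaoin Shrdlu's point that ssh -w with a tun interface at each end makes a small layer-3 VPN, as an added example that is not from the thread. It assumes a login grant on vpn.example.net with passwordless sudo for ip, and the tunnel addresses 10.9.0.1 (laptop) and 10.9.0.2 (server). The ssh and ip binaries are reached through $SSH and $IP so the sequence can be rehearsed with SSH=echo IP=echo; a real run needs root on the laptop, and PermitTunnel yes in the server's sshd_config, which is off by default.

```sh
#!/bin/sh
# Added example, not from the thread: ssh as the tunnel, no OpenVPN.
# Hypothetical names and addresses:
#   vpn.example.net    the remote hosted server, login "grant" with sudo rights to ip
#   10.9.0.1/10.9.0.2  laptop/server ends of the ssh -w tunnel
# $SSH and $IP exist so the sequence can be rehearsed with SSH=echo IP=echo.
SSH=${SSH:-ssh}
IP=${IP:-ip}
REMOTE=${REMOTE:-grant@vpn.example.net}

# 1. Port forwards: IMAP and submission ride inside ssh. The mail client is
#    pointed at localhost:1143 and localhost:1587; on the server the
#    connections arrive from 127.0.0.1, so neither service needs to listen
#    on a public address. ExitOnForwardFailure makes a taken local port fatal
#    instead of silently leaving the mail client talking to nothing.
mail_forward() {
    $SSH -N -f -o ExitOnForwardFailure=yes \
        -L 1143:127.0.0.1:143 \
        -L 1587:127.0.0.1:587 \
        "$REMOTE"
}

# 2. Layer-3 tunnel: "ssh -w L:R" creates tunL here and tunR on the server.
#    Needs root (or CAP_NET_ADMIN) on both ends and "PermitTunnel yes" (or
#    point-to-point) in the server's sshd_config.
TUN_LOCAL=${TUN_LOCAL:-0}
TUN_REMOTE=${TUN_REMOTE:-0}
ADDR_LOCAL=${ADDR_LOCAL:-10.9.0.1}
ADDR_REMOTE=${ADDR_REMOTE:-10.9.0.2}
CTL=${CTL:-/tmp/ssh-tun.ctl}   # control socket, so the tunnel can be torn down by name

l3_tunnel_up() {
    # The remote command configures the far end. The session stays up after
    # that command exits because the tunnel channel is still open, and -M/-S
    # lets l3_tunnel_down find it later.
    $SSH -f -M -S "$CTL" -o ExitOnForwardFailure=yes \
        -w "$TUN_LOCAL:$TUN_REMOTE" "$REMOTE" \
        "sudo ip addr add $ADDR_REMOTE peer $ADDR_LOCAL dev tun$TUN_REMOTE && sudo ip link set tun$TUN_REMOTE up" \
        || return 1
    # the local end, now that ssh has created tun$TUN_LOCAL
    $IP addr add "$ADDR_LOCAL" peer "$ADDR_REMOTE" dev "tun$TUN_LOCAL" &&
    $IP link set "tun$TUN_LOCAL" up
}

l3_tunnel_down() {
    # ask the master connection to exit; the kernel removes both tun devices
    $SSH -S "$CTL" -O exit "$REMOTE"
}
```

After l3_tunnel_up, a route such as ip route add 192.168.1.0/24 via 10.9.0.2 on the laptop sends the home LAN through the tunnel; the server then needs net.ipv4.ip_forward=1 and a route of its own to that LAN. The port-forward variant needs none of that and no root, which is the practical content of Alan's "vpn is overkill" remark: for IMAP, SMTP and ssh itself, mail_forward is the whole job.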
 
