[kwlug-disc] firewall question

[Cedric Puddy]

For a current client, we are using OpenVPN between all the sites (UK,  
France, US, Canada, Japan, China, Korea, etc.), and for all roaming  
users (a couple hundred).

That being said, the OpenVPN system predates my involvement with the  
company -- I've just been participating in supporting it (having been  
part of deploying to about 70 users, I have to say that it was a  
pleasure to work with).  I far prefer it in most respects over Cisco  
VPN Client, Secure Remote, PPTP, L2TP and so on.

The user space tools lack some of the polish that you might find in  
some of the hard-core commercial products (at least, for Windows and  
Mac users.  It's right on par with Cisco VPN client under linux  
though.), but the capabilities and performance you get in exchange are  
very cool (Cisco's bias against multi-hop VPN architectures -- not an  
issue.  Totally NAT Friendly -- Yes!  Super easy to monitor and debug  
-- Yes.   Low VPN tunnel overhead -- Yes.)

The only thing that I don't like is that it's hard to find it embedded  
in an appliance, whereas IPSEC is found in *everything* (and is a  
comparative nightmare to debug, is only NAT friendly with proprietary  
extensions, and has more complicated routing issues).

In my experience, even a heavy-weight general purpose Linux server  
cannot touch the super-low latencies that even basic hardware- 
optimized gateways (like Juniper) have.  Granted they are fast enough  
at turning packets around that it's not *that* big a deal, but there  
is "something" about a ultra-low latencies that give everything a  
really nice snappy feeling (even if there isn't that much bandwidth).

Bottom line: If running Linux based VPN concentrators/Firewall boxes  
is an option for you, then I highly recommend checking OpenVPN out.

I don't really have much to add that's not covered in the online docs  
and stuff -- you just create a mini Certificate Authority to generate  
certs for your end-points, sort through your particular networking  
details to come up with appropriate config files (all per the various  
examples and instructions that are available).

	-Cedric


On 17-Feb-09, at 7:19 PM, L.D. Paniak wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> unsolicited wrote:
>
>> e.g. Suppose you set up VPN for a laptop user. And the laptop gets
>> stolen. The issues around the technology become much bigger than the
>> technology itself.
>>
>>
>
> In OpenVPN, if someone steals a laptop, you just revoke the
> corresponding key (for key-based access) and restart the daemon
> (http://openvpn.net/index.php/documentation/howto.html#quick )
>
> Since each user has their own key, you can selectively 'turn off'  
> access
> without disrupting the whole system. Just make sure your user lets you
> know the laptop is missing in a timely manner!
>
> OpenVPN is easy to install: It is packaged for any reasonable distro  
> and
> there is a customizable Windows system for producing installers that  
> any
> MS user would be comfortable with.
>
> I'm sure you will find plenty of automation goodness to talk about  
> when
> you give your OpenVPN talk :)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFJm1QV8h2PnOHbiQcRAg9qAJ0UKjvmpk6De2iC+R1GOURscuO+HgCaA/wj
> k8PKLnJhrhlD1IipczVbbQI=
> =qsHM
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org



|  CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
|  118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-489-0478
\________________________________________________________
    Cedric Puddy, IS Director            cedric at thinkers.org
      PGP Key Available at:              http://www.thinkers.org/cedric