On Tuesday 12 February 2008, Grant wrote:
> > Even if you just want to encrypt some clear-text protocol that
> > doesn't have an encrypted equivalent, a vpn is still overkill. For
> > that you use ssh tunneling (which is essentially the same thing as
> > an encrypted version of a protocol). 'ssh -X' is the classic
> > example of easily tunneling a protocol that doesn't have a native
> > encrypted equivalent.
>
> I see what you're saying. Can tunneling through ssh be made
> automatic so that a cron job initiates a script that opens a tunnel
> between the remote server and local print server and pages are
> printed through the tunnel?

Sure. ssh is just a process after all and in principle encapsulates
whatever gets put into it. All you need is a connection that isn't
firewalled out and an sshd that is listening to what is coming in.

ssh will even port forward for you and can be made to transform any tcp
connection to appear to come from whatever port you want. What you put
inside the tunnel is up to you. If the print server won't accept what
is coming in, then google will find you any number of apps that will
mangle the traffic.

> > Your statement "it seems like running SSH inside a VPN is better
> > for security than running SSH on a non-standard port" is
> > nonsensical. From a security and encryption perspective, ssh and
> > OpenVPN are exactly the same thing - stuff wrapped in an encryption
> > layer provided by ssl, complete with exactly the same key setup
> > should you choose to use that route.
>
> What about having ssh, imap, smtp, cups, and possibly a non-standard
> https port all hidden within a VPN? Should that be considered a
> benefit of running a VPN?

I've filed the original post somewhere else and forgot the scenario :-)
Is this a setup you need to be present often or even all the time? If
so, you have 5 protocols in use, and setting up tunnels could become
cumbersome. You might consider that it's more effort than it's worth
and a VPN that is there and JustWorks(tm) is preferable. I would call
that a sensible use of a VPN :-)

I don't think there's a golden rule about when using a VPN is right or
wrong. It's more like "do the advantages outweigh the hassle of setting
it up and maintaining it?". Sometimes this answer is obvious, sometimes
less so. Sometimes it's a judgement call.

Side note: I'm starting to consider that even the most whacky, bizarre
and stupid use of OpenVPN is preferable to the heartache and pain
involved with trying to get IPSec working as designed....

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@l.g.o mailing list
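The cron-driven print tunnel Grant asks about, sketched as an added example that is not part of the list post: a script cron runs every few minutes on the print-server side that opens a reverse forward from the remote host back to the local CUPS server, with the ssh options that keep an unattended tunnel from hanging on a prompt, holding a forward-less session, or stacking up duplicates. The host, user, key path and port numbers are assumed placeholders.

```shell
#!/bin/sh
# Cron-driven ssh print tunnel. Added example, not code from the list post.
# Hypothetical names: remote host remote.example.org, ssh user "printer",
# local CUPS on localhost:631, remote-side listener on port 6631.
REMOTE_HOST="remote.example.org"
REMOTE_USER="printer"
REMOTE_PORT="6631"               # remote jobs go to ipp://localhost:6631
LOCAL_CUPS="localhost:631"       # the print server on this side
PIDFILE="/var/run/print-tunnel.pid"
KEY="/etc/print-tunnel/id_ed25519"   # key the remote sshd restricts to this forward

# Build the ssh command. -R makes localhost:6631 on the remote host reach
# the local CUPS server, so print jobs travel inside the ssh session.
# -N: no remote shell; BatchMode: never prompt (cron has no terminal);
# ExitOnForwardFailure: fail instead of holding a session with no forward;
# ServerAlive*: drop a dead tunnel so the next cron run can replace it.
tunnel_cmd() {
    printf '%s' "ssh -N -i $KEY \
-o BatchMode=yes -o ExitOnForwardFailure=yes \
-o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-R ${REMOTE_PORT}:${LOCAL_CUPS} ${REMOTE_USER}@${REMOTE_HOST}"
}

# True when the PID stored in file $1 still belongs to a live process.
tunnel_running() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1") || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Start a tunnel only if the previous one has died, and record its PID so
# repeated cron runs never stack up duplicate ssh processes.
ensure_tunnel() {
    tunnel_running "$PIDFILE" && return 0
    rm -f "$PIDFILE"
    # word splitting of the built command line is intended here
    $(tunnel_cmd) >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# Crontab entry on the print-server side, e.g.:
#   */5 * * * * /usr/local/bin/print-tunnel.sh run
case "${1:-}" in
    run) ensure_tunnel ;;
esac
```

On the remote host, point the print client at ipp://localhost:6631; the job never leaves the ssh session in clear text.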