| 1 |
On Tuesday 12 February 2008, Grant wrote: |
| 2 |
> > Even if you just want to encrypt some clear-text protocol that |
| 3 |
> > doesn't have an encrypted equivalent, a vpn is still overkill. For |
| 4 |
> > that you use ssh tunneling (which is essentially the same thing as |
| 5 |
> > an encrypted version of a protocol). 'ssh -X' is the classic |
| 6 |
> > example of easily tunneling a protocol that doesn't have a native |
| 7 |
> > encrypted equivalent. |
| 8 |
> |
| 9 |
> I see what you're saying. Can tunneling through ssh be made |
| 10 |
> automatic so that a cron job initiates a script that opens a tunnel |
| 11 |
> between the remote server and local print server and pages are |
| 12 |
> printed through the tunnel? |
| 13 |
|
| 14 |
Sure. ssh is just a process after all and in principle encapsulated |
| 15 |
whatever gets put into it. All you need is a connection that isn't |
| 16 |
firewalled out and an sshd that is listening to what is coming in. |
| 17 |
|
| 18 |
ssh will even port forward for you and can be made to transform any tcp |
| 19 |
connection to appear to come from whatever port you want. What you put |
| 20 |
inside the tunnel is up to you. If the print server won't accept what |
| 21 |
is coming in, then google will find you any number of apps that will |
| 22 |
mangle the traffic. |
| 23 |
|
| 24 |
> > Your statement "it seems like running SSH inside a VPN is better |
| 25 |
> > for security than running SSH on a non-standard port" is |
| 26 |
> > non-sensical. From a security and encryption perspective, ssh and |
| 27 |
> > OpenVPN are exactly the same thing - stuff wrapped in an encryption |
| 28 |
> > layer provided by ssl, complete with exactly the same key setup |
| 29 |
> > should you choose to use that route. |
| 30 |
> |
| 31 |
> What about having ssh, imap, smtp, cups, and possibly a non-standard |
| 32 |
> https port all hidden within a VPN? Should that be considered a |
| 33 |
> benefit of running a VPN? |
| 34 |
|
| 35 |
I've filed the original post somewhere else and forgot the scenario :-) |
| 36 |
Is this a setup you need to be present often or even all the time? If |
| 37 |
so, you have 5 protocols in use, and setting up tunnels could become |
| 38 |
cumbersome. You might consider that it's more effort than it's worth |
| 39 |
and a VPN that is there and JustWorks(tm) is preferable. I would call |
| 40 |
that a sensible use of a VPN :-) |
| 41 |
|
| 42 |
I don't think there's a golden rule about when using a VPN is right or |
| 43 |
wrong. It's more like "do the advantages outweigh the hassle of setting |
| 44 |
it up and maintaining it?". Sometimes this answer is obvious, sometimes |
| 45 |
less so. Sometimes it's a judgement call. |
| 46 |
|
| 47 |
Side note: I'm starting to consider that even the most whacky, bizarre |
| 48 |
and stupid use of OpenVPN is preferable to the heartache and pain |
| 49 |
involved with trying to get IPSec working as designed.... |
| 50 |
|
| 51 |
-- |
| 52 |
Alan McKinnon |
| 53 |
alan dot mckinnon at gmail dot com |
| 54 |
|
| 55 |
-- |
| 56 |
gentoo-user@l.g.o mailing list |
Archives