| 1 |
On Sunday 14 May 2017 11:35:29 Kai Krakow wrote: |
| 2 |
> Am Sun, 14 May 2017 09:52:41 +0100 |
| 3 |
> |
| 4 |
> schrieb Mick <michaelkintzios@×××××.com>: |
| 5 |
> > On Saturday 13 May 2017 23:58:17 R0b0t1 wrote: |
| 6 |
> > > I had some problems setting up OpenVPN that were solved by using |
| 7 |
> > > per-client public keys. That seems to be the best supported |
| 8 |
> > > configuration (as well as the most secure). Windows-side using |
| 9 |
> > > OpenVPN-GUI is very easy. |
| 10 |
> > > |
| 11 |
> > > OpenVPN tends to have poor bandwidth due to overhead, but that may |
| 12 |
> > > be in large part due to my connection. |
| 13 |
> > |
| 14 |
> > OpenVPN is not the most efficient VPN implementation for connections |
| 15 |
> > to a server because it is not multithreaded |
| 16 |
> |
| 17 |
> Probably true but it works well here for connections of up to 100 MBit. |
| 18 |
|
| 19 |
It can work well for well above that throughput, but the limitation is the |
| 20 |
tun/tap mechanism and the CPU of the device/PC it is running on. |
| 21 |
|
| 22 |
|
| 23 |
> > and also because unlike |
| 24 |
> > IKE/IPSec it operates in userspace, not in kernelspace. |
| 25 |
> |
| 26 |
> IPsec also doesn't work without help from userspace processes. |
| 27 |
|
| 28 |
Sure, but this is only for managing the (re)keying process, which BTW takes |
| 29 |
longer with IKE than with OpenVPN (we're talking about milliseconds here). |
| 30 |
Once the keys have been agreed and set up between peers the rest happens |
| 31 |
exceedingly fast in kernelspace, managed as a network layer interface (L3). I |
| 32 |
recall seeing IPSec tunnels running 10 times faster than OpenVPN, being |
| 33 |
processed even faster than VLAN trunking, but this is very much dependent on |
| 34 |
the resources of the device running the tunnel. |
| 35 |
|
| 36 |
|
| 37 |
> But I |
| 38 |
> see what you mean: With OpenVPN, traffic bounces between kernel and |
| 39 |
> userspace multiple times before leaving the machine. But I don't really |
| 40 |
> see that as a problem for the scenario OpenVPN is used in: It best fits |
| 41 |
> with dial-up connections which are really not gigabit yet. For this, |
| 42 |
> performance overhead is almost zero. |
| 43 |
|
| 44 |
Yes, at dial-up throughput even a smart phone has enough resources to manage |
| 45 |
OpenVPN without it becoming a constraint. |
| 46 |
|
| 47 |
|
| 48 |
> IPsec can be a big pita if NAT is involved. For Windows client, L2TP |
| 49 |
> may be a good alternative. |
| 50 |
|
| 51 |
IKE/IPSec uses NAT-Traversal (NAT-T) by encapsulating ESP packets within UDP |
| 52 |
over port 4500. This will allow clients to initiate a connection with the |
| 53 |
server over port 500 and then switch to 4500 as part of NAT-T detection. |
| 54 |
Trivia: many routers/VPN concentrators use Vendor ID strings to determine if |
| 55 |
the remote peer can implement NAT-T among other attributes to shorten this |
| 56 |
NAT-T detection process. |
| 57 |
|
| 58 |
Of course the server will have to be accessible over port 500 for the clients |
| 59 |
to be able to get to it, but this is a port forwarding/DMZ network |
| 60 |
configuration exercise at the server end. |
| 61 |
|
| 62 |
|
| 63 |
> > > > The ftp server already doesn't allow unencrypted connections. |
| 64 |
> > > > |
| 65 |
> > > > Now try to explain to ppl for whom Filezilla is too complicated |
| 66 |
> > > > how to set up a VPN connection and how to secure their LAN once |
| 67 |
> > > > they create the connection (if we could ever get that to work). |
| 68 |
> > > > I haven't been able to figure that out myself, and that is one of |
| 69 |
> > > > the main reasons why I do not have a VPN connection but use ssh |
| 70 |
> > > > instead. The only disadvantage is that I can't do RDP sessions |
| 71 |
> > > > with that --- I probably could and just don't know how to --- |
| 72 |
> > > > but things might be a lot easier if wireguard works. |
| 73 |
> > |
| 74 |
> > If the users are helpless then you may be better configuring a VPN |
| 75 |
> > tunnel between their Internet gateway and the server, so they can |
| 76 |
> > access the server as if it were a local share, or using the built in |
| 77 |
> > ftp client that MSWindows comes with. SMB will work securely in this |
| 78 |
> > case too. |
| 79 |
> |
| 80 |
> This is what I would recommend, too. Put the VPN endpoints on the |
| 81 |
> network edges and no clients needs to worry: They just use the |
| 82 |
> connection. |
| 83 |
|
| 84 |
If there is a large number of client PCs this is the only sane solution. |
| 85 |
|
| 86 |
|
| 87 |
> > [...] |
| 88 |
> > |
| 89 |
> > > > I'm finding it a horrible nightmare, see above. It is the most |
| 90 |
> > > > difficult thing you could come up with. I haven't found any good |
| 91 |
> > > > documentation that explains it, the different types of it, how it |
| 92 |
> > > > works, what to use (apparently there are many different ways or |
| 93 |
> > > > something, some of which require a static IP on both ends, and |
| 94 |
> > > > they even give you different disadvantages in performance ...), |
| 95 |
> > > > how to protect the participants and all the complicated stuff |
| 96 |
> > > > involved. So far, I've managed to stay away from it, and I |
| 97 |
> > > > wouldn't know where to start. Of course, there is some |
| 98 |
> > > > documentation, but it is all confusing and no good. |
| 99 |
> > > |
| 100 |
> > > Feel free to start a thread on it. As above, I recommend |
| 101 |
> > > one-key-per-client and running your own CA. |
| 102 |
> |
| 103 |
> I wouldn't recommend running your own CA because you will have to |
| 104 |
> deploy a trust relationship with every client. |
| 105 |
> |
| 106 |
> > For secure connections you will have to set up CA and TLS keys with |
| 107 |
> > any option. Even ftps - unless the ftp server is already configured |
| 108 |
> > with its TLS certificates. |
| 109 |
> |
| 110 |
> Or you use certificates from LetsEncrypt. Their CA is already trusted |
| 111 |
> on most machines my default. |
| 112 |
|
| 113 |
Thanks for mentioning this! I had forgotten about LetsEncrypt ... :-) |
| 114 |
|
| 115 |
-- |
| 116 |
Regards, |
| 117 |
Mick |
Archives