1 |
On Sunday 14 May 2017 11:35:29 Kai Krakow wrote: |
2 |
> Am Sun, 14 May 2017 09:52:41 +0100 |
3 |
> |
4 |
> schrieb Mick <michaelkintzios@×××××.com>: |
5 |
> > On Saturday 13 May 2017 23:58:17 R0b0t1 wrote: |
6 |
> > > I had some problems setting up OpenVPN that were solved by using |
7 |
> > > per-client public keys. That seems to be the best supported |
8 |
> > > configuration (as well as the most secure). Windows-side using |
9 |
> > > OpenVPN-GUI is very easy. |
10 |
> > > |
11 |
> > > OpenVPN tends to have poor bandwidth due to overhead, but that may |
12 |
> > > be in large part due to my connection. |
13 |
> > |
14 |
> > OpenVPN is not the most efficient VPN implementation for connections |
15 |
> > to a server because it is not multithreaded |
16 |
> |
17 |
> Probably true but it works well here for connections of up to 100 MBit. |
18 |
|
19 |
It can work well for well above that throughput, but the limitation is the |
20 |
tun/tap mechanism and the CPU of the device/PC it is running on. |
21 |
|
22 |
|
23 |
> > and also because unlike |
24 |
> > IKE/IPSec it operates in userspace, not in kernelspace. |
25 |
> |
26 |
> IPsec also doesn't work without help from userspace processes. |
27 |
|
28 |
Sure, but this is only for managing the (re)keying process, which BTW takes |
29 |
longer with IKE than with OpenVPN (we're talking about milliseconds here). |
30 |
Once the keys have been agreed and set up between peers the rest happens |
31 |
exceedingly fast in kernelspace, managed as a network layer interface (L3). I |
32 |
recall seeing IPSec tunnels running 10 times faster than OpenVPN, being |
33 |
processed even faster than VLAN trunking, but this is very much dependent on |
34 |
the resources of the device running the tunnel. |
35 |
|
36 |
|
37 |
> But I |
38 |
> see what you mean: With OpenVPN, traffic bounces between kernel and |
39 |
> userspace multiple times before leaving the machine. But I don't really |
40 |
> see that as a problem for the scenario OpenVPN is used in: It best fits |
41 |
> with dial-up connections which are really not gigabit yet. For this, |
42 |
> performance overhead is almost zero. |
43 |
|
44 |
Yes, at dial-up throughput even a smart phone has enough resources to manage |
45 |
OpenVPN without it becoming a constraint. |
46 |
|
47 |
|
48 |
> IPsec can be a big pita if NAT is involved. For Windows client, L2TP |
49 |
> may be a good alternative. |
50 |
|
51 |
IKE/IPSec uses NAT-Traversal (NAT-T) by encapsulating ESP packets within UDP |
52 |
over port 4500. This will allow clients to initiate a connection with the |
53 |
server over port 500 and then switch to 4500 as part of NAT-T detection. |
54 |
Trivia: many routers/VPN concentrators use Vendor ID strings to determine if |
55 |
the remote peer can implement NAT-T among other attributes to shorten this |
56 |
NAT-T detection process. |
57 |
|
58 |
Of course the server will have to be accessible over port 500 for the clients |
59 |
to be able to get to it, but this is a port forwarding/DMZ network |
60 |
configuration exercise at the server end. |
61 |
|
62 |
|
63 |
> > > > The ftp server already doesn't allow unencrypted connections. |
64 |
> > > > |
65 |
> > > > Now try to explain to ppl for whom Filezilla is too complicated |
66 |
> > > > how to set up a VPN connection and how to secure their LAN once |
67 |
> > > > they create the connection (if we could ever get that to work). |
68 |
> > > > I haven't been able to figure that out myself, and that is one of |
69 |
> > > > the main reasons why I do not have a VPN connection but use ssh |
70 |
> > > > instead. The only disadvantage is that I can't do RDP sessions |
71 |
> > > > with that --- I probably could and just don't know how to --- |
72 |
> > > > but things might be a lot easier if wireguard works. |
73 |
> > |
74 |
> > If the users are helpless then you may be better configuring a VPN |
75 |
> > tunnel between their Internet gateway and the server, so they can |
76 |
> > access the server as if it were a local share, or using the built in |
77 |
> > ftp client that MSWindows comes with. SMB will work securely in this |
78 |
> > case too. |
79 |
> |
80 |
> This is what I would recommend, too. Put the VPN endpoints on the |
81 |
> network edges and no clients needs to worry: They just use the |
82 |
> connection. |
83 |
|
84 |
If there is a large number of client PCs this is the only sane solution. |
85 |
|
86 |
|
87 |
> > [...] |
88 |
> > |
89 |
> > > > I'm finding it a horrible nightmare, see above. It is the most |
90 |
> > > > difficult thing you could come up with. I haven't found any good |
91 |
> > > > documentation that explains it, the different types of it, how it |
92 |
> > > > works, what to use (apparently there are many different ways or |
93 |
> > > > something, some of which require a static IP on both ends, and |
94 |
> > > > they even give you different disadvantages in performance ...), |
95 |
> > > > how to protect the participants and all the complicated stuff |
96 |
> > > > involved. So far, I've managed to stay away from it, and I |
97 |
> > > > wouldn't know where to start. Of course, there is some |
98 |
> > > > documentation, but it is all confusing and no good. |
99 |
> > > |
100 |
> > > Feel free to start a thread on it. As above, I recommend |
101 |
> > > one-key-per-client and running your own CA. |
102 |
> |
103 |
> I wouldn't recommend running your own CA because you will have to |
104 |
> deploy a trust relationship with every client. |
105 |
> |
106 |
> > For secure connections you will have to set up CA and TLS keys with |
107 |
> > any option. Even ftps - unless the ftp server is already configured |
108 |
> > with its TLS certificates. |
109 |
> |
110 |
> Or you use certificates from LetsEncrypt. Their CA is already trusted |
111 |
> on most machines my default. |
112 |
|
113 |
Thanks for mentioning this! I had forgotten about LetsEncrypt ... :-) |
114 |
|
115 |
-- |
116 |
Regards, |
117 |
Mick |