Gentoo Archives: gentoo-user

From: Dan Farrell <dan@×××××××××.cx>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] OpenVPN setup
Date: Fri, 15 Feb 2008 04:19:30
Message-Id: 20080214221926.4eb43a14@pascal.spore.ath.cx
In Reply to: Re: [gentoo-user] OpenVPN setup by Grant
On Wed, 13 Feb 2008 08:19:48 -0800
Grant <emailgrant@×××××.com> wrote:

> > > > Even if you just want to encrypt some clear-text protocol that
> > > > doesn't have an encrypted equivalent, a vpn is still overkill.
> > > > For that you use ssh tunneling (which is essentially the same
> > > > thing as an encrypted version of a protocol). 'ssh -X' is the
> > > > classic example of easily tunneling a protocol that doesn't
> > > > have a native encrypted equivalent.
> > >
> > > I see what you're saying. Can tunneling through ssh be made
> > > automatic so that a cron job initiates a script that opens a
> > > tunnel between the remote server and local print server and pages
> > > are printed through the tunnel?
> >
> > Sure. ssh is just a process after all and in principle encapsulates
> > whatever gets put into it. All you need is a connection that isn't
> > firewalled out and an sshd that is listening to what is coming in.
> >
> > ssh will even port forward for you and can be made to transform any
> > tcp connection to appear to come from whatever port you want. What
> > you put inside the tunnel is up to you. If the print server won't
> > accept what is coming in, then google will find you any number of
> > apps that will mangle the traffic.
> >
> > > > Your statement "it seems like running SSH inside a VPN is better
> > > > for security than running SSH on a non-standard port" is
> > > > nonsensical. From a security and encryption perspective, ssh
> > > > and OpenVPN are exactly the same thing - stuff wrapped in an
> > > > encryption layer provided by ssl, complete with exactly the
> > > > same key setup should you choose to use that route.
> > >
> > > What about having ssh, imap, smtp, cups, and possibly a
> > > non-standard https port all hidden within a VPN? Should that be
> > > considered a benefit of running a VPN?
> >
> > I've filed the original post somewhere else and forgot the
> > scenario :-) Is this a setup you need to be present often or even
> > all the time? If so, you have 5 protocols in use, and setting up
> > tunnels could become cumbersome. You might consider that it's more
> > effort than it's worth and a VPN that is there and JustWorks(tm) is
> > preferable. I would call that a sensible use of a VPN :-)
> >
> > I don't think there's a golden rule about when using a VPN is right
> > or wrong. It's more like "do the advantages outweigh the hassle of
> > setting it up and maintaining it?". Sometimes this answer is
> > obvious, sometimes less so. Sometimes it's a judgement call.
>
> Thanks a lot for everyone's help. Here is a more to-the-point list of
> what I'd like to accomplish:
>
> 1. encrypt CUPS printouts between remote server and local print server
> 2. add an additional layer of security around SSH and CUPS on local
> firewall/print server
> 3. add an additional layer of security around SSH, IMAP, and
> non-standard port HTTPS on remote server
> 4. enable access to SMTP on remote server for me which is blocked by
> my local ISP
>
> It sounds like I have 3 choices:
>
> 1. VPN
> 2. SSH tunneling
> 3. Zebedee tunneling
>
> Would all 3 of these choices accomplish all 4 requirements? I would
> think SSH tunneling can't really add an additional layer around SSH.

Encrypted packets, encrypted? Why not?

> I'd like to have something I can leave up all the time so the services
> are always protected and I don't have to go through an extra step to
> use email or print from the remote server. Can all 3 of these be left
> up all the time? Is there any reason not to leave this type of
> functionality up all the time?

I don't use tunnels, but leave VPN up all the time.

> It sounds like VPN would be the most difficult to set up and maintain,
> followed by SSH tunneling, followed by Zebedee tunneling. Maybe I'm
> wrong though. With tunneling, would I need to set up 4 or 5 different
> tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
> using Zebedee)?

Tunnels aren't configured, but would probably have to be created
at boot. VPN is, I suppose, not super easy to configure. I will send
you my config files though if you want.

> To send me mail, mail servers need to connect to my remote server's
> SMTP right? Would setting up a tunnel or VPN for my SMTP access
> interfere with that?

Not if you tunnel through to the right ports - or in the case of a VPN,
no.

--
gentoo-user@l.g.o mailing list
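The "created at boot" tunnel setup discussed in this thread, as an added example that is not part of the original mail or of Gentoo's or OpenSSH's documentation. It generates the two pieces a tunnel-only SSH setup needs from one list of forwards: the client command a boot script or cron job would run (IMAPS on 993 and the remote server's SMTP port 25, which covers the ISP-blocked-port item; the inbound MTA on port 25 is untouched, matching the answer above), and the matching authorized_keys line for the remote sshd, which restricts the key to exactly those forwards. The user, host, key path, local port numbers and the key material are made-up placeholders. The CUPS leg (the remote server printing to the local print server) runs in the opposite direction and would be a reverse forward (-R), which this example does not build.

```shell
#!/bin/sh
# Added example, not from the original thread: build an always-up,
# tunnel-only SSH forwarding setup. Forward spec format assumed here:
#   LOCALPORT:TARGETHOST:TARGETPORT
# The same list drives the client's -L options and the server-side
# permitopen list, so the key can open exactly those forwards and no others.

tunnel_cmd() {
    # $1 user@host, $2 sshd port, $3 identity file, rest: forward specs.
    user_host=$1; port=$2; key=$3; shift 3
    cmd="ssh -N -T -p $port -i $key"
    # -N/-T: no remote command, no tty. ExitOnForwardFailure makes ssh exit
    # (so the supervisor restarts it) instead of idling with a half-working
    # tunnel; ServerAlive* detects a dead link; BatchMode never prompts,
    # which is what an init script or cron job needs.
    cmd="$cmd -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    cmd="$cmd -o ServerAliveCountMax=3 -o BatchMode=yes"
    for fwd in "$@"; do
        cmd="$cmd -L $fwd"
    done
    printf '%s\n' "$cmd $user_host"
}

authorized_key_line() {
    # $1 public key ("type base64"), rest: forward specs.
    # 'restrict' (OpenSSH 7.2+) disables pty, X11/agent forwarding and rc
    # execution; 'port-forwarding' re-enables only that; command= forces a
    # no-op instead of a shell if someone uses the key interactively; each
    # permitopen pins -L to one TARGETHOST:TARGETPORT as seen by the server.
    pubkey=$1; shift
    opts='restrict,port-forwarding,command="/bin/false"'
    for fwd in "$@"; do
        target=${fwd#*:}   # drop LOCALPORT:, keep TARGETHOST:TARGETPORT
        opts="$opts,permitopen=\"$target\""
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

keep_tunnel_up() {
    # Boot-time supervisor: re-run the ssh command whenever it exits.
    # $1 is the string from tunnel_cmd; the specs contain no whitespace,
    # so plain word splitting is safe here. Not invoked below.
    while :; do
        $1
        sleep 10
    done
}

# Constructed sample (placeholders, not real hosts or keys):
# IMAPS on the remote server, and its SMTP port 25 reached through the
# tunnel because the local ISP blocks outbound 25.
FORWARDS="9930:localhost:993 2525:localhost:25"
tunnel_cmd alice@remote.example 22 /etc/tunnel/id_ed25519 $FORWARDS
authorized_key_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey" $FORWARDS
```

Wire `keep_tunnel_up "$(tunnel_cmd ...)"` into an init script (or use autossh, which does the same restarting) and point your mail client at localhost:9930 and localhost:2525. On an sshd older than OpenSSH 7.2 there is no `restrict` keyword; spell the same restrictions out as `no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc` and drop `port-forwarding`, keeping the `command=` and `permitopen=` options. Because `permitopen` is evaluated on the server, `localhost` in the forward spec means the remote server itself, which is what you want for its IMAP and SMTP daemons.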