| 1 |
Hi Grant, |
| 2 |
|
| 3 |
On Thu, Feb 14, 2008 at 1:19 AM, Grant <emailgrant@×××××.com> wrote: |
| 4 |
> Thanks a lot for everyone's help. Here is a more to-the-point list of |
| 5 |
> what I'd like to accomplish: |
| 6 |
> |
| 7 |
> 1. encrypt CUPS printouts between remote server and local print server |
| 8 |
> 2. add an additional layer of security around SSH and CUPS on local |
| 9 |
> firewall/print server |
| 10 |
> 3. add an additional layer of security around SSH, IMAP, and |
| 11 |
> non-standard port HTTPS on remote server |
| 12 |
> 4. enable access to SMTP on remote server for me which is blocked by |
| 13 |
> my local ISP |
| 14 |
> |
| 15 |
> It sounds like I have 3 choices: |
| 16 |
> |
| 17 |
> 1. VPN |
| 18 |
> 2. SSH tunneling |
| 19 |
> 3. Zebedee tunneling |
| 20 |
> |
| 21 |
> Would all 3 of these choices accomplish all 4 requirements? I would |
| 22 |
> think SSH tunneling can't really add an additional layer around SSH. |
| 23 |
|
| 24 |
I'd just like to reiterate that most of those don't need any extra |
| 25 |
security. SSH and HTTPS are already secure, and IMAP and SMTP can be |
| 26 |
accessed over SSL (like HTTPS). These are all secure enough to be |
| 27 |
widely used without extra layers of encryption. |
| 28 |
|
| 29 |
Routing your printing over a tunnel is perfectly valid and, in my |
| 30 |
opinion, reason enough to set up OpenVPN and play with it :D |
| 31 |
|
| 32 |
> I'd like to have something I can leave up all the time so the services |
| 33 |
> are always protected and I don't have to go through an extra step to |
| 34 |
> use email or print from the remote server. Can all 3 of these be left |
| 35 |
> up all the time? Is there any reason not to leave this type of |
| 36 |
> functionality up all the time? |
| 37 |
|
| 38 |
I can't speak for all of those options, but OpenVPN should be able to |
| 39 |
stay up all the time. I currently have an established OpenVPN |
| 40 |
connection to my work, it's been up for some five days now. I also |
| 41 |
have experience with a Cisco VPN, for which I use vpnc[1]... that |
| 42 |
thing goes down all the time. |
| 43 |
|
| 44 |
[1] http://www.unix-ag.uni-kl.de/~massar/vpnc/ |
| 45 |
|
| 46 |
> It sounds like VPN would be the most difficult to set up and maintain, |
| 47 |
> followed by SSH tunneling, followed by Zebedee tunneling. Maybe I'm |
| 48 |
> wrong though. With tunneling, would I need to set up 4 or 5 different |
| 49 |
> tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm |
| 50 |
> using Zebedee)? |
| 51 |
|
| 52 |
You can establish only one tunnel. Think of it this way, creating a |
| 53 |
tunnel is analogous to adding a NIC to your system. It will be called |
| 54 |
tun0 or tap0 (depending on whether you're tunneling or bridging). Then |
| 55 |
your system has an IP on your physical NIC (eth0) and your tun/tap |
| 56 |
interface as well. Your machine is now part of two network segments, |
| 57 |
the physical one and the virtual one. |
| 58 |
|
| 59 |
You only need one VPN tunnel; configure all your apps to route their |
| 60 |
CUPS, IMAP, SMTP, HTTPS and SSH connections through that virtual |
| 61 |
network. |
| 62 |
|
| 63 |
> To send me mail, mail servers need to connect to my remote server's |
| 64 |
> SMTP right? Would setting up a tunnel or VPN for my SMTP access |
| 65 |
> interfere with that? |
| 66 |
|
| 67 |
I would imagine your SMTP port needs to be accessible from the outside |
| 68 |
world in order to receive mail... so as long as packets bound for that |
| 69 |
machine's IP on port 25 (is it?) will reach the machine, you'll be OK. |
| 70 |
Perhaps someone more knowledgeable on mail servers can clarify this. |
| 71 |
|
| 72 |
At any rate, why not just go ahead with OpenVPN, set it up and see how |
| 73 |
it works for you? You'll be in a much better position then to |
| 74 |
determine whether it's really what you want or need. |
| 75 |
|
| 76 |
Have fun! |
| 77 |
Mike |
| 78 |
-- |
| 79 |
gentoo-user@l.g.o mailing list |
Archives