Hi Grant,

On Thu, Feb 14, 2008 at 1:19 AM, Grant <emailgrant@×××××.com> wrote:
> Thanks a lot for everyone's help. Here is a more to-the-point list of
> what I'd like to accomplish:
>
> 1. encrypt CUPS printouts between remote server and local print server
> 2. add an additional layer of security around SSH and CUPS on local
> firewall/print server
> 3. add an additional layer of security around SSH, IMAP, and
> non-standard port HTTPS on remote server
> 4. enable access to SMTP on remote server for me which is blocked by
> my local ISP
>
> It sounds like I have 3 choices:
>
> 1. VPN
> 2. SSH tunneling
> 3. Zebedee tunneling
>
> Would all 3 of these choices accomplish all 4 requirements? I would
> think SSH tunneling can't really add an additional layer around SSH.

I'd just like to reiterate that most of those don't need any extra
security. SSH and HTTPS are already secure, and IMAP and SMTP can be
accessed over SSL (like HTTPS). These are all secure enough to be
widely used without extra layers of encryption.

Routing your printing over a tunnel is perfectly valid and, in my
opinion, reason enough to set up OpenVPN and play with it :D

> I'd like to have something I can leave up all the time so the services
> are always protected and I don't have to go through an extra step to
> use email or print from the remote server. Can all 3 of these be left
> up all the time? Is there any reason not to leave this type of
> functionality up all the time?

I can't speak for all of those options, but OpenVPN should be able to
stay up all the time. I currently have an established OpenVPN
connection to my work; it's been up for some five days now. I also
have experience with a Cisco VPN, for which I use vpnc[1]... that
thing goes down all the time.

[1] http://www.unix-ag.uni-kl.de/~massar/vpnc/

> It sounds like VPN would be the most difficult to set up and maintain,
> followed by SSH tunneling, followed by Zebedee tunneling. Maybe I'm
> wrong though. With tunneling, would I need to set up 4 or 5 different
> tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
> using Zebedee)?

You can establish only one tunnel. Think of it this way: creating a
tunnel is analogous to adding a NIC to your system. It will be called
tun0 or tap0 (depending on whether you're tunneling or bridging). Then
your system has an IP on your physical NIC (eth0) and your tun/tap
interface as well. Your machine is now part of two network segments,
the physical one and the virtual one.

You only need one VPN tunnel; configure all your apps to route their
CUPS, IMAP, SMTP, HTTPS and SSH connections through that virtual
network.

> To send me mail, mail servers need to connect to my remote server's
> SMTP right? Would setting up a tunnel or VPN for my SMTP access
> interfere with that?

I would imagine your SMTP port needs to be accessible from the outside
world in order to receive mail... so as long as packets bound for that
machine's IP on port 25 (is it?) will reach the machine, you'll be OK.
Perhaps someone more knowledgeable on mail servers can clarify this.

At any rate, why not just go ahead with OpenVPN, set it up and see how
it works for you? You'll be in a much better position then to
determine whether it's really what you want or need.

Have fun!
Mike
--
gentoo-user@l.g.o mailing list
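As an added illustration of the "one tunnel, route everything through it" setup Mike describes (this is example configuration, not something from either message in the thread), here is a minimal routed-mode OpenVPN server/client pair plus the CUPS settings that push print jobs through the tunnel and stop CUPS from listening on the public interface. The VPN subnet 10.8.0.0/24, the hostname vpn.example.net, the certificate file names and the client-config name "printserver" are all assumed placeholders; the remote server is the OpenVPN server (10.8.0.1) and the local firewall/print server is the OpenVPN client (pinned to 10.8.0.2).

```conf
# ---- /etc/openvpn/server.conf on the remote server (assumed path) ----
port 1194
proto udp
dev tun                          # routed ("tun") mode: a virtual NIC, no bridging
topology subnet                  # one /24, each peer gets a plain address in it
server 10.8.0.0 255.255.255.0    # server itself becomes 10.8.0.1 (assumed subnet)
client-config-dir /etc/openvpn/ccd   # per-client overrides, see below
ca   /etc/openvpn/ca.crt         # certificate material from your own CA (placeholders)
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0   # pre-shared HMAC key: unauthenticated packets are
                                 # dropped before any TLS work, a cheap extra layer
keepalive 10 120                 # ping every 10s, restart after 120s of silence;
                                 # this is what keeps a long-lived tunnel alive
persist-key
persist-tun
user nobody                      # drop privileges after the tunnel is up
group nobody
verb 3

# ---- /etc/openvpn/ccd/printserver on the remote server (assumed path) ----
# file name matches the CN of the client certificate; pins its tunnel address
ifconfig-push 10.8.0.2 255.255.255.0

# ---- /etc/openvpn/client.conf on the local firewall/print server (assumed path) ----
client
dev tun
proto udp
remote vpn.example.net 1194      # placeholder hostname for the remote server
resolv-retry infinite            # keep retrying DNS if the link flaps
nobind
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/printserver.crt
key  /etc/openvpn/printserver.key
tls-auth /etc/openvpn/ta.key 1   # same key, opposite direction from the server
remote-cert-tls server           # refuse to talk to anything but a server certificate
verb 3

# ---- /etc/cups/cupsd.conf on the local print server: listen only inside the tunnel ----
Listen localhost:631
Listen 10.8.0.2:631              # tunnel address; nothing on the public eth0 address
<Location />
  Order allow,deny
  Allow from 127.0.0.1
  Allow from 10.8.0.0/24         # only VPN peers may submit jobs
</Location>

# ---- /etc/cups/client.conf on the remote server: print via the tunnel ----
ServerName 10.8.0.2              # the print server's tunnel address
```

With this in place the print traffic never leaves the tunnel, and the other services follow the same pattern: point the mail client at 10.8.0.1 for IMAP and SMTP submission, and SSH to 10.8.0.1 or 10.8.0.2, so those daemons can be firewalled off the public interface entirely (the inbound port 25 the other mail servers use to deliver to you is the one exception and stays open as before). After starting both sides, `ip addr show tun0` on each host should show the assumed addresses above; if it does not, the ccd file name and the client certificate CN probably disagree.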