[lug] General VPN comparison

Kevin Fenzi kevin at scrye.com
Mon Feb 14 21:47:02 MST 2005



>>>>> "David" == David Anselmi <anselmi at anselmi.us> writes:

David> Daniel Webb wrote:
>> What is the best VPN for general use?  OpenVPN was mentioned in the
>> reverse tunnel thread, is it the best (free/open source) thing out
>> there for Linux?  Is it stable?  Are businesses using it for
>> mission-critical networks?

I'm a big fan of openvpn. In my experience it's quite stable and
businesses are using it for mission-critical networks.

David> Business and mission critical type stuff is IPSec/L2TP in my
David> experience. That's what Cisco uses, and MS.  I've had trouble
David> getting started with it on Debian but I've heard of people
David> using it successfully in heterogeneous environments.

IPsec is a pain to set up. It has some nasty limitations.
It's very, very hard to get set up right, on Linux at least.

David> Eventually it will be easier to get set up. I'm also not sure
David> lately what the merits of OpenSWAN, FreeSWAN, KAME, isakmpd,
David> et al. are.

I kept hoping it would get easier to set up, but it never has.
The protocol itself is just a giant mess, making it hard to set up no
matter what. It didn't help that the *SWAN folks picked their own
weird terminology for the config (right and left), and did things like
enable PFS by default, which makes it not talk to almost any other
implementation.

David> I've used OpenVPN as it was what was easy enough for me to do
David> (for both Windows and Linux clients), but I didn't like it.
David> There was a silly limitation on what netmasks/IPs you could use
David> that bit me, and it needed a different port for each user that

Odd. I know of no limitations on IPs you can use. You can't use the
same IP as your other interfaces, but that's not surprising.

David> was going to connect (and the list of users was determined in
David> advance).  They may have improved those areas significantly
David> though.

Yeah, the 2.0 version allows you to have a single server on one port
that can handle an arbitrary number of clients connecting to the same
port/server. 

In addition, openvpn can:

- use UDP or TCP, on any port you like.
- use static keys or SSL certificates to authenticate clients.
- function using routing, or as a bridge.
- let the central server-mode instance 'push' config to the clients.
- install on any Linux/Windows/OS X box without kernel mods.
- allow traffic between clients, or not.
- set up all traffic to use the VPN.
- reconnect after a specified amount of downtime.
- use LZO compression to adaptively compress the data stream.

David> SSH/PPP work for many, though I don't think you can do that on
David> Windows. PPTP can mean compiling your own patched stuff, which
David> can be hard. But since it's obsolete in Win, why bother?

The CIPE author had a page about problems with ppp over ssh: 
http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

PPTP is woefully insecure. 

CIPE is also not very secure. 

Just my 2 cents. ;)

kevin
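The feature list in the message above (one server on one port for many clients, UDP, certificate authentication, routed mode, pushed config, client-to-client traffic, all-traffic redirection, reconnect after downtime, LZO), shown as an added example OpenVPN 2.x server and client configuration. This is not from the post or from the OpenVPN project's own sample files; the hostname vpn.example.com, the 10.8.0.0/24 tunnel pool, the 192.168.1.0/24 office LAN, and all file paths are assumptions.

```conf
# --- server.conf (added example; names, paths and addresses are assumed) ---

# any port works; 1194 is the IANA-registered OpenVPN default.
port 1194
# UDP is the sane default; "proto tcp" is for firewalls that only pass TCP.
proto udp
# routed mode. For a bridge use "dev tap" plus "server-bridge ..." instead.
dev tun

# certificate authentication: CA, the server's cert/key, DH parameters.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# extra HMAC on every control-channel packet: packets without a valid HMAC
# are dropped before any TLS handshake work is done. ta.key is generated with
# "openvpn --genkey --secret ta.key" and copied to every client.
tls-auth /etc/openvpn/ta.key 0

# one instance handles an arbitrary number of clients, handing each one an
# address from this pool (addresses are remembered across restarts).
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# config pushed to clients when they connect
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
# send all of the client's traffic through the tunnel (omit for split tunnel)
push "redirect-gateway def1"

# allow clients to talk to each other; leave this out to forbid it
client-to-client

# ping every 10 s; after 120 s of silence restart the tunnel (reconnect)
keepalive 10 120

# adaptive LZO compression of the data stream (see caveat below)
comp-lzo

# drop privileges once the tunnel is up; persist so restarts work unprivileged
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

# --- client.conf (matching client) ---
client
dev tun
proto udp
remote vpn.example.com 1194
# keep retrying name resolution and the connection indefinitely after downtime
resolv-retry infinite
nobind
ca   ca.crt
cert client1.crt
key  client1.key
# second parameter is the key direction: server uses 0, clients use 1
tls-auth ta.key 1
# refuse a peer presenting a client certificate as the server
# (2.1 and later; OpenVPN 2.0 spelled this "ns-cert-type server")
remote-cert-tls server
comp-lzo
persist-key
persist-tun
verb 3
```

Two practitioner caveats on this example. First, compression of data that is then encrypted is a side channel (the 2018 VORACLE attack exploited exactly OpenVPN's comp-lzo), and OpenVPN has since deprecated comp-lzo; on a current deployment leave compression off. Second, "redirect-gateway def1" works by adding two /1 routes rather than replacing the default route, so the client's original default route survives and is used for the VPN server itself; if the tunnel drops, traffic falls back to the unencrypted path unless the client enforces a kill switch separately.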