On Tuesday 12 February 2008, Grant wrote:
> > Even if you just want to encrypt some clear-text protocol that
> > doesn't have an encrypted equivalent, a vpn is still overkill. For
> > that you use ssh tunneling (which is essentially the same thing as
> > an encrypted version of a protocol). 'ssh -X' is the classic
> > example of easily tunneling a protocol that doesn't have a native
> > encrypted equivalent.
>
> I see what you're saying. Can tunneling through ssh be made
> automatic so that a cron job initiates a script that opens a tunnel
> between the remote server and local print server and pages are
> printed through the tunnel?

Sure. ssh is just a process after all and in principle encapsulates whatever gets put into it. All you need is a connection that isn't firewalled out and an sshd that is listening to what is coming in. ssh will even port forward for you and can be made to transform any tcp connection to appear to come from whatever port you want.

What you put inside the tunnel is up to you. If the print server won't accept what is coming in, then google will find you any number of apps that will mangle the traffic.

> > Your statement "it seems like running SSH inside a VPN is better
> > for security than running SSH on a non-standard port" is
> > nonsensical. From a security and encryption perspective, ssh and
> > OpenVPN are exactly the same thing - stuff wrapped in an encryption
> > layer provided by ssl, complete with exactly the same key setup
> > should you choose to use that route.
>
> What about having ssh, imap, smtp, cups, and possibly a non-standard
> https port all hidden within a VPN? Should that be considered a
> benefit of running a VPN?

I've filed the original post somewhere else and forgot the scenario :-)

Is this a setup you need to be present often or even all the time? If so, you have 5 protocols in use, and setting up tunnels could become cumbersome. You might consider that it's more effort than it's worth and a VPN that is there and JustWorks(tm) is preferable. I would call that a sensible use of a VPN :-)

I don't think there's a golden rule about when using a VPN is right or wrong. It's more like "do the advantages outweigh the hassle of setting it up and maintaining it?". Sometimes this answer is obvious, sometimes less so. Sometimes it's a judgement call.

Side note: I'm starting to consider that even the most whacky, bizarre and stupid use of OpenVPN is preferable to the heartache and pain involved with trying to get IPSec working as designed....

--
Alan McKinnon
alan dot mckinnon at gmail dot com
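Added example, not part of the original message: one way to script the cron-driven print tunnel discussed above, using an SSH control socket so repeated cron runs do not stack up duplicate tunnels. The gateway account, print server address, ports, socket path and script path are all constructed for illustration, and key-based authentication without a passphrase prompt is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): keep an SSH port forward to a print
# server alive from cron. All hosts, ports and paths below are constructed.
GATEWAY="tunnel@gateway.example.org"  # sshd reachable at the print server's site
PRINT_HOST="192.0.2.10"               # print server as seen from the gateway
PRINT_PORT=631                        # IPP (CUPS)
LOCAL_PORT=6631                       # local tunnel entrance
CTL_SOCK="${HOME}/.ssh/ctl-print-tunnel"  # control socket, kept out of /tmp

# SSH_BIN can be overridden for a dry run; defaults to the real client.
run_ssh() { "${SSH_BIN:-ssh}" "$@"; }

# Succeeds only if a master connection is alive on the control socket.
tunnel_is_up() {
    run_ssh -S "$CTL_SOCK" -O check "$GATEWAY" >/dev/null 2>&1
}

# -f -N: background, no remote command. BatchMode: never prompt (cron has no
# tty), so key-based auth is required. ExitOnForwardFailure: fail loudly if
# the local port is taken. The listener binds to loopback only.
open_tunnel() {
    run_ssh -f -N -M -S "$CTL_SOCK" \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -L "127.0.0.1:${LOCAL_PORT}:${PRINT_HOST}:${PRINT_PORT}" \
        "$GATEWAY"
}

# Idempotent: safe to call every few minutes from cron.
ensure_tunnel() {
    tunnel_is_up || open_tunnel
}

close_tunnel() {
    run_ssh -S "$CTL_SOCK" -O exit "$GATEWAY"
}

# Example crontab entry (script path is hypothetical):
#   */5 * * * * /usr/local/bin/print-tunnel.sh up
case "${1:-}" in
    up)   ensure_tunnel ;;
    down) close_tunnel ;;
esac
```

On the gateway side, the key used by this job can be confined to this single forward with the authorized_keys option permitopen="192.0.2.10:631", so a stolen cron key cannot be used to reach other hosts.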

