> > > Even if you just want to encrypt some clear-text protocol that
> > > doesn't have an encrypted equivalent, a vpn is still overkill. For
> > > that you use ssh tunneling (which is essentially the same thing as
> > > an encrypted version of a protocol). 'ssh -X' is the classic
> > > example of easily tunneling a protocol that doesn't have a native
> > > encrypted equivalent.
> >
> > I see what you're saying.  Can tunneling through ssh be made
> > automatic so that a cron job initiates a script that opens a tunnel
> > between the remote server and local print server and pages are
> > printed through the tunnel?
>
> Sure. ssh is just a process after all and in principle encapsulates
> whatever gets put into it. All you need is a connection that isn't
> firewalled out and an sshd that is listening to what is coming in.
>
> ssh will even port forward for you and can be made to transform any tcp
> connection to appear to come from whatever port you want. What you put
> inside the tunnel is up to you. If the print server won't accept what
> is coming in, then google will find you any number of apps that will
> mangle the traffic.
>
> > > Your statement "it seems like running SSH inside a VPN is better
> > > for security than running SSH on a non-standard port" is
> > > nonsensical. From a security and encryption perspective, ssh and
> > > OpenVPN are exactly the same thing - stuff wrapped in an encryption
> > > layer provided by ssl, complete with exactly the same key setup
> > > should you choose to use that route.
> >
> > What about having ssh, imap, smtp, cups, and possibly a non-standard
> > https port all hidden within a VPN?  Should that be considered a
> > benefit of running a VPN?
>
> I've filed the original post somewhere else and forgot the scenario :-)
> Is this a setup you need to be present often or even all the time? If
> so, you have 5 protocols in use, and setting up tunnels could become
> cumbersome. You might consider that it's more effort than it's worth
> and a VPN that is there and JustWorks(tm) is preferable. I would call
> that a sensible use of a VPN :-)
>
> I don't think there's a golden rule about when using a VPN is right or
> wrong. It's more like "do the advantages outweigh the hassle of setting
> it up and maintaining it?". Sometimes this answer is obvious, sometimes
> less so. Sometimes it's a judgement call.

Thanks a lot for everyone's help.  Here is a more to-the-point list of
what I'd like to accomplish:

1. encrypt CUPS printouts between remote server and local print server
2. add an additional layer of security around SSH and CUPS on local
firewall/print server
3. add an additional layer of security around SSH, IMAP, and
non-standard port HTTPS on remote server
4. enable access to SMTP on remote server for me which is blocked by
my local ISP

It sounds like I have 3 choices:

1. VPN
2. SSH tunneling
3. Zebedee tunneling

Would all 3 of these choices accomplish all 4 requirements?  I would
think SSH tunneling can't really add an additional layer around SSH.

I'd like to have something I can leave up all the time so the services
are always protected and I don't have to go through an extra step to
use email or print from the remote server.  Can all 3 of these be left
up all the time?  Is there any reason not to leave this type of
functionality up all the time?

It sounds like VPN would be the most difficult to set up and maintain,
followed by SSH tunneling, followed by Zebedee tunneling.  Maybe I'm
wrong though.  With tunneling, would I need to set up 4 or 5 different
tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
using Zebedee)?

To send me mail, mail servers need to connect to my remote server's
SMTP right?  Would setting up a tunnel or VPN for my SMTP access
interfere with that?

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list

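As an added example (not part of the original post or any of the quoted replies), here is what the "SSH tunneling" option from Grant's list looks like as a single persistent ssh session, written as a POSIX shell script. The hostname, login, print server address and the 8443 HTTPS port are assumptions; nothing in the thread names them.

```shell
#!/bin/sh
# Added example, not code from the original thread: one persistent ssh session
# carrying all of Grant's services, so the tunnel can stay up all the time.
#
# Direction matters. IMAP, SMTP and the non-standard HTTPS port live on the
# remote server and are used from the local box, so they are -L (local)
# forwards: a listener on the local loopback is carried to the remote side.
# CUPS runs on the LOCAL print server and the REMOTE server has to print to
# it, so that one is a -R (remote) forward: the remote server prints to its
# own 127.0.0.1:631 and ssh delivers that to the local print server.
#
# Assumptions (none of these appear in the original post): the hostname, the
# login, 8443 as the non-standard HTTPS port, and the print server's address.
REMOTE_HOST="${REMOTE_HOST:-remote.example.org}"       # assumed
REMOTE_USER="${REMOTE_USER:-grant}"                    # assumed
LOCAL_PRINT_SERVER="${LOCAL_PRINT_SERVER:-127.0.0.1}"  # assumed: cupsd on this box
REMOTE_HTTPS_PORT="${REMOTE_HTTPS_PORT:-8443}"         # assumed

# One ssh argument per line. -N: no remote command, forwards only.
# ExitOnForwardFailure: if any listener cannot be bound, ssh exits instead of
# silently running with a missing tunnel, so the restart loop below notices.
# ServerAlive*: detect a dead connection within ~90 s and exit, again so the
# loop reconnects rather than leaving a hung session behind.
# Local listeners are bound to 127.0.0.1 so other LAN hosts cannot ride the tunnel.
tunnel_args() {
    printf '%s\n' \
        -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -L "127.0.0.1:1143:127.0.0.1:143" \
        -L "127.0.0.1:1025:127.0.0.1:25" \
        -L "127.0.0.1:${REMOTE_HTTPS_PORT}:127.0.0.1:${REMOTE_HTTPS_PORT}" \
        -R "127.0.0.1:631:${LOCAL_PRINT_SERVER}:631"
}

# Number of port forwards in the session (3 local + 1 remote).
forward_count() {
    tunnel_args | grep -c -e '^-L$' -e '^-R$'
}

# Reconnect loop for cron (@reboot) or a supervisor. Needs a key the client
# can use non-interactively (ssh-agent or a key without a passphrase).
start_tunnel() {
    while :; do
        # Word-splitting the output is intended: no argument contains spaces.
        # shellcheck disable=SC2046
        "${SSH:-ssh}" $(tunnel_args) "${REMOTE_USER}@${REMOTE_HOST}"
        sleep 10
    done
}

case "${1:-}" in
    start) start_tunnel ;;
esac
```

Run it as `sh tunnel.sh start` from an `@reboot` cron entry or a supervisor; the loop reconnects after a network drop. The local mail client then talks to localhost:1143 (IMAP) and localhost:1025 (SMTP), and the remote machine's CUPS client is pointed at localhost:631. On the question of inbound mail: a local forward only creates a listener on the client machine, so the remote server's port 25 stays reachable by other mail servers exactly as before. The one thing that will bite is the -R forward: if something on the remote server already listens on 631, the bind fails and, because of ExitOnForwardFailure, ssh exits rather than running half a tunnel; pick another remote port and point the remote CUPS client at it.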