On 05/08/13 19:52, dan farmer wrote:
>
> To start with - I really, really appreciate the work that's gone into the
> program. I've released stuff myself, and it's not an easy process,
> especially for something as complex and with so much functionality as
> openvpn. I get that.
>
> But from a user's perspective - anything that can make the horror known as
> openvpn configuration easier would improve openvpn's adoption considerably.
>
> Here's a true tale. I'm writing a little thing to use openvpn. I'd like to
> think I know networks a bit - more on the theory at times than
> implementation, but whatever.
>
> OpenVPN ranks up there with pgp and openssh for the most fucked up and
> mysterious configurations I've ever seen (it is not a coincidence that
> they're all crypto programs, I believe.) It is legendary among non-openvpn
> people to be ridiculously difficult. I'm actually pretty sure that if one is
> an openvpn person who knows you're doing it's not that bad, or even makes
> some internal sense. But I'd wager that high-ninety% of your user base
> doesn't fall into that camp. Well, of your potential user base, that is,
> most don't get that far.
>
> I am not saying this to say "everything is fuxx3d up" or something. I'm
> telling you because it took me a couple of days to get even the most basic
> thing really working on a not-terribly-complex setup. And while I understand
> the conceptual matters of your program, honestly, I fear to set it up, and
> have little faith that even if I get it running it'll do what I want it to.
>
> I'm not even complaining for myself - I'm a big guy, I can take care of
> myself, and take it or leave it - but for others…..

[...snip...]

The documentation to OpenVPN might feel daunting, but it really isn't that bad if you just get started on the easy paths. And if you really want a hand-held guide through setting up OpenVPN ... go grab this book: <http://www.packtpub.com/openvpn-2-cookbook/book>

I'm not aiming this message against you, Dan, so please don't take it as a personal attack of any kind.

The biggest problem, from my experience, isn't that people don't understand the official docs. But they use external sources for setting up OpenVPN, like random blog or forum posts on sites not controlled by the OpenVPN community at all. And really, in 99% of all those posts, they contradict each other or basically recommend completely clueless setups which are just plain wrong. Why? Because these writers often don't understand NETWORKING at all.

First of all, if you want to set up any kind of VPN, you NEED to understand basic networking. If your network experience is based on setting up a home router and you got it working, then you know NOTHING about networking. Go read about how TCP/IP functions and at minimum learn the BASIC ROUTING. Without that, you're going to get lost.

Next, OpenVPN configurations are basically 2 parts. It's the security part, which involves setting up security parameters (ciphers, keys, etc) and which host to connect to. The other part is NETWORK ROUTING. No matter what kind of VPN setup you configure, you must understand routing. Then there are the more advanced parts, such as firewalling, MTU, fragmentation, and similar topics.

Most people I've met on #openvpn, in this mailing list and those times I've looked at our forum, they struggle with the latter. Almost everyone manages to set up and configure OpenVPN server and clients and make them connect without much help at all (when having issues, it's mostly related to PKI setups). They usually show up when their brand new OpenVPN setup doesn't pass traffic through their OpenVPN server or client.

Which really makes me repeat what I've said in the two past paragraphs: To set up VPN you MUST UNDERSTAND BASIC NETWORK ROUTING. You say "bridging"? I'll repeat: NETWORK ROUTING. Really!

And many of those who begin to struggle, seek help in various wikis, blogs and whatever else they find. But the *minority* of these sources explains things correctly. I think I've seen just a handful of those thousands of blogs which really make sense. Unfortunately, I've not indexed the good sources.

At the end, I'll provide a few pointers which hopefully can help people solve their issues.

* Learn about TCP/IP networking, read especially chapter 3.1 in this book: <http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf>. I'll repeat: You MUST know how network traffic travels between hosts and routers.

* Then first configure a very simple OpenVPN setup, based on this HOWTO: <http://openvpn.net/index.php/open-source/documentation/miscellaneous/static-key-mini-howto.html> Go through this one, step by step.

* Use the man page as a companion and read about what each option used above does: <https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage>

* Extend the configuration above with a PKI setup (enhanced security): <http://openvpn.net/index.php/open-source/documentation/howto.html#pki>

* Set up a reasonable routed network configuration with firewalling, based on this one: <https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting>

By going through these steps, I believe most users should be able to set up a working VPN. But it's a lot to learn, if you haven't done this before. There are no shortcuts into setting up a VPN. You simply must learn these basic steps. The cookbook I mentioned in the beginning might make things easier to get started, but you still need to do some learning; at least when things don't work as expected.

--
kind regards,

David Sommerseth