Re: [gentoo-user] OpenVPN setup

2008-02-18 Thread Mick
On Sunday 17 February 2008, Grant wrote:

> > What wasn't mentioned is that SSL covers transport encryption, not
> > necessarily application security.  What that means is if you open IMAP,
> > SMTP, CUPS, and SSH daemons over the internet then you also need to keep
> > (better) track of security vulnerabilities found in those applications,
> > and fix them as needed.  SSL alone won't help you there.  Whereas if
> > you're only running, say OpenVPN over the Internet then that's the only
> > application you gotta look out for.
> >
> > Also, doing things such as running IMAP over SSL using accounts with
> > weak passwords doesn't gain you much either.
>
> Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
> generally enough as far as tracking security vulnerabilities?

It will sure help.  So will strong passwords, denyhosts, or fail2ban and 
equivalents, a well configured IDS, etc. and close monitoring of the log 
files.  Let's be honest, a machine that runs services has the potential to 
get cracked one way or another.  A well configured machine has a 
disproportionately smaller probability of getting cracked than your average 
WinXP IT-illiterate user around the world.  So, it's really a matter of how 
paranoid you would like to get about it.
-- 
Regards,
Mick




Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Grant
> > Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
> > generally enough as far as tracking security vulnerabilities?
> >
> > - Grant
>
> That's not really for me to say.  But I can tell you that although the
> Gentoo developers take matters of security seriously, there is no
> full-time security tracker.  Sometimes things don't get patched in
> portage until someone (else) creates a bug report.  And even if that
> were not the case, there are 0-day exploits that have yet to be patched.
>
> So it really depends on how informed/paranoid you are about what you
> have accepting requests from the Internet.

While we're on the subject, what is the best way to stay on top of
security vulnerabilities for a group of services?  Should I be
subscribed to their announcement mailing lists and make sure I'm
notified of new mail?

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Grant
> > Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
> > generally enough as far as tracking security vulnerabilities?
> >
> > - Grant
>
> That's not really for me to say.  But I can tell you that although the
> Gentoo developers take matters of security seriously, there is no
> full-time security tracker.  Sometimes things don't get patched in
> portage until someone (else) creates a bug report.  And even if that
> were not the case, there are 0-day exploits that have yet to be patched.
>
> So it really depends on how informed/paranoid you are about what you
> have accepting requests from the Internet.

What do you think guys?  Simplicity or security?

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Albert Hopkins

On Sun, 2008-02-17 at 12:03 -0800, Grant wrote:
> Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
> generally enough as far as tracking security vulnerabilities?
> 
> - Grant

That's not really for me to say.  But I can tell you that although the
Gentoo developers take matters of security seriously, there is no
full-time security tracker.  Sometimes things don't get patched in
portage until someone (else) creates a bug report.  And even if that
were not the case, there are 0-day exploits that have yet to be patched.

So it really depends on how informed/paranoid you are about what you
have accepting requests from the Internet.

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Grant
> > > I'd just like to reiterate that most of those don't need any extra
> > > security. SSH and HTTPS are already secure, and IMAP and SMTP can be
> > > accessed over SSL (like HTTPS). These are all secure enough to be
> > > widely used without extra layers of encryption.
> >
> > I'm surprised, but glad to hear this.  I was under the impression that
> > opening services like SSH and CUPS to the internet was a bad idea.  I
> > guess they're secure enough.  That removes #2 and #3 from my 4-part
> > list above.
> >
> > If I can print with CUPS via SSL and submit SMTP mail via alternate
> > port 587, I won't need a VPN or tunnel.
> >
> > Thanks a lot for everyone's help.  I'm going to start a new thread for
> > those topics.
>
> What wasn't mentioned is that SSL covers transport encryption, not
> necessarily application security.  What that means is if you open IMAP,
> SMTP, CUPS, and SSH daemons over the internet then you also need to keep
> (better) track of security vulnerabilities found in those applications,
> and fix them as needed.  SSL alone won't help you there.  Whereas if
> you're only running, say OpenVPN over the Internet then that's the only
> application you gotta look out for.
>
> Also, doing things such as running IMAP over SSL using accounts with
> weak passwords doesn't gain you much either.

Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
generally enough as far as tracking security vulnerabilities?

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Albert Hopkins

On Sun, 2008-02-17 at 07:12 -0800, Grant wrote:
> > I'd just like to reiterate that most of those don't need any extra
> > security. SSH and HTTPS are already secure, and IMAP and SMTP can be
> > accessed over SSL (like HTTPS). These are all secure enough to be
> > widely used without extra layers of encryption.
> 
> I'm surprised, but glad to hear this.  I was under the impression that
> opening services like SSH and CUPS to the internet was a bad idea.  I
> guess they're secure enough.  That removes #2 and #3 from my 4-part
> list above.
> 
> If I can print with CUPS via SSL and submit SMTP mail via alternate
> port 587, I won't need a VPN or tunnel.
> 
> Thanks a lot for everyone's help.  I'm going to start a new thread for
> those topics.

What wasn't mentioned is that SSL covers transport encryption, not
necessarily application security.  What that means is if you open IMAP,
SMTP, CUPS, and SSH daemons over the internet then you also need to keep
(better) track of security vulnerabilities found in those applications,
and fix them as needed.  SSL alone won't help you there.  Whereas if
you're only running, say OpenVPN over the Internet then that's the only
application you gotta look out for.

Also, doing things such as running IMAP over SSL using accounts with
weak passwords doesn't gain you much either.

Just my 2 cents.

-a

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Grant
> >  Thanks a lot for everyone's help.  Here is a more to-the-point list of
> >  what I'd like to accomplish:
> >
> >  1. encrypt CUPS printouts between remote server and local print server
> >  2. add an additional layer of security around SSH and CUPS on local
> >  firewall/print server
> >  3. add an additional layer of security around SSH, IMAP, and
> >  non-standard port HTTPS on remote server
> >  4. enable access to SMTP on remote server for me which is blocked by
> >  my local ISP
> >
> >  It sounds like I have 3 choices:
> >
> >  1. VPN
> >  2. SSH tunneling
> >  3. Zebedee tunneling
> >
> >  Would all 3 of these choices accomplish all 4 requirements?  I would
> >  think SSH tunneling can't really add an additional layer around SSH.
>
> I'd just like to reiterate that most of those don't need any extra
> security. SSH and HTTPS are already secure, and IMAP and SMTP can be
> accessed over SSL (like HTTPS). These are all secure enough to be
> widely used without extra layers of encryption.

I'm surprised, but glad to hear this.  I was under the impression that
opening services like SSH and CUPS to the internet was a bad idea.  I
guess they're secure enough.  That removes #2 and #3 from my 4-part
list above.

If I can print with CUPS via SSL and submit SMTP mail via alternate
port 587, I won't need a VPN or tunnel.

Thanks a lot for everyone's help.  I'm going to start a new thread for
those topics.

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-14 Thread Dan Farrell
On Wed, 13 Feb 2008 08:19:48 -0800
Grant <[EMAIL PROTECTED]> wrote:

> > > > Even if you just want to encrypt some clear-text protocol that
> > > > doesn't have an encrypted equivalent, a vpn is still overkill.
> > > > For that you use ssh tunneling (which is essentially the same
> > > > thing as an encrypted version of a protocol). 'ssh -X' is the
> > > > classic example of easily tunneling a protocol that doesn't
> > > > have a native encrypted equivalent.
> > >
> > > I see what you're saying.  Can tunneling through ssh be made
> > > automatic so that a cron job initiates a script that opens a
> > > tunnel between the remote server and local print server and pages
> > > are printed through the tunnel?
> >
> > Sure. ssh is just a process after all and in principle encapsulates
> > whatever gets put into it. All you need is a connection that isn't
> > firewalled out and an sshd that is listening to what is coming in.
> >
> > ssh will even port forward for you and can be made to transform any
> > tcp connection to appear to come from whatever port you want. What
> > you put inside the tunnel is up to you. If the print server won't
> > accept what is coming in, then google will find you any number of
> > apps that will mangle the traffic.
> >
> > > > Your statement "it seems like running SSH inside a VPN is better
> > > > for security than running SSH on a non-standard port" is
> > > > non-sensical. From a security and encryption perspective, ssh
> > > > and OpenVPN are exactly the same thing - stuff wrapped in an
> > > > encryption layer provided by ssl, complete with exactly the
> > > > same key setup should you choose to use that route.
> > >
> > > What about having ssh, imap, smtp, cups, and possibly a
> > > non-standard https port all hidden within a VPN?  Should that be
> > > considered a benefit of running a VPN?
> >
> > I've filed the original post somewhere else and forgot the
> > scenario :-) Is this a setup you need to be present often or even
> > all the time? If so, you have 5 protocols in use, and setting up
> > tunnels could become cumbersome. You might consider that it's more
> > effort than it's worth and a VPN that is there and JustWorks(tm) is
> > preferable. I would call that a sensible use of a VPN :-)
> >
> > I don't think there's a golden rule about when using a VPN is right
> > or wrong. It's more like "do the advantages outweigh the hassle of
> > setting it up and maintaining it?". Sometimes this answer is
> > obvious, sometimes less so. Sometimes it's a judgement call.
> 
> Thanks a lot for everyone's help.  Here is a more to-the-point list of
> what I'd like to accomplish:
> 
> 1. encrypt CUPS printouts between remote server and local print server
> 2. add an additional layer of security around SSH and CUPS on local
> firewall/print server
> 3. add an additional layer of security around SSH, IMAP, and
> non-standard port HTTPS on remote server
> 4. enable access to SMTP on remote server for me which is blocked by
> my local ISP
> 
> It sounds like I have 3 choices:
> 
> 1. VPN
> 2. SSH tunneling
> 3. Zebedee tunneling
> 
> Would all 3 of these choices accomplish all 4 requirements?  I would
> think SSH tunneling can't really add an additional layer around SSH.

Encrypted packets, encrypted?  Why not?  

> I'd like to have something I can leave up all the time so the services
> are always protected and I don't have to go through an extra step to
> use email or print from the remote server.  Can all 3 of these be left
> up all the time?  Is there any reason not to leave this type of
> functionality up all the time?

I don't use tunnels, but leave VPN up all the time. 

> It sounds like VPN would be the most difficult to set up and maintain,
> followed by SSH tunneling, followed by Zebedee tunneling.  Maybe I'm
> wrong though.  With tunneling, would I need to set up 4 or 5 different
> tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
> using Zebedee)?

Tunnels aren't configured, but would probably have to be created
at boot.  VPN is, I suppose, not super easy to configure.  I will send
you my config files though if you want.  

> To send me mail, mail servers need to connect to my remote server's
> SMTP right?  Would setting up a tunnel or VPN for my SMTP access
> interfere with that?

Not if you tunnel through to the right ports - or in the case of a VPN,
no.  

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-13 Thread W.Kenworthy

On Wed, 2008-02-13 at 08:19 -0800, Grant wrote:

> 
> Thanks a lot for everyone's help.  Here is a more to-the-point list of
> what I'd like to accomplish:
> 
> 1. encrypt CUPS printouts between remote server and local print server
> 2. add an additional layer of security around SSH and CUPS on local
> firewall/print server
> 3. add an additional layer of security around SSH, IMAP, and
> non-standard port HTTPS on remote server
> 4. enable access to SMTP on remote server for me which is blocked by
> my local ISP
> 
> It sounds like I have 3 choices:
> 
> 1. VPN
> 2. SSH tunneling
> 3. Zebedee tunneling
> 

Simplify - send CUPS and SMTP (send only) via zebedee.

SSH and HTTPS are already highly regarded as "safe".  Convert your email
reading to the secure imaps.  Experience over the years has me
sitting on the side of using as few layers as possible - anything you
add is going to increase complexity (management time) and reduce
reliability.

I do run openvpn and zebedee (in the past) using iptables to restrict
access, and the services themselves are killed/restarted at appropriate
times via cron to minimise exposure.  Zebedee handles it very well
(except when in server mode on a doze box!!) - openvpn can be a bit ..
ah ... fussy ... I find it will sometimes get in a loop of out of sync
connection attempts requiring manually logging into both ends to fix,
and complex routing is always fun.  It is more designed to be always up
and available rather than on/off.  Zebedee however can handle most
scenarios quite well, including a server behind a firewall where it can
"call out" to the client.

BillK

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-13 Thread Mike Mazur
Hi Grant,

On Thu, Feb 14, 2008 at 1:19 AM, Grant <[EMAIL PROTECTED]> wrote:
>  Thanks a lot for everyone's help.  Here is a more to-the-point list of
>  what I'd like to accomplish:
>
>  1. encrypt CUPS printouts between remote server and local print server
>  2. add an additional layer of security around SSH and CUPS on local
>  firewall/print server
>  3. add an additional layer of security around SSH, IMAP, and
>  non-standard port HTTPS on remote server
>  4. enable access to SMTP on remote server for me which is blocked by
>  my local ISP
>
>  It sounds like I have 3 choices:
>
>  1. VPN
>  2. SSH tunneling
>  3. Zebedee tunneling
>
>  Would all 3 of these choices accomplish all 4 requirements?  I would
>  think SSH tunneling can't really add an additional layer around SSH.

I'd just like to reiterate that most of those don't need any extra
security. SSH and HTTPS are already secure, and IMAP and SMTP can be
accessed over SSL (like HTTPS). These are all secure enough to be
widely used without extra layers of encryption.

Routing your printing over a tunnel is perfectly valid and, in my
opinion, reason enough to set up OpenVPN and play with it :D

>  I'd like to have something I can leave up all the time so the services
>  are always protected and I don't have to go through an extra step to
>  use email or print from the remote server.  Can all 3 of these be left
>  up all the time?  Is there any reason not to leave this type of
>  functionality up all the time?

I can't speak for all of those options, but OpenVPN should be able to
stay up all the time. I currently have an established OpenVPN
connection to my work, it's been up for some five days now. I also
have experience with a Cisco VPN, for which I use vpnc[1]... that
thing goes down all the time.

[1] http://www.unix-ag.uni-kl.de/~massar/vpnc/

>  It sounds like VPN would be the most difficult to set up and maintain,
>  followed by SSH tunneling, followed by Zebedee tunneling.  Maybe I'm
>  wrong though.  With tunneling, would I need to set up 4 or 5 different
>  tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
>  using Zebedee)?

You can establish only one tunnel. Think of it this way, creating a
tunnel is analogous to adding a NIC to your system. It will be called
tun0 or tap0 (depending on whether you're tunneling or bridging). Then
your system has an IP on your physical NIC (eth0) and your tun/tap
interface as well. Your machine is now part of two network segments,
the physical one and the virtual one.

You only need one VPN tunnel; configure all your apps to route their
CUPS, IMAP, SMTP, HTTPS and SSH connections through that virtual
network.

>  To send me mail, mail servers need to connect to my remote server's
>  SMTP right?  Would setting up a tunnel or VPN for my SMTP access
>  interfere with that?

I would imagine your SMTP port needs to be accessible from the outside
world in order to receive mail... so as long as packets bound for that
machine's IP on port 25 (is it?) will reach the machine, you'll be OK.
Perhaps someone more knowledgeable on mail servers can clarify this.

At any rate, why not just go ahead with OpenVPN, set it up and see how
it works for you? You'll be in a much better position then to
determine whether it's really what you want or need.

Have fun!
Mike
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-13 Thread Grant
> > > Even if you just want to encrypt some clear-text protocol that
> > > doesn't have an encrypted equivalent, a vpn is still overkill. For
> > > that you use ssh tunneling (which is essentially the same thing as
> > > an encrypted version of a protocol). 'ssh -X' is the classic
> > > example of easily tunneling a protocol that doesn't have a native
> > > encrypted equivalent.
> >
> > I see what you're saying.  Can tunneling through ssh be made
> > automatic so that a cron job initiates a script that opens a tunnel
> > between the remote server and local print server and pages are
> > printed through the tunnel?
>
> Sure. ssh is just a process after all and in principle encapsulates
> whatever gets put into it. All you need is a connection that isn't
> firewalled out and an sshd that is listening to what is coming in.
>
> ssh will even port forward for you and can be made to transform any tcp
> connection to appear to come from whatever port you want. What you put
> inside the tunnel is up to you. If the print server won't accept what
> is coming in, then google will find you any number of apps that will
> mangle the traffic.
>
> > > Your statement "it seems like running SSH inside a VPN is better
> > > for security than running SSH on a non-standard port" is
> > > non-sensical. From a security and encryption perspective, ssh and
> > > OpenVPN are exactly the same thing - stuff wrapped in an encryption
> > > layer provided by ssl, complete with exactly the same key setup
> > > should you choose to use that route.
> >
> > What about having ssh, imap, smtp, cups, and possibly a non-standard
> > https port all hidden within a VPN?  Should that be considered a
> > benefit of running a VPN?
>
> I've filed the original post somewhere else and forgot the scenario :-)
> Is this a setup you need to be present often or even all the time? If
> so, you have 5 protocols in use, and setting up tunnels could become
> cumbersome. You might consider that it's more effort than it's worth
> and a VPN that is there and JustWorks(tm) is preferable. I would call
> that a sensible use of a VPN :-)
>
> I don't think there's a golden rule about when using a VPN is right or
> wrong. It's more like "do the advantages outweigh the hassle of setting
> it up and maintaining it?". Sometimes this answer is obvious, sometimes
> less so. Sometimes it's a judgement call.

Thanks a lot for everyone's help.  Here is a more to-the-point list of
what I'd like to accomplish:

1. encrypt CUPS printouts between remote server and local print server
2. add an additional layer of security around SSH and CUPS on local
firewall/print server
3. add an additional layer of security around SSH, IMAP, and
non-standard port HTTPS on remote server
4. enable access to SMTP on remote server for me which is blocked by
my local ISP

It sounds like I have 3 choices:

1. VPN
2. SSH tunneling
3. Zebedee tunneling

Would all 3 of these choices accomplish all 4 requirements?  I would
think SSH tunneling can't really add an additional layer around SSH.

I'd like to have something I can leave up all the time so the services
are always protected and I don't have to go through an extra step to
use email or print from the remote server.  Can all 3 of these be left
up all the time?  Is there any reason not to leave this type of
functionality up all the time?

It sounds like VPN would be the most difficult to set up and maintain,
followed by SSH tunneling, followed by Zebedee tunneling.  Maybe I'm
wrong though.  With tunneling, would I need to set up 4 or 5 different
tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
using Zebedee)?

To send me mail, mail servers need to connect to my remote server's
SMTP right?  Would setting up a tunnel or VPN for my SMTP access
interfere with that?

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Eric Martin

Grant wrote:

> > > I'm hoping to use the vpn in three ways:
> > >
> > > 1. imap and smtp between my laptop and the mail server
> > > 2. ssh from my laptop to the remote server
> > > 3. cups printing from the remote server to the print server
> >
> > I don't think you need a VPN to SSH from your laptop to the remote
> > server -- SSH is already encrypted.
>
> For sure, but it seems like running SSH inside a VPN is better for
> security than running SSH on a non-standard port or even port
> knocking.  If I need to set up a VPN for printing, shouldn't I use it
> for other stuff too?  Maybe not, I have yet to actually use a VPN so
> please correct me if I'm wrong.

SSH + Public/Private Keys.  I don't accept passwords on my box, you need 
to have a correct account name and a private key for that machine to 
even think about talking to you.  The only authentication method is 
PubKeyAuth; everything else is NO.

> > If your laptop is always behind your local firewall, then it should be
> > sufficient to have an OpenVPN tunnel established between your local
> > firewall/print server and your remote server. This should allow you to
> > print.
> >
> > Configuring the routes on your laptop to go through your local
> > firewall and VPN to the remote server should allow you to grab your
> > mail.
> >
> > If you move around with your laptop then you'll need to establish the
> > VPN tunnel to your remote server anytime you need to grab your mail
> > from anywhere else but home (behind your local firewall).
>
> Ah, tunnels, OK.  I need to think in terms of tunnels.  I'll
> definitely be moving around and won't be behind my local firewall too
> much of the time.  Can I set up the openvpn server on my remote system
> and keep a tunnel open between it and the firewall/print server for
> printing, and also initiate a tunnel between the laptop and the remote
> system whenever I need to mail or SSH?  Does that sound like a good
> plan?
>
> - Grant

The other thing you can do is run ssh and use tunneling to run printing 
over.  Granted it's kind of a pita for more stuff, but it's a poor man's 
vpn.  (and what I use to view my webservers at home)


Eric
--
gentoo-user@lists.gentoo.org mailing list
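The "PubKeyAuth only, everything else is NO" policy Eric describes is easy to get wrong because sshd applies its defaults for any keyword that is commented out. The check below is an added example (not from this thread or from OpenSSH); it reads a flat sshd_config the way sshd does (first occurrence wins, keywords are case-insensitive) and reports which settings still allow a non-key login. The two sample configs are constructed; Match blocks are assumed absent.

```shell
#!/bin/sh
# Added example, not from the thread: does an sshd_config really allow
# public-key logins only?  sshd takes the FIRST occurrence of a keyword
# (case-insensitive, '#' starts a comment) and uses its built-in default
# when the keyword is missing.  Assumption: a flat global config, no
# Match blocks.

# sshd_effective CONFIG_TEXT KEYWORD DEFAULT -> prints the effective value
sshd_effective() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk -v k="$2" -v d="$3" '
            tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
            END { if (!found) print d }'
}

# keys_only CONFIG_TEXT -> exit 0 if only public-key logins are possible;
# otherwise print each weak setting and exit 1.  The defaults passed in
# are those of a stock OpenSSH sshd: passwords, challenge-response and
# root login are all on unless switched off explicitly.
keys_only() {
    cfg=$1
    bad=0
    [ "$(sshd_effective "$cfg" PubkeyAuthentication yes)" = yes ] ||
        { echo 'PubkeyAuthentication is off'; bad=1; }
    [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = no ] ||
        { echo 'PasswordAuthentication still allowed'; bad=1; }
    [ "$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)" = no ] ||
        { echo 'ChallengeResponseAuthentication still allowed (keyboard-interactive passwords)'; bad=1; }
    [ "$(sshd_effective "$cfg" PermitRootLogin yes)" != yes ] ||
        { echo 'PermitRootLogin lets root in with any method'; bad=1; }
    return $bad
}

# Constructed sample configs.  The first looks hardened at a glance but
# the only restrictive line is commented out, so the defaults apply.
WEAK_SSHD_CONFIG='
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
'

HARDENED_SSHD_CONFIG='
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
'

# Usage: sshd-keys-only.sh check /etc/ssh/sshd_config
if [ "${1:-}" = check ] && [ -r "${2:-}" ]; then
    keys_only "$(cat "$2")" && echo "$2: public keys only"
fi
```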



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread William Kenworthy

On Tue, 2008-02-12 at 19:30 +0200, Alan McKinnon wrote:
> On Tuesday 12 February 2008, Etaoin Shrdlu wrote:
> > On Tuesday 12 February 2008, Alan McKinnon wrote:
> > > Your statement "it seems like running SSH inside a VPN is better
> > > for security than running SSH on a non-standard port" is
> > > non-sensical. From a security and encryption perspective, ssh and
> > > OpenVPN are exactly the same thing - stuff wrapped in an encryption
> > > layer provided by ssl, complete with exactly the same key setup
> > > should you choose to use that route.
> >
> > Perhaps confusingly, ssh itself can be used to create openVPN-like
> > VPNs (actually, much simpler), using the -w option and a couple of
> > tun (or tap) interfaces on the connected computers.
> 
> hehehe, I'd forgotten about that one for a bit :-)
> 
> I just thought of a nice way to describe the difference (seeing as 
> technically they are essentially equivalent):
> 
> Use SSH if you need a quick ad-hoc connection or something temporary.
> Use OpenVPN if you need something more permanent that is always present 
> and just works.
> 
> -- 
> Alan McKinnon
> alan dot mckinnon at gmail dot com
> 

Another alternative not mentioned so far - zebedee.  It's a port-based
tunnel - that is, instead of creating a new network with all its fuss and
bother, just create a local port (may be on another local machine) that
"surfaces" on a distant machine/network.  I used it for many years for
email and protecting telnet servers before openvpn came of age and my
needs expanded.  Recommended.  Again, ssh can do this as well, but
zebedee is a lot more flexible/convenient.  Create tunnels for ports 25,
143 and 631 and you have email and cups.  e.g., I map port 2225 to port
25 and set my local mail client to send email to localhost:2225 and it
magically connects to my mail server at home.

It can also be done at a user level - you don't need admin privileges, so
if you have user-level access to a machine you can run a tunnel on it,
unlike openvpn.  It is also cross-platform, which is nice :)

From the mailing list, it seems there are quite a few enterprise users
as it's got a good reputation in its niche.

BillK


-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Dan Farrell
On Tue, 12 Feb 2008 19:42:44 +0200
Alan McKinnon <[EMAIL PROTECTED]> wrote:

> > What about having ssh, imap, smtp, cups, and possibly a non-standard
> > https port all hidden within a VPN?  Should that be considered a
> > benefit of running a VPN?  

One other thought about ssh+vpn: if you have VPN problems (for example,
the server goes down, or you can't route to the subnet - if, say, you
were on a local subnet with the same address, it gets hairy), you can
still get in with SSH.  
--
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Alan McKinnon
On Tuesday 12 February 2008, Grant wrote:

> I need temporary, but automated.  Can an ssh tunnel be set up in an
> automated way?


Sure.

Can you write bash scripts?
Can you read man pages?

Just work out what command invocations do what you require and stick 
them in a script. Cron the script if that suits your needs


-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Etaoin Shrdlu
On Tuesday 12 February 2008, Grant wrote:

> > Use SSH if you need a quick ad-hoc connection or something
> > temporary. Use OpenVPN if you need something more permanent that is
> > always present and just works.
>
> I need temporary, but automated.  Can an ssh tunnel be set up in an
> automated way?

Of course, especially if you set up public key authentication.
-- 
gentoo-user@lists.gentoo.org mailing list
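Alan's "stick the invocations in a script and cron it" and Etaoin's "especially with public key authentication" combine into the kind of script below. It is an added example, not from this thread: a cron-driven ssh forward that carries CUPS (port 631) from the remote server to the print server, so the remote server prints to localhost:6310. The account name, host name, key path and pid file are hypothetical; the cron line assumed is `*/5 * * * * /usr/local/sbin/cups-tunnel.sh start`.

```shell
#!/bin/sh
# Added example, not from the thread: keep an ssh forward to the print
# server's CUPS port alive from cron.  All names below are hypothetical.
REMOTE_USER=cupstunnel                  # dedicated, shell-less account on the print server
REMOTE_HOST=printserver.example.org     # hypothetical host name
KEY=/etc/cups-tunnel/id_ed25519         # passphrase-less key, mode 0600, root-only
PIDFILE=/var/run/cups-tunnel.pid
LOCAL_PORT=6310                         # the remote server's CUPS queue points at localhost:6310
REMOTE_PORT=631

# Print the ssh arguments one per line so they can be inspected or tested.
# -N: forward only, no remote command.  BatchMode: never prompt (cron has
# no tty), so a missing key or an unknown host key fails instead of hanging.
# StrictHostKeyChecking=yes: only the host key already in known_hosts.
# ExitOnForwardFailure: if the local port is taken, exit non-zero rather than
# sit there uselessly.  ServerAlive*: a dead link is noticed after ~90 s and
# the next cron run rebuilds it.  The forward binds to 127.0.0.1 only.
tunnel_args() {
    printf '%s\n' -N -i "$KEY" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -L "127.0.0.1:$LOCAL_PORT:localhost:$REMOTE_PORT" \
        "$REMOTE_USER@$REMOTE_HOST"
}

# The matching ~cupstunnel/.ssh/authorized_keys line on the print server:
# the key gets no shell, no pty, no agent/X11 forwarding, and may open
# nothing except a forward to the local CUPS port.  $1 = public key text.
authorized_keys_line() {
    printf 'command="/bin/false",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="localhost:%s" %s\n' \
        "$REMOTE_PORT" "$1"
}

# 0 if the process recorded in $PIDFILE is still running.
tunnel_up() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Start ssh in the background and record its pid.  The argument list holds
# no whitespace, so unquoted word splitting of $(tunnel_args) is safe here.
tunnel_start() {
    # shellcheck disable=SC2046
    ssh $(tunnel_args) &
    echo $! > "$PIDFILE"
}

tunnel_stop() {
    tunnel_up && kill "$(cat "$PIDFILE")"
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start)  tunnel_up || tunnel_start ;;        # idempotent: cron can call it every few minutes
    stop)   tunnel_stop ;;
    status) tunnel_up && echo up || echo down ;;
esac
```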



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Etaoin Shrdlu
On Tuesday 12 February 2008, Alan McKinnon wrote:

> > Perhaps confusingly, ssh itself can be used to create openVPN-like
> > VPNs (actually, much simpler), using the -w option and a couple of
> > tun (or tap) interfaces on the connected computers.
>
> hehehe, I'd forgotten about that one for a bit :-)
>
> I just thought of a nice way to describe the difference (seeing as
> technically they are essentially equivalent):

Well, almost. Ssh uses TCP, so an ssh-based VPN might encounter problems 
due to the notorious TCP-over-TCP issue (though I never had a problem, 
but I have a fast connection, so I might just be lucky), whereas OpenVPN 
uses UDP (by default at least) and thus must implement its own protocol 
for reliability and recovery. Both solutions introduce a certain amount 
of overhead, although I could not say which one is larger (perhaps 
OpenVPN?).
(Well, actually every kind of VPN introduces some overhead, but that's 
another story.)
From the point of view of the way virtual (tun/tap) interfaces are used, 
they are mostly the same, with OpenVPN designed to scale better when 
many connections are needed.

Some considerations apply to both, for example that using bridged mode 
might rapidly produce a lot of traffic on the link if more than few 
machines are connected (especially if they are windows machines), so it 
should be avoided for large setups.

> Use SSH if you need a quick ad-hoc connection or something temporary.
> Use OpenVPN if you need something more permanent that is always present
> and just works.

100% agree :-)
--
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Alan McKinnon
On Tuesday 12 February 2008, Grant wrote:
> > Even if you just want to encrypt some clear-text protocol that
> > doesn't have an encrypted equivalent, a vpn is still overkill. For
> > that you use ssh tunneling (which is essentially the same thing as
> > an encrypted version of a protocol). 'ssh -X' is the classic
> > example of easily tunneling a protocol that doesn't have a native
> > encrypted equivalent.
>
> I see what you're saying.  Can tunneling through ssh be made
> automatic so that a cron job initiates a script that opens a tunnel
> between the remote server and local print server and pages are
> printed through the tunnel?

Sure. ssh is just a process after all and in principle encapsulates 
whatever gets put into it. All you need is a connection that isn't 
firewalled out and an sshd that is listening to what is coming in.

ssh will even port forward for you and can be made to transform any tcp 
connection to appear to come from whatever port you want. What you put 
inside the tunnel is up to you. If the print server won't accept what 
is coming in, then google will find you any number of apps that will 
mangle the traffic.

> > Your statement "it seems like running SSH inside a VPN is better
> > for security than running SSH on a non-standard port" is
> > non-sensical. From a security and encryption perspective, ssh and
> > OpenVPN are exactly the same thing - stuff wrapped in an encryption
> > layer provided by ssl, complete with exactly the same key setup
> > should you choose to use that route.
>
> What about having ssh, imap, smtp, cups, and possibly a non-standard
> https port all hidden within a VPN?  Should that be considered a
> benefit of running a VPN?

I've filed the original post somewhere else and forgot the scenario :-)
Is this a setup you need to be present often or even all the time? If 
so, you have 5 protocols in use, and setting up tunnels could become 
cumbersome. You might consider that it's more effort than it's worth 
and a VPN that is there and JustWorks(tm) is preferable. I would call 
that a sensible use of a VPN :-)

I don't think there's a golden rule about when using a VPN is right or 
wrong. It's more like "do the advantages outweigh the hassle of setting 
it up and maintaining it?". Sometimes this answer is obvious, sometimes 
less so. Sometimes it's a judgement call.

Side note: I'm starting to consider that even the most whacky, bizarre 
and stupid use of OpenVPN is preferable to the heartache and pain 
involved with trying to get IPSec working as designed.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
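Grant's follow-up (can such a tunnel be started from cron?) is in practice answered by a small wrapper script; the one below is an added example written for this page, not code from Alan or any other poster. It keeps a reverse ssh tunnel from the local firewall/print server out to the remote server (the direction that passes a home firewall) and pairs the unattended key with an authorized_keys restriction so that key can do nothing but open that one listener. The host name, the `tunnel` account, ports, key path and pidfile are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: a cron-driven
# script for the local firewall/print server that keeps a reverse ssh
# tunnel up to the remote hosted server.  Once it is up, CUPS on the
# remote server prints to ipp://localhost:6310/printers/<name> and ssh
# delivers that to the local CUPS daemon on port 631.  Every name, port
# and path below is an assumption; override them from the environment.
TUNNEL_REMOTE_HOST="${TUNNEL_REMOTE_HOST:-remote.example.org}"  # hosted server
TUNNEL_REMOTE_USER="${TUNNEL_REMOTE_USER:-tunnel}"    # unprivileged account there
TUNNEL_REMOTE_PORT="${TUNNEL_REMOTE_PORT:-6310}"      # listener on the remote side
TUNNEL_LOCAL_CUPS="${TUNNEL_LOCAL_CUPS:-127.0.0.1:631}"   # local CUPS (IPP)
TUNNEL_KEY="${TUNNEL_KEY:-/root/.ssh/print-tunnel}"   # passphrase-less key for cron
TUNNEL_PIDFILE="${TUNNEL_PIDFILE:-/var/run/print-tunnel.pid}"

# The ssh command line, printed rather than run so it can be inspected.
# -N: no remote shell; -R: reverse forward; BatchMode keeps cron from
# hanging on a prompt; ExitOnForwardFailure makes "port already bound"
# a hard failure; ServerAlive* lets a dead link die so cron restarts it.
tunnel_cmd() {
    printf 'ssh -N -q -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes' "$TUNNEL_KEY"
    printf ' -o ServerAliveInterval=30 -o ServerAliveCountMax=3'
    printf ' -R 127.0.0.1:%s:%s %s@%s\n' "$TUNNEL_REMOTE_PORT" "$TUNNEL_LOCAL_CUPS" \
        "$TUNNEL_REMOTE_USER" "$TUNNEL_REMOTE_HOST"
}

# The authorized_keys line for that key on the remote server.  A key
# that sits unencrypted on disk for cron must be able to do nothing but
# open this one listener: "restrict" removes pty, agent/X11 forwarding
# and rc files, "port-forwarding" re-enables forwarding alone, and
# "permitlisten" pins the -R side to a single address and port.
# (restrict needs OpenSSH 7.2 or newer, permitlisten 7.8 or newer.)
authorized_keys_entry() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$TUNNEL_REMOTE_PORT" "$1"
}

# True when the pidfile names a process we can still signal.
tunnel_alive() {
    [ -r "$TUNNEL_PIDFILE" ] && kill -0 "$(cat "$TUNNEL_PIDFILE")" 2>/dev/null
}

# Cron entry on the print server (assumed install path):
#   */5 * * * * /usr/local/sbin/print-tunnel start
case "${1:-}" in
    start)
        tunnel_alive && exit 0            # still up, nothing to do
        # exec inside sh -c so $! is ssh's own pid, not a wrapper's
        sh -c "exec $(tunnel_cmd)" &
        echo $! > "$TUNNEL_PIDFILE"
        ;;
    stop)
        tunnel_alive && kill "$(cat "$TUNNEL_PIDFILE")"
        rm -f "$TUNNEL_PIDFILE"
        ;;
esac
```

On the remote server the matching sshd_config needs nothing beyond key-based logins for the `tunnel` account; the listener stays on 127.0.0.1 there, so only the remote CUPS instance can reach the home printer.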



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Grant
> > > Your statement "it seems like running SSH inside a VPN is better
> > > for security than running SSH on a non-standard port" is
> > > non-sensical. From a security and encryption perspective, ssh and
> > > OpenVPN are exactly the same thing - stuff wrapped in an encryption
> > > layer provided by ssl, complete with exactly the same key setup
> > > should you choose to use that route.
> >
> > Perhaps confusingly, ssh itself can be used to create openVPN-like
> > VPNs (actually, much simpler), using the -w option and a couple of
> > tun (or tap) interfaces on the connected computers.
>
> hehehe, I'd forgotten about that one for a bit :-)
>
> I just thought of a nice way to describe the difference (seeing as
> technically they are essentially equivalent):
>
> Use SSH if you need a quick ad-hoc connection or something temporary.
> Use OpenVPN if you need something more permanent that is always present
> and just works.

I need temporary, but automated.  Can an ssh tunnel be set up in an
automated way?

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Alan McKinnon
On Tuesday 12 February 2008, Etaoin Shrdlu wrote:
> On Tuesday 12 February 2008, Alan McKinnon wrote:
> > Your statement "it seems like running SSH inside a VPN is better
> > for security than running SSH on a non-standard port" is
> > non-sensical. From a security and encryption perspective, ssh and
> > OpenVPN are exactly the same thing - stuff wrapped in an encryption
> > layer provided by ssl, complete with exactly the same key setup
> > should you choose to use that route.
>
> Perhaps confusingly, ssh itself can be used to create openVPN-like
> VPNs (actually, much simpler), using the -w option and a couple of
> tun (or tap) interfaces on the connected computers.

hehehe, I'd forgotten about that one for a bit :-)

I just thought of a nice way to describe the difference (seeing as 
technically they are essentially equivalent):

Use SSH if you need a quick ad-hoc connection or something temporary.
Use OpenVPN if you need something more permanent that is always present 
and just works.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Grant
> > > I don't think you need a VPN to SSH from your laptop to the remote
> > > server -- SSH is already encrypted.
> >
> > For sure, but it seems like running SSH inside a VPN is better for
> > security than running SSH on a non-standard port or even port
> > knocking.  If I need to set up a VPN for printing, shouldn't I use it
> > for other stuff too?  Maybe not, I have yet to actually use a VPN so
> > please correct me if I'm wrong.
>
> The name tells you everything you need to know.
>
> vpn is Virtual Private *Network*. If you would normally have a dedicated
> line between this place and that place to form a network, but this is
> too expensive so you use the internet instead, then you use a vpn. Why?
> Because the internet is a public pathway and you don't want your stuff
> out in the open.
>
> If you want a client machine somewhere to connect to a server machine
> somewhere else, then this is normal internet connectivity and vpn is
> the wrong thing. If you want the client machine to be part of the same
> network the server is on so that lots of stuff works the way it does in
> the office itself, then vpn is the correct thing.
>
> Even if you just want to encrypt some clear-text protocol that doesn't
> have an encrypted equivalent, a vpn is still overkill. For that you use
> ssh tunneling (which is essentially the same thing as an encrypted
> version of a protocol). 'ssh -X' is the classic example of easily
> tunneling a protocol that doesn't have a native encrypted equivalent.

I see what you're saying.  Can tunneling through ssh be made automatic
so that a cron job initiates a script that opens a tunnel between the
remote server and local print server and pages are printed through the
tunnel?

> Your statement "it seems like running SSH inside a VPN is better for
> security than running SSH on a non-standard port" is non-sensical. From
> a security and encryption perspective, ssh and OpenVPN are exactly the
> same thing - stuff wrapped in an encryption layer provided by ssl,
> complete with exactly the same key setup should you choose to use that
> route.

What about having ssh, imap, smtp, cups, and possibly a non-standard
https port all hidden within a VPN?  Should that be considered a
benefit of running a VPN?

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Etaoin Shrdlu
On Tuesday 12 February 2008, Alan McKinnon wrote:

> Your statement "it seems like running SSH inside a VPN is better for
> security than running SSH on a non-standard port" is non-sensical.
> From a security and encryption perspective, ssh and OpenVPN are
> exactly the same thing - stuff wrapped in an encryption layer provided
> by ssl, complete with exactly the same key setup should you choose to
> use that route.

Perhaps confusingly, ssh itself can be used to create openVPN-like VPNs 
(actually, much simpler), using the -w option and a couple of tun (or 
tap) interfaces on the connected computers.
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Alan McKinnon
On Tuesday 12 February 2008, Grant wrote:
> > I don't think you need a VPN to SSH from your laptop to the remote
> > server -- SSH is already encrypted.
>
> For sure, but it seems like running SSH inside a VPN is better for
> security than running SSH on a non-standard port or even port
> knocking.  If I need to set up a VPN for printing, shouldn't I use it
> for other stuff too?  Maybe not, I have yet to actually use a VPN so
> please correct me if I'm wrong.

The name tells you everything you need to know.

vpn is Virtual Private *Network*. If you would normally have a dedicated 
line between this place and that place to form a network, but this is 
too expensive so you use the internet instead, then you use a vpn. Why? 
Because the internet is a public pathway and you don't want your stuff 
out in the open.

If you want a client machine somewhere to connect to a server machine 
somewhere else, then this is normal internet connectivity and vpn is 
the wrong thing. If you want the client machine to be part of the same 
network the server is on so that lots of stuff works the way it does in 
the office itself, then vpn is the correct thing.

Even if you just want to encrypt some clear-text protocol that doesn't 
have an encrypted equivalent, a vpn is still overkill. For that you use 
ssh tunneling (which is essentially the same thing as an encrypted 
version of a protocol). 'ssh -X' is the classic example of easily 
tunneling a protocol that doesn't have a native encrypted equivalent.

Your statement "it seems like running SSH inside a VPN is better for 
security than running SSH on a non-standard port" is non-sensical. From 
a security and encryption perspective, ssh and OpenVPN are exactly the 
same thing - stuff wrapped in an encryption layer provided by ssl, 
complete with exactly the same key setup should you choose to use that 
route.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread W.Kenworthy
I do this with my work printer - the printer is locked down to a local
network - I can print from locked out offices/labs anywhere (and even
from home, picking up the printouts when I arrive - convenient!)

I also transfer sometimes large files (using scp) and run ssh sessions
and imap/smtp mail all through the same tunnel(s) - I actually use two
in series with a convenient host in between to get around some local
routing issues.  All can be transparent and just work.  scp can
sometimes be a pain with slow speeds but it's dependent on network
conditions external to the tunnel - i.e., some external conditions cause
interactions that affect packet sizes/latency within the tunnel - doesn't
happen often though.

Routing is often an issue (particularly to networks a few hops away on
the "inside") - ospf (quagga) was the solution, though RIP is probably
easier/better for this.

The downside - Gentoo's openvpn and networking design is ok for simple
setups, but has to be overridden when getting complex.  Can be "fragile"
when design changes are taking place - breaks when you least expect it,
like when they introduced the bind flag into the init.d script (gr).

Note that you need sympathetic or pliable IT staff if it's a workplace -
helps to have them onside if you are going to bypass their security
policies for your own benefit!

BillK


On Mon, 2008-02-11 at 19:44 -0600, Dan Farrell wrote:
> On Mon, 11 Feb 2008 16:00:49 -0800
> Grant <[EMAIL PROTECTED]> wrote:
> 
> > > You can print from your laptop to your printer at home while
> > > overseas, for example.
> 
> Sounds very convenient ; ) 
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Dan Farrell
On Mon, 11 Feb 2008 16:00:49 -0800
Grant <[EMAIL PROTECTED]> wrote:

> > You can print from your laptop to your printer at home while
> > overseas, for example.

Sounds very convenient ; ) 
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Grant
> > > >  I'm hoping to use the vpn in three ways:
> >  > >
> >  > >  1. imap and smtp between my laptop and the mail server
> >  > >  2. ssh from my laptop to the remote server
> >  > >  3. cups printing from the remote server to the print server
> >  >
> >  > I don't think you need a VPN to SSH from your laptop to the remote
> >  > server -- SSH is already encrypted.
> >
> >  For sure, but it seems like running SSH inside a VPN is better for
> >  security than running SSH on a non-standard port or even port
> >  knocking.  If I need to set up a VPN for printing, shouldn't I use it
> >  for other stuff too?  Maybe not, I have yet to actually use a VPN so
> >  please correct me if I'm wrong.
>
> There are other ways to make SSH more "secure". For example, you could

But what's wrong with this one? :)  Honestly though, why would any of
those methods be preferred to openvpn?

> only enable PubkeyAuthentication while disabling all other methods of
> authentication, then use a large (4096-bit?) key pair with a strong
> passphrase[1] and use keychain[2] so you don't have to type in the
> passphrase all the time. OK, I'm exaggerating a bit with those
> passwords from GRC, but you get the idea.
>
> [1] https://www.grc.com/passwords.htm
> [2] http://www.gentoo.org/proj/en/keychain/
>
> Also keep in mind the added overhead with OpenVPN -- your encrypted
> SSH traffic is again encrypted by the VPN.

Is this significant?  Would my SSH latency be increased, the system
slowed down, or both?

> >  > If your laptop is always behind your local firewall, then it should be
> >  > sufficient to have an OpenVPN tunnel established between your local
> >  > firewall/print server and your remote server. This should allow you to
> >  > print.
> >  >
> >  > Configuring the routes on your laptop to go through your local
> >  > firewall and VPN to the remote server should allow you to grab your
> >  > mail.
> >  >
> >  > If you move around with your laptop then you'll need to establish the
> >  > VPN tunnel to your remote server anytime you need to grab your mail
> >  > from anywhere else but home (behind your local firewall).
> >
> >  Ah, tunnels, OK.  I need to think in terms of tunnels.  I'll
> >  definitely be moving around and won't be behind my local firewall too
> >  much of the time.  Can I set up the openvpn server on my remote system
> >  and keep a tunnel open between it and the firewall/print server for
> >  printing, and also initiate a tunnel between the laptop and the remote
> >  system whenever I need to mail or SSH?  Does that sound like a good
> >  plan?
>
> Yep, that should work. With a 'permanent' tunnel established between
> your remote server and your local firewall/print server, you'll always
> have access to those too simply by connecting via VPN to your remote
> server. You can print from your laptop to your printer at home while
> overseas, for example.

Nice, thanks Mike.

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Mike Mazur
Hi Grant,

On Tue, Feb 12, 2008 at 8:11 AM, Grant <[EMAIL PROTECTED]> wrote:
> > >  I'm hoping to use the vpn in three ways:
>  > >
>  > >  1. imap and smtp between my laptop and the mail server
>  > >  2. ssh from my laptop to the remote server
>  > >  3. cups printing from the remote server to the print server
>  >
>  > I don't think you need a VPN to SSH from your laptop to the remote
>  > server -- SSH is already encrypted.
>
>  For sure, but it seems like running SSH inside a VPN is better for
>  security than running SSH on a non-standard port or even port
>  knocking.  If I need to set up a VPN for printing, shouldn't I use it
>  for other stuff too?  Maybe not, I have yet to actually use a VPN so
>  please correct me if I'm wrong.

There are other ways to make SSH more "secure". For example, you could
only enable PubkeyAuthentication while disabling all other methods of
authentication, then use a large (4096-bit?) key pair with a strong
passphrase[1] and use keychain[2] so you don't have to type in the
passphrase all the time. OK, I'm exaggerating a bit with those
passwords from GRC, but you get the idea.

[1] https://www.grc.com/passwords.htm
[2] http://www.gentoo.org/proj/en/keychain/

Also keep in mind the added overhead with OpenVPN -- your encrypted
SSH traffic is again encrypted by the VPN.

>  > If your laptop is always behind your local firewall, then it should be
>  > sufficient to have an OpenVPN tunnel established between your local
>  > firewall/print server and your remote server. This should allow you to
>  > print.
>  >
>  > Configuring the routes on your laptop to go through your local
>  > firewall and VPN to the remote server should allow you to grab your
>  > mail.
>  >
>  > If you move around with your laptop then you'll need to establish the
>  > VPN tunnel to your remote server anytime you need to grab your mail
>  > from anywhere else but home (behind your local firewall).
>
>  Ah, tunnels, OK.  I need to think in terms of tunnels.  I'll
>  definitely be moving around and won't be behind my local firewall too
>  much of the time.  Can I set up the openvpn server on my remote system
>  and keep a tunnel open between it and the firewall/print server for
>  printing, and also initiate a tunnel between the laptop and the remote
>  system whenever I need to mail or SSH?  Does that sound like a good
>  plan?

Yep, that should work. With a 'permanent' tunnel established between
your remote server and your local firewall/print server, you'll always
have access to those too simply by connecting via VPN to your remote
server. You can print from your laptop to your printer at home while
overseas, for example.

Mike
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Grant
> >  I'm hoping to use the vpn in three ways:
> >
> >  1. imap and smtp between my laptop and the mail server
> >  2. ssh from my laptop to the remote server
> >  3. cups printing from the remote server to the print server
>
> I don't think you need a VPN to SSH from your laptop to the remote
> server -- SSH is already encrypted.

For sure, but it seems like running SSH inside a VPN is better for
security than running SSH on a non-standard port or even port
knocking.  If I need to set up a VPN for printing, shouldn't I use it
for other stuff too?  Maybe not, I have yet to actually use a VPN so
please correct me if I'm wrong.

> If your laptop is always behind your local firewall, then it should be
> sufficient to have an OpenVPN tunnel established between your local
> firewall/print server and your remote server. This should allow you to
> print.
>
> Configuring the routes on your laptop to go through your local
> firewall and VPN to the remote server should allow you to grab your
> mail.
>
> If you move around with your laptop then you'll need to establish the
> VPN tunnel to your remote server anytime you need to grab your mail
> from anywhere else but home (behind your local firewall).

Ah, tunnels, OK.  I need to think in terms of tunnels.  I'll
definitely be moving around and won't be behind my local firewall too
much of the time.  Can I set up the openvpn server on my remote system
and keep a tunnel open between it and the firewall/print server for
printing, and also initiate a tunnel between the laptop and the remote
system whenever I need to mail or SSH?  Does that sound like a good
plan?

- Grant


> >  IMHO you should always go with routed first, then bridged if you need
> >  it.
> >
> >  Ask yourself this question: do you really need ethernet traffic to go
> >  through the vpn? There are cases where it could be useful, but I'm hard
> >  pressed to find a general case.
> >
> >  With a routed vpn, you work with IP addresses, just like you do on the
> >  internet.
>
> As Alan said, try going with routed first.
>
> Also, think about whether you really need this. As mentioned above,
> SSH doesn't need to be tunneled over a VPN. IMAP and SMTP can be
> encrypted too. That leaves printing, for which you could use VPN.
>
> Have fun!
> Mike
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Mike Mazur
Hi Grant,

On Tue, Feb 12, 2008 at 5:41 AM, Grant <[EMAIL PROTECTED]> wrote:
>  I'm hoping to use the vpn in three ways:
>
>  1. imap and smtp between my laptop and the mail server
>  2. ssh from my laptop to the remote server
>  3. cups printing from the remote server to the print server

I don't think you need a VPN to SSH from your laptop to the remote
server -- SSH is already encrypted.

If your laptop is always behind your local firewall, then it should be
sufficient to have an OpenVPN tunnel established between your local
firewall/print server and your remote server. This should allow you to
print.

Configuring the routes on your laptop to go through your local
firewall and VPN to the remote server should allow you to grab your
mail.

If you move around with your laptop then you'll need to establish the
VPN tunnel to your remote server anytime you need to grab your mail
from anywhere else but home (behind your local firewall).

On Tue, Feb 12, 2008 at 5:53 AM, Alan McKinnon <[EMAIL PROTECTED]> wrote:
>  IMHO you should always go with routed first, then bridged if you need
>  it.
>
>  Ask yourself this question: do you really need ethernet traffic to go
>  through the vpn? There are cases where it could be useful, but I'm hard
>  pressed to find a general case.
>
>  With a routed vpn, you work with IP addresses, just like you do on the
>  internet.

As Alan said, try going with routed first.

Also, think about whether you really need this. As mentioned above,
SSH doesn't need to be tunneled over a VPN. IMAP and SMTP can be
encrypted too. That leaves printing, for which you could use VPN.

Have fun!
Mike
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Alan McKinnon
On Monday 11 February 2008, Grant wrote:

> The second guide deals with bridging and the first does not.  Should
> I be setting up bridging?  The first guide seems simpler.  Should I
> be OK with that one?  I'd hate to dig into one of them and then find
> out I should have chosen the other.
>
> - Grant

IMHO you should always go with routed first, then bridged if you need 
it.

Ask yourself this question: do you really need ethernet traffic to go 
through the vpn? There are cases where it could be useful, but I'm hard 
pressed to find a general case.

With a routed vpn, you work with IP addresses, just like you do on the 
internet.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

-- 
gentoo-user@lists.gentoo.org mailing list



[gentoo-user] OpenVPN setup

2008-02-11 Thread Grant
I'm hoping to install openvpn on my remote hosted server.  I have
three machines to consider:

1. remote hosted web/mail server
2. local firewall, print server
3. local laptop

I'm hoping to use the vpn in three ways:

1. imap and smtp between my laptop and the mail server
2. ssh from my laptop to the remote server
3. cups printing from the remote server to the print server

I've been over these guides:

http://gentoo-wiki.com/HOWTO_OpenVPN_primer
http://gentoo-wiki.com/HOWTO_Road_Warriors_with_OpenVPN

It looks like there are plenty of opportunities for me to screw up so
I'm hoping somebody might be able to help when I get stuck.

The second guide deals with bridging and the first does not.  Should I
be setting up bridging?  The first guide seems simpler.  Should I be
OK with that one?  I'd hate to dig into one of them and then find out
I should have chosen the other.

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list