Hi David,

Nice answer, David, and thanks for promoting the book ;)

Your basic points are correct, of course:
- networking is hard
- security is hard

Configuring openvpn can be daunting at first, but it is not nearly as bad as configuring PPTP, or - GASP! - IPSec+L2TP. Documentation can help, of course, but to do things right will always require work. Also, each setup is unique: there are some default setups, of course, most/some of which are covered in my cookbook, but after answering a lot of questions on the mailing list and forums I've found that each networking setup is unique and openvpn needs to be adjusted for it. I've always found the flexibility of openvpn its true power - but with great power (flexibility) comes great responsibility (about documenting things).

Dan also has a point however: we should watch out for introducing new features that nobody really understands how to use or why you would use them - the docs should be kept up to par with the features. My cookbook, for example, does not cover any of the features found in 2.3 like IPv6 - I hope I can write an update in the near future. I was and am hoping that an auto-negotiate feature would improve the usability of openvpn - if you can negotiate and/or push more settings from the server to the clients, then the client configs can be as simple as possible, which should reduce complexity.

JM2CW,

JJK



David Sommerseth wrote:
On 05/08/13 19:52, dan farmer wrote:
To start with - I really, really appreciate the work that's gone into the program. I've released stuff myself, and it's not an easy process, especially for something as complex and with so much functionality as openvpn.  I get that.

But from a user's perspective - anything that can make the horror known as openvpn configuration easier would improve openvpn's adoption considerably.

Here's a true tale. I'm writing a little thing to use openvpn. I'd like to think I know networks a bit - more on the theory at times than implementation, but whatever.

OpenVPN ranks up there with pgp and openssh for the most fucked up and mysterious configurations I've ever seen (it is not a coincidence that they're all crypto programs, I believe.)  It is legendary among non-openvpn people to be ridiculously difficult.  I'm actually pretty sure that if one is an openvpn person who knows what you're doing it's not that bad, or even makes some internal sense. But I'd wager that high-ninety% of your user base doesn't fall into that camp. Well, of your potential user base, that is, most don't get that far.

I am not saying this to say "everything is fuxx3d up" or something.  I'm telling you because it took me a couple of days to get even the most basic thing really working on a not-terribly-complex setup.  And while I understand the conceptual matters of your program, honestly, I fear to set it up, and have little faith that even if I get it running it'll do what I want it to.

I'm not even complaining for myself - I'm a big guy, I can take care of myself, and take it or leave it - but for others…..

[...snip...]

The documentation to OpenVPN might feel daunting, but it really isn't
that bad if you just get started on the easy paths.  And if you really
want a hand-held guide through setting up OpenVPN ... go grab this book:

<http://www.packtpub.com/openvpn-2-cookbook/book>

I'm not aiming this message against you, Dan, so please don't take it as
a personal attack of any kind.

The biggest problem, from my experience, isn't that people don't
understand the official docs.  But they use external sources for setting
up OpenVPN, like random blog or forum posts on sites not controlled by
the OpenVPN community at all.  And really, in 99% of all those posts,
they contradict each other or basically recommend completely clueless
setups which are just plain wrong.  Why?  Because these writers often
don't understand NETWORKING at all.

First of all, if you want to setup any kind of VPN, you NEED to
understand basic networking.  If your network experience is based on
setting up a home router and you got it working, then you know NOTHING
about networking.  Go read about how TCP/IP functions and at minimum
learn the BASIC ROUTING.  Without that, you're going to get lost.

Next, OpenVPN configurations are basically 2 parts.  It's the security
part, which involves setting up security parameters (ciphers, keys, etc)
and which host to connect to.  The other part is NETWORK ROUTING.  No
matter what kind of VPN setup you configure, you must understand
routing.  Then there is the more advanced parts, such as firewalling,
MTU, fragmentation, and similar topics.

Most people I've met on #openvpn, on this mailing list and those times
I've looked at our forum struggle with the latter.  Almost
everyone manages to set up and configure OpenVPN server and clients and
make them connect without much help at all (when having issues, it's
mostly related to PKI setups).  They usually show up when their brand
new OpenVPN setup doesn't pass traffic through their OpenVPN server or
client.  Which really makes me repeat what I've said in the two past
paragraphs: To setup VPN you MUST UNDERSTAND BASIC NETWORK ROUTING.  You
say "bridging"? I'll repeat: NETWORK ROUTING.  Really!

And many of those who begin to struggle, seek help in various wikis,
blogs and whatever else they find.  But the *minority* of these sources
explains things correctly.  I think I've seen just a handful of those
thousands of blogs which really makes sense.  Unfortunately, I've not
indexed the good sources.

At the end, I'll provide a few pointers which hopefully can help people
solving their issues.

* Learn about TCP/IP networking, read especially chapter 3.1 in this
book: <http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf>.  I'll
repeat: You MUST know how network traffic travels between hosts and routers.

* Then first configure a very simple OpenVPN setup, based on this HOWTO:
<http://openvpn.net/index.php/open-source/documentation/miscellaneous/static-key-mini-howto.html>

Go through this one, step by step.

* Use the man page as a companion and read about what each option used
above does:
<https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage>

* Extend the configuration above with a PKI setup (enhanced security):
<http://openvpn.net/index.php/open-source/documentation/howto.html#pki>

* Set up a reasonable routed network configuration with firewalling,
based on this one:
<https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting>


By going through these steps, I believe most users should be able to set
up a working VPN.

But it's a lot to learn, if you haven't done this before.  There are no
shortcuts into setting up a VPN.  You simply must learn these basic
steps.  The cookbook I mentioned in the beginning might make things
easier to get started, but you still need to do some learning; at least
when things don't work as expected.
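The static-key path David lays out above, carried through as an added example. This is not code from the thread or from the OpenVPN project; the addresses (203.0.113.10 for the server, 10.8.0.1/10.8.0.2 for the tunnel, 192.168.10.0/24 and 192.168.20.0/24 for the two LANs), the file names and the check_pair helper are assumptions for illustration. The check covers the two parts of a config that David describes: the security part, which in static-key mode must be identical on both ends because nothing is negotiated, and the routing part, which is where he says most people get stuck.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project: a static-key,
# point-to-point pair in the shape of the static-key mini-HOWTO, plus a sanity
# check of the two parts the thread talks about: the security part (must match
# exactly, static-key mode negotiates nothing) and the routing part.
# Hypothetical addresses: server 203.0.113.10, tunnel 10.8.0.1 <-> 10.8.0.2,
# LAN behind server 192.168.10.0/24, LAN behind client 192.168.20.0/24.
set -u
OUT=${OUT:-$(mktemp -d)}

# Part 1, security: one shared key, generated once, copied to the peer out of band.
gen_key() {
  if command -v openvpn >/dev/null 2>&1; then
    openvpn --genkey --secret "$OUT/static.key"
  else
    # openvpn not installed here: leave a marker so the configs can still be inspected.
    printf '# run: openvpn --genkey --secret static.key\n' > "$OUT/static.key"
  fi
}

write_configs() {
  cat > "$OUT/server.conf" <<'EOF'
dev tun
proto udp
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
auth SHA256
# Part 2, routing: how this host reaches the LAN behind the client.
route 192.168.20.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
  cat > "$OUT/client.conf" <<'EOF'
remote 203.0.113.10 1194
dev tun
proto udp
ifconfig 10.8.0.2 10.8.0.1
secret static.key
cipher AES-256-CBC
auth SHA256
# Part 2, routing: how this host reaches the LAN behind the server.
route 192.168.10.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Value of the first occurrence of a directive: conf_get FILE ifconfig -> "10.8.0.1 10.8.0.2"
conf_get() {
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Returns 0 if SERVER and CLIENT configs are consistent, 1 otherwise (findings on stdout).
check_pair() {
  s=$1; c=$2; rc=0
  # Static-key mode has no negotiation: these must be identical on both sides.
  for d in dev proto cipher auth secret; do
    if [ "$(conf_get "$s" "$d")" != "$(conf_get "$c" "$d")" ]; then
      echo "MISMATCH: '$d': '$(conf_get "$s" "$d")' vs '$(conf_get "$c" "$d")'"; rc=1
    fi
  done
  # Tunnel endpoints must be mirrored: server "L R", client "R L".
  set -- $(conf_get "$s" ifconfig); sl=${1:-}; sr=${2:-}
  set -- $(conf_get "$c" ifconfig); cl=${1:-}; cr=${2:-}
  if [ "$sl" != "$cr" ] || [ "$sr" != "$cl" ]; then
    echo "MISMATCH: ifconfig not mirrored: '$sl $sr' vs '$cl $cr'"; rc=1
  fi
  # The client must know whom to connect to.
  [ -n "$(conf_get "$c" remote)" ] || { echo "MISSING: client has no 'remote'"; rc=1; }
  # Without a route on each side only the two tunnel addresses are reachable.
  for f in "$s" "$c"; do
    [ -n "$(conf_get "$f" route)" ] || { echo "MISSING: no 'route' in $f"; rc=1; }
  done
  return "$rc"
}

main() {
  gen_key
  write_configs
  if check_pair "$OUT/server.conf" "$OUT/client.conf"; then
    echo "OK: $OUT/server.conf and $OUT/client.conf are consistent."
    echo "Still needed on each gateway: net.ipv4.ip_forward=1 and firewall rules that"
    echo "accept traffic on tun0 and forward it to the local LAN."
  fi
}
main
```

The script only writes and checks files; it never starts openvpn or touches a routing table, so it runs unprivileged. Bringing the tunnel up still needs root, and passing LAN traffic through it needs forwarding enabled and the firewall opened on both gateways, exactly the part David's mail says the official docs cannot do for you. Feed check_pair a client config with a different cipher or with the route line removed to see the kind of mismatch it flags.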