VPN recommendations?

Ben Scott dragonhawk at gmail.com
Fri Jun 29 21:36:07 EDT 2007


On 6/29/07, Ted Roche <tedroche at tedroche.com> wrote:
>>   Define "access his office network".
>
> Exactly the response I needed, thanks.

  You never did answer my question.  What is this guy looking to *do*?

>>   That being said, I find OpenVPN does really, really well.  It's
>> really easy to install.
>
> Define "really easy."

  Click "Next" a lot.

  Config is a bit harder.  I did say "install".  ;-)  But I can post
some example configs if you like.

  Like I said, the X.509 stuff is hard, but I'm told there's stuff out
there now that makes it easy.  I haven't looked at that stuff because
I already took the trouble to DIY some automation.

> Hmmm... interesting acronyms.

  X.509 is the standard for public key cryptography which SSL uses.
Since OpenVPN uses SSL, it uses X.509 certificates.  X.509 is part of
the X.500/X.400 suite, which is quite possibly the worst set of
standards ever created by man.

  PKI = Public Key Infrastructure
  CA = Certificate Authority

  CA PKI just means "There's a central party which signs all
certificates.  By definition, PKI members trust the CA.  Thus, any
random node who connects who has a certificate signed by the CA is
trustworthy."

  This is how HTTPS works.  Web browsers come pre-loaded with the
certificates for various root CAs (VeriSign and friends).  Web server
operators get their certificates signed by a root CA.  When you
connect to a web server, the server sends its certificate.  Your
browser makes sure the web server's certificate is signed and matches
one of the root CA certificates it already has.  If so, the web server
is considered "secure".

  With OpenVPN, you can also use simple peer certificates, similar to
the way SSH public keys work.  Which wouldn't be so bad if the X.509
stuff wasn't so horrid.  But again, I'm told there is easier stuff out
there now.

>> One thing you'll want to know is that SMB is pretty bad over high
>> latency links, and certain parts of Windows Explorer and Microsoft
>> Office absolutely *SUCK* over high latency links.
>
> Right. SMB is pretty chatty and intended to be non-routable and
> contained on the LAN.

  SMB itself isn't so bad.  For example, from the CMD prompt, I can do
DIR listings and COPY files with good results.  Not as good as, say,
FTP, but good.  But if I start browsing with Explorer, or (heaven
forbid) open a file in Excel, everything goes to hell.  I guess
Explorer (and the Common Dialogs which use it) are doing something
pathologically bad for high-latency situations.

> One client with megabit-class DSL using their megabit-class DSL connection ...

  It's not the bandwidth ("megabits"), it's the latency ("round trip
time" or "RTT").  LANs have RTTs measured in single-digit
milliseconds.  Even a really good Internet feed typically has RTTs in
the tens of milliseconds, and hundreds are not uncommon.  That's what
kills it.

> Perhaps RDP tunneled over the VPN would be a good choice.

  I do RDP over SSH, and find it works pretty well.  PuTTY with a
pre-defined connection icon might work for that.  For file transfers,
FileZilla is a nice GUI client.

> The other issue is security of their Windows network.

  SSH port forwarding avoids that problem (one reason I like it).  For
OpenVPN, you can leave the Windows firewall on the VPN interface
enabled.

-- Ben
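As an added illustration of the CA trust model described above (the "DIY automation" Ben mentions, written here as example code, not Ben's own scripts or anything shipped with OpenVPN): a tiny certificate authority built with the openssl command-line tool, which issues one peer certificate and then shows that the server-side check accepts a cert signed by its CA and rejects one signed by anybody else. All names (demo-ca, rogue-ca, client1, intruder) are constructed for this example.

```shell
#!/bin/sh
# Minimal DIY CA using the openssl CLI.  Everything is written to a
# temporary directory that is removed on exit.  Names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key + certificate.  This is the "central
# party" every VPN peer is configured to trust.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1" 2>/dev/null
}

# issue_cert CA NAME: generate a key and CSR for NAME, then have CA sign
# it.  The signed NAME.crt (plus NAME.key) is what a peer presents.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 365 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# trusted_by CA NAME: exit 0 if NAME.crt chains to CA.crt, else non-zero.
# This is the same decision an OpenVPN server (or a browser talking
# HTTPS) makes about a certificate it is handed.
trusted_by() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca demo-ca            # our CA
make_ca rogue-ca           # some other CA nobody configured as trusted
issue_cert demo-ca client1 # legitimate peer
issue_cert rogue-ca intruder

# Report the two outcomes when run directly.
if trusted_by demo-ca client1; then echo "client1: trusted (signed by demo-ca)"; fi
if trusted_by demo-ca intruder; then echo "intruder: trusted"; else echo "intruder: rejected (not signed by demo-ca)"; fi
```

The point is the last two lines: trust is a property of who signed the certificate, so a cert from an unrelated CA is rejected even though it is perfectly well-formed.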


More information about the gnhlug-discuss mailing list