tlug.jp Mailing List Archive
Re: [tlug] VPN?
- Date: Fri, 22 Jun 2018 17:21:55 +0200
- From: Attila Kinali <firstname.lastname@example.org>
- Subject: Re: [tlug] VPN?
- References: <1528618310.1210498.1402669344.48BE87D7@webmail.messagingengine.com> <1529335391.476732.1411880600.3E7206B1@webmail.messagingengine.com>
- Organization: Geist
On Mon, 18 Jun 2018 17:23:11 +0200
Jens John <email@example.com> wrote:

> If cost is such a restrictive factor, and if you'd be fine with rolling your
> own, you could deploy an IPSec VPN gateway on a cheap cloud instance, based on
> either Linux (strongswan) or OpenBSD (preferred; much simpler to configure).
> It's the "standard" enterprise VPN protocol and widely supported; e.g. the
> iOS VPN client has built-in support for IPSec connectivity. Same goes for
> macOS and Windows. On Linux, IPSec connectivity is easy to achieve too by
> using NetworkManager with the strongswan client plugin or, if needed, by
> configuring a strongswan client manually. Though the amount of documentation
> on IPSec may be a bit overwhelming at first if you're not familiar with the
> topic already.

Quite honestly, I think that IPsec is the worst protocol to be used for VPNs. It's so overly complex that just trying to understand how all the bits and pieces work together takes days at least. Not to mention that it took almost a decade until all vendors could (kind of) agree on a subset of the millions of features and ways to set it up, such that VPN solutions from different vendors could work together.

And because IPsec grew out of the idea of authenticating and encrypting IP packets (i.e. not being tunnels but doing it on a connection-by-connection basis), it behaves quite weirdly in the normal network stack. As for configuration, it's still very difficult and brittle and, depending on the solution you are using, hard to debug.

If you are going for DIY, then I strongly recommend using something simple like OpenVPN that behaves like a pipe/cable between the two endpoints and mimics a network interface that nicely integrates into the normal network stack. This makes it much easier to configure and, in case of problems, to debug. Not to mention that you can use all the power of the network tools (including firewall settings) without the need to figure out why and when an IPsec packet enters/leaves the normal flow of how packets are handled.

TL;DR: Just because something is enterprisy does not mean it's a good solution. Actually, enterprise solutions are usually quite bad and mostly designed to make consultants rich.

		Attila Kinali

-- 
It is upon moral qualities that a society is ultimately founded. All the prosperity and technological sophistication in the world is of no use without that foundation.
-- Miss Matheson, The Diamond Age, Neal Stephenson