Mailing List Archive



Re: [tlug] VPN?



On Mon, 18 Jun 2018 17:23:11 +0200
Jens John <lists@example.com> wrote:

> If cost is such a restrictive factor, and if you'd be fine with rolling your 
> own, you could deploy an IPSec VPN gateway on a cheap cloud instance, based on 
> either Linux (strongswan) or OpenBSD (preferred; much simpler to configure). 
> It's the "standard" enterprise VPN protocol and widely supported; e.g. the 
> iOS VPN client has built-in support for IPSec connectivity. Same goes for 
> macOS and Windows. On Linux, IPSec connectivity is easy to achieve too by 
> using NetworkManager with the strongswan client plugin or, if needed, by 
> configuring a strongswan client manually. Though the amount of documentation 
> on IPSec may be a bit overwhelming at first if you're not familiar with the 
> topic already.

Quite honestly, I think that IPsec is the worst protocol to be used
for VPNs. It's so overly complex that just trying to understand how
all the bits and pieces work together takes days at least. Not to mention
that it took almost a decade until all vendors could (kind of) agree on
a subset of the millions of features and ways to set it up, such that VPN
solutions from different vendors could work together. And because IPsec
grew out of the idea of authenticating and encrypting IP packets (i.e. not
being tunnels but doing it on a connection by connection basis),
it behaves quite weirdly in the normal network stack. As for configuration,
it's still very difficult and brittle and, depending on the solution you
are using, hard to debug.

If you are going for DIY, then I strongly recommend using something
simple like OpenVPN that behaves like a pipe/cable between the two
endpoints and mimics a network interface that nicely integrates into
the normal network stack. This makes it much easier to configure and,
in case of problems, to debug. Not to mention that you can use all
the power of the network tools (including firewall settings) without
the need to figure out why and when an IPsec packet enters/leaves
the normal flow of how packets are handled.

TL;DR: Just because something is enterprisy does not mean it's a good
solution. Actually, enterprise solutions are usually quite bad and mostly
designed to make consultants rich.

			Attila Kinali

-- 
It is upon moral qualities that a society is ultimately founded. All 
the prosperity and technological sophistication in the world is of no 
use without that foundation.
                 -- Miss Matheson, The Diamond Age, Neal Stephenson

