VPN solution(s) for Fedora Core

Jason Tackaberry tack at sault.org
Fri May 21 15:52:09 UTC 2004


Hello Fedora hackers,

Since CIPE's removal from Fedora Core, there is a noticeable void that
still needs to be filled.  I'd like to raise the issue here and spark a
discussion in the hope that we can find consensus on one or more pieces
of VPN software to include in Fedora Core 3.

There seem to be two general approaches to VPNs, each with their own
advantages and disadvantages: kernel space, and user space.  I feel the
only kernel solutions worth considering are those which implement IPsec.
There exist several packages implementing VPN solutions in userspace,
such as vtun, tinc, and OpenVPN.

I have been using and reading about OpenVPN (http://openvpn.sf.net).  It
is intuitive, well designed [1], and has excellent documentation.  It is
released under the GPL, with a special exception clause to allow linking
with OpenSSL. OpenVPN is quality software, and we would be remiss not to
consider it for inclusion in FC3.

CIPE, vtun, and tinc, at least, have known and published flaws.  Last
year Peter Gutmann wrote a paper detailing a number of problems with
these packages [2].  While Gutmann did not review OpenVPN in depth, he
did have this to say about it:

        The key management step (that is, how to get from the SSL
        control channel to the data channel) is documented only in the
        source code, which I don't feel like reverse-engineering, but a
        quick look through it indicates that the author knows what he's
        doing.
        
I've done some googling and unfortunately I can't find a thorough,
independent audit of OpenVPN's design.  However, I've also not been able
to find much in way of vulnerabilities, so it appears to have a good
track record.  This, in combination with Gutmann's remarks in his paper,
as well as my own understanding of its design, gives me a reasonable
amount of confidence in OpenVPN.  (Vastly more than CIPE, at least,
which was included in RHL in the past.)

OpenVPN is released for most unices (including OS X), as well as Windows
2000/XP.  It relies on the kernel only for the tun/tap device.  I have
toyed with other VPN software (notably CIPE, vtun, and freeswan), and
OpenVPN was the only one that Just Worked, and worked intuitively.

I think the other main contender for VPN software in Fedora Core would
be Openswan.  OpenVPN is portable, comfortable (being in userspace),
flexible, and easy, but Openswan implements IPsec which is (mostly)
standardized across vendors, and that's certainly a strong selling
point, in spite of its complexity.

I don't know much about Openswan, but I do feel that there is room for
both an IPsec and user space VPN solution in FC.

So, let the discussions begin!

Cheers,
Jason.


[1]  I am not a cryptographer, and so my opinion of OpenVPN's
     design is meaningless in practice.
[2]  http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
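The post above describes OpenVPN as a userspace daemon whose security rests on
the SSL/TLS control channel (Gutmann's quoted remark is about the step from
that control channel to the data channel).  In practice most of what can go
wrong there is configuration, not code.  The following is an added example,
not code from the original post or from the OpenVPN project: a small POSIX sh
audit of an OpenVPN 2.x client config for the control-channel and
least-privilege directives a reviewer would look for, run against two
constructed sample configs (a weak one and a hardened one).  Directive names
assume the OpenVPN 2.4+ manual (tls-crypt, remote-cert-tls, tls-version-min);
the host name vpn.example.com and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenVPN project.
# Audits an OpenVPN 2.x *client* config for control-channel and
# least-privilege settings. Directive names follow the OpenVPN 2.4+
# manual; both sample configs below are constructed for this example.

# has_directive FILE REGEX -> true if an uncommented line starts with REGEX
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# audit_openvpn_conf FILE
# Prints one line per finding; returns the number of findings (0 = clean).
audit_openvpn_conf() {
    f="$1"
    n=0
    # 1. No CA means nothing binds the TLS peer to anything at all.
    if ! has_directive "$f" 'ca' && ! grep -q '^<ca>' "$f"; then
        echo "MISSING: ca (no trust anchor for the TLS control channel)"; n=$((n+1))
    fi
    # 2. Without this, any CA-signed cert (e.g. another *client*) can pose as the server.
    if ! has_directive "$f" 'remote-cert-tls server' && ! has_directive "$f" 'verify-x509-name'; then
        echo "MISSING: remote-cert-tls server (or verify-x509-name)"; n=$((n+1))
    fi
    # 3. HMAC on the control channel drops unauthenticated packets before the TLS stack sees them.
    if ! has_directive "$f" 'tls-crypt' && ! has_directive "$f" 'tls-auth'; then
        echo "MISSING: tls-crypt (or tls-auth)"; n=$((n+1))
    fi
    # 4. Pin a modern TLS floor for the control channel.
    if ! has_directive "$f" 'tls-version-min 1\.[2-9]'; then
        echo "MISSING: tls-version-min 1.2 (or higher)"; n=$((n+1))
    fi
    # 5. Data channel: reject null or 64-bit-block ciphers and unauthenticated packets.
    if has_directive "$f" 'cipher (none|BF-CBC|DES-CBC)' || has_directive "$f" 'auth none'; then
        echo "WEAK: cipher/auth (use an AEAD cipher such as AES-256-GCM)"; n=$((n+1))
    fi
    # 6. Userspace daemon: drop root once the tun device is open.
    if ! has_directive "$f" 'user' || ! has_directive "$f" 'group'; then
        echo "MISSING: user/group (daemon keeps root after setup)"; n=$((n+1))
    fi
    return "$n"
}

# write_sample_configs DIR -> writes weak.conf and hardened.conf (constructed samples)
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
# Constructed sample: trusts anything signed by the CA as "the server"
client
dev tun
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
EOF
    cat > "$1/hardened.conf" <<'EOF'
# Constructed sample: same tunnel with the control channel locked down
client
dev tun
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Demo run: weak.conf should yield 5 findings, hardened.conf none.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for c in weak hardened; do
    echo "== $c.conf =="
    audit_openvpn_conf "$tmp/$c.conf" || echo "$c.conf: $? finding(s)"
done
rm -rf "$tmp"
```

The audit deliberately treats a missing `remote-cert-tls server` as a finding
even when a CA is configured: with a shared CA, a client certificate is
otherwise enough to impersonate the server, which is exactly the kind of
control-channel mistake that no amount of care in the daemon's code can catch.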

