Best VPN server to use on Fedora

Michael H. Warfield mhw at wittsend.com
Tue Oct 25 17:05:50 UTC 2005


On Tue, 2005-10-25 at 00:51 -0700, Kenneth Porter wrote:
> --On Monday, October 24, 2005 9:53 PM -0400 Leonard Isham 
> <leonard.isham at gmail.com> wrote:
> 
> > OpenVPN gets my vote.  www.openvpn.net

> Agreed. It runs over SSL instead of IPSec, almost completely in userspace, 

	No, it does not "run over" SSL.  It uses SSL/TLS for its key management
(the equivalent of Pluto/Racoon/IKE in IPSec land) but then uses
ESPinUDP encapsulation (very MUCH like IPSec NAT-T) for the actual
transport (as described in the OpenVPN documentation).  Just because it
also states elsewhere that it uses SSL or that it is based on SSL it
does not mean that it runs "over" SSL/TLS (which would require a tcp
transport anyways and OpenVPN is normally udp based with an option to
run over tcp).

	But you are correct, it does run almost completely in userspace.  Which
is why its performance is relatively poor compared to IPSec in high
traffic environments.  It also does not scale well in semi-mesh or
full-mesh VPN environments.  The newer 2.x server mode helps out with
server centric or "star" VPNs but the peer-to-peer mode gets really
unwieldy if you are putting together more than a small number of systems
(in peer-to-peer mode each system requires unique endpoint UDP ports and
you rapidly run into n^2 scaling problems for full mesh).

> which I find is easier to set up. The stock Fedora kernel includes the 
> required kernel tun/tap device, so you don't need a custom kernel, nor 
> special router support. If you can open a ssh or https connection to your 
> VPN server, then you can get to it with OpenVPN, assuming the port is open. 
> ISP's don't see it as "VPN". (Some forbid VPN connections.)

	You don't need a custom kernel nor special router support for IPSec
either (you're a couple of years out of date with that information).
IPSec is already in the 2.6 kernels and you've got two choices for the
IKE side of things on FC4, OpenSWAN and IPSec-tools.  OpenSWAN (pluto
for IKE) isn't much more difficult to set up than OpenVPN and can even
be easier in some environments.  IPSec-tools is the KAME based Racoon
(IKE) and setkey package for those with masochistic tendencies and
desires to monkey with all the little nuts and bolts of IPSec.  Either
can be installed from yum just as easily as openvpn.  Both support IPSec
NAT-T (IPSec ESPinUDP encapsulation over 4500/udp) and work over NAT
devices just fine.

	For larger VPNs with a lot of systems, certificate based OpenSWAN can
be a lot easier to set up than OpenVPN, particularly if you have to set
up OpenVPN in peer-to-peer mode where each connection requires
configuring unique UDP endpoint ports.  OpenVPN server mode can help
with its address pool technique, and they're coming out with some newer
tricks for handing out and routing addresses in server mode that haven't
quite made it to release yet.  But that doesn't help out much once you
get away from a star topology.  OpenVPN needs to implement a
server-to-server mode before they can really address that.

	OTOH...  If what you are looking for is bridging or transporting of
non-ip protocols, then OpenVPN is definitely the choice to go with using
the tap device instead of the tun device.

	One interesting (to me at least) advantage of OpenVPN over IPSec is
that it can directly tunnel IPv6 over an IPv4 tunnel.  With IPSec, you
additionally have to build a SIT tunnel to encapsulate the IPv6 in IPv4
and THEN run that over the IPSec tunnel.  :-(  The Join project out of
Germany was using OpenVPN as an IPv6 tunnel broker service.  They even
turned off encryption, since all they wanted was the UDP encapsulation
of IPv6 running over IPv4 and they couldn't afford the performance hit
and scaling problems.  I'm using it in this way for my own personal
tunnelbroker service when I'm running roadwarrior and want IPv6 from
wherever I'm located and I don't want to dink with 6to4 (which sucks
over NAT).

	For the record...  I've got all of the above, IPSec (AH/ESP), IPSec
NAT-T, and OpenVPN VPN, in place at several locations (some side by side
on my tunnel anchors even) for IPv4 and IPv6.

	My recommendation would be based on the intended application and
environment.  If your application is performance sensitive or involves a
large number of connections or something more complicated than a simple
star, then I would go with IPSec.  If you have to also traverse NATs,
then IPSec NAT-T.  Not performance sensitive or scaling sensitive, then
OpenVPN is just fine and probably easier to set up for smaller VPNs.

	Also for the record (regarding the CIPE comment in the original
article)...  It wasn't RedHat or Fedora that abandoned CIPE.  The author
abandoned it and it's been an orphan for about 2 years now.  Last I
looked, he hadn't posted to his own mailing list (even to respond to
repeated requests) in over 18 months (this may have changed - last I
looked was a couple of months ago).  This is even after some security
problems have cropped up.  Anyone who IS using CIPE should probably STOP
using CIPE.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
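The peer-to-peer scaling point made above (every tunnel in a full mesh needs its own UDP endpoint port and its own static key, so the count grows as n(n-1)/2) is easiest to see by generating the configurations. The script below is an added example, not code from the original post or from the OpenVPN project: it emits one OpenVPN 2.x point-to-point (static-key) config per ordered host pair. The host names, the 10.99.0.0/16 tunnel range, the base port and the port-allocation scheme are all constructed for the example and assume fewer than 100 hosts.

```shell
#!/bin/sh
# Added example (not from the original post): generate OpenVPN 2.x
# point-to-point (static-key) configs for a FULL MESH of hosts, to make
# the "unique UDP endpoint port per tunnel" cost concrete.
# Host names, the 10.99.0.0/16 range and the port scheme are constructed
# for this example; adjust them for a real deployment.

HOSTS="alpha beta gamma delta"   # hypothetical hosts, one tunnel per pair
BASE_PORT=5000                   # hypothetical; scheme assumes < 100 hosts

host_count() { set -- $HOSTS; echo $#; }

# host_name INDEX -> name (1-based index into HOSTS)
host_name() { hn_i=$1; set -- $HOSTS; eval echo "\${$hn_i}"; }

# Tunnels (and therefore static keys) in a full mesh of N hosts: N(N-1)/2
mesh_tunnel_count() { echo $(( $1 * ($1 - 1) / 2 )); }

# Unique index for the unordered pair {i,j}; drives both the port and the
# tunnel addresses so the two ends of a tunnel always agree.
pair_index() {
    if [ "$1" -lt "$2" ]; then echo $(( $1 * 100 + $2 ))
    else echo $(( $2 * 100 + $1 )); fi
}

# One UDP port per tunnel: every host ends up listening on N-1 ports.
tunnel_port() { echo $(( BASE_PORT + $(pair_index "$1" "$2") )); }

# tunnel_addr I J -> the address host I uses on its tunnel to host J.
# The lower-numbered host takes .1 and the other .2 of a /30 carved
# out of 10.99.0.0/16 by the pair index.
tunnel_addr() {
    ta_idx=$(pair_index "$1" "$2")
    ta_third=$(( ta_idx / 64 ))
    ta_base=$(( (ta_idx % 64) * 4 ))
    if [ "$1" -lt "$2" ]; then ta_last=1; else ta_last=2; fi
    echo "10.99.$ta_third.$(( ta_base + ta_last ))"
}

# peer_config I J -> OpenVPN config text for host I's tunnel to host J.
peer_config() {
    pc_port=$(tunnel_port "$1" "$2")
    pc_a=$(host_name "$1"); pc_b=$(host_name "$2")
    if [ "$1" -lt "$2" ]; then pc_key="$pc_a-$pc_b"; else pc_key="$pc_b-$pc_a"; fi
cat <<EOF
# $pc_a -> $pc_b (OpenVPN 2.x point-to-point mode, static key)
# key made with: openvpn --genkey --secret keys/$pc_key.key
dev tun
proto udp
remote $pc_b $pc_port
lport $pc_port
ifconfig $(tunnel_addr "$1" "$2") $(tunnel_addr "$2" "$1")
secret keys/$pc_key.key
keepalive 10 60
persist-key
persist-tun
EOF
}

# gen_mesh OUTDIR -> writes one .conf per ordered pair, prints a summary.
gen_mesh() {
    gm_n=$(host_count)
    mkdir -p "$1"
    gm_i=1
    while [ "$gm_i" -le "$gm_n" ]; do
        gm_j=1
        while [ "$gm_j" -le "$gm_n" ]; do
            if [ "$gm_i" -ne "$gm_j" ]; then
                peer_config "$gm_i" "$gm_j" \
                    > "$1/$(host_name "$gm_i")-to-$(host_name "$gm_j").conf"
            fi
            gm_j=$(( gm_j + 1 ))
        done
        gm_i=$(( gm_i + 1 ))
    done
    echo "$gm_n hosts: $(mesh_tunnel_count "$gm_n") tunnels/keys," \
         "each host listens on $(( gm_n - 1 )) UDP ports"
}

# Usage: MESH_OUT=/tmp/mesh sh mesh.sh
if [ -n "${MESH_OUT:-}" ]; then gen_mesh "$MESH_OUT"; fi
```

Every one of those ports has to be reachable end to end, which is the part that gets unwieldy behind NATs and firewalls; adding a fifth host means four new ports and four new keys on top of the existing six tunnels, which is the n^2 growth the post describes.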