[Freeipa-users] Give laptops bidirectional anywhere access to freeipa and /home/

Rob Townley rob.townley at gmail.com
Thu May 13 09:32:45 UTC 2010


On Wed, May 12, 2010 at 2:04 PM, Simo Sorce <ssorce at redhat.com> wrote:
> On Wed, 12 May 2010 12:24:00 -0500
> Rob Townley <rob.townley at gmail.com> wrote:
>
>> The main difference between tinc vpns and traditional vpns is that
>> tinc is bidirectional and does not require the user to enter a
>> username and password.  So if the computer is turned on, the remote
>> machine is reachable by the IT department.  If it is a Windows
>> machine, you may want to verify antivirus signatures are up-to-date.
>> FusionInventory could be used to push software.
>>
>> Yes, it is a machine level as opposed to user level vpn.  tinc would
>> have to run on all machines to make it the easiest to use.  With freeipa,
>> that could be easy.
>>
>> The keys currently are RSA public / private keypairs.
>>
>> Does not have existing code to work with ldap / kerberos as far as i
>> know.
>
> Looks interesting, do you know what's the difference between tinc and
> something like openvpn ? Is it just the fact that tinc allows inbound
> connections, or is there more ?

Tinc is a peer-to-peer vpn in the class of Hamachi, wippien (a
jabberd-based one), n2n from the ntop creators, and others.  p2p vpns can
have a central server to register dynamic dns and nat port entries, and
store public keys, but traffic would not necessarily pass through a
central server.

-p2p vpns connect to multiple "servers" simultaneously in more of a grid
topology.  Nodes can connect to multiple branch / home offices
simultaneously and directly.  Whereas OpenVPN is a star topology:
all traffic must go through a single central vpn server.  Yes, there
can be more than one OpenVPN server, but the client can connect to
only one at a time.

-tinc is activated on boot up whether or not someone is logged in at
the console.  The default for vpnc / OpenVPN is for a user to enter a
username / password.  There are ways to automate the openvpn client
logon (saved password?), but it is probably disconnected when no one has
authenticated at the console.  With tinc, IT gets remote access to the
machine at any time.  With OpenVPN, you may need to call the user at
3am to reconnect after Windows automatic updates initiates a machine
restart.

-p2p vpns can be much closer to zero configuration which is important
when there is not a full time IT staff.  i see myself using tinc /
freeipa / fusioninventory to administer remotely located family
machines.


i looked at OpenVPN.net again for the first time in a long time.  It
is so much more than it used to be, but i believe it still falls
short.  i am no expert on vpns.  i know OpenVPN is a great product to
many people and it may even be more secure in and of itself as a vpn
product.  But holistically, the biggest vulnerability to the entire
infrastructure is the discontinuously connected laptops.  Patches are
not applied because IT does not have access.  tinc provides always-on
access, so remote machines can be updated.  Of course, i am thinking
of Windows patch management insanity, not yum-updatesd bliss.

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
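As an added illustration of the mesh and boot-time points made above (not code from this thread or from the tinc project), here is a shell function that writes a tinc 1.0 configuration for a laptop that dials two sites at once and is started by the init script at boot; every node name, hostname and subnet in it is a constructed placeholder.

```shell
#!/bin/sh
# Writes a tinc 1.0 config for a laptop that keeps connections to two sites
# at once (several ConnectTo lines = mesh, not star) and is started at boot
# via nets.boot, so no console login is needed. All names/addresses are
# constructed placeholders, not real infrastructure.
write_tinc_laptop_config() {
    root="${1:-/etc/tinc}"        # config root; pass a scratch dir to preview
    net="$root/corpvpn"
    mkdir -p "$net/hosts"

    # Main node config: one Name, as many ConnectTo lines as peers to dial.
    cat > "$net/tinc.conf" <<EOF
Name = laptop01
Mode = router
ConnectTo = office
ConnectTo = homeoffice
EOF

    # Host files: where each peer is reachable and which VPN subnet it owns.
    # The peer's RSA public key follows these settings (omitted here).
    cat > "$net/hosts/office" <<EOF
Address = vpn.office.example.com
Subnet = 10.10.0.1/32
Subnet = 192.168.10.0/24
EOF
    cat > "$net/hosts/homeoffice" <<EOF
Address = home.example.net
Subnet = 10.10.0.2/32
EOF
    # This laptop's own host file: it sits behind NAT, so no Address line;
    # it dials the peers, and traffic then flows in both directions.
    cat > "$net/hosts/laptop01" <<EOF
Subnet = 10.10.0.50/32
EOF

    # Interface setup script that tincd runs once the VPN device is up.
    cat > "$net/tinc-up" <<'EOF'
#!/bin/sh
ifconfig "$INTERFACE" 10.10.0.50 netmask 255.255.0.0
EOF
    chmod 755 "$net/tinc-up"

    # Listing the network here makes the init script start it at boot.
    echo corpvpn >> "$root/nets.boot"
}
# Count the peers this node will dial, read back from the written tinc.conf.
count_connect_to() {
    grep -c '^ConnectTo' "$1/corpvpn/tinc.conf"
}
```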