[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Live with VPN for remote access

On 13/10/11 18:38, Daniel Baumann wrote:
> On 10/13/2011 05:22 PM, Daniel Pocock wrote:
>> which type of VPN is most appropriate and easy to set up with Debian Live?
> regarding 'apropriate': i personally would probably go with ipsec if the
> image would be for me only, however, simple ssh tunnel looks like the
> better generic/compatible solution.

IPsec is good, but it entails virtual IP allocation, etc.  As the Debian
Live media is portable (and easily lost or stolen), the server needs to
heavily filter any IP traffic from the Live host.  This could be done
using a custom updown script with StrongSWAN (just using
leftfirewall=yes allows all IP traffic through the tunnel).

ssh is the opposite, it only does the port forwarding that is explicitly
requested - but ssh is not `always up' in the way IPsec is.  Something
needs to start it and make sure it stays running.  inittab and cron jobs
come to mind.

In both cases (IPsec or ssh), some kind of cert or key pair needs to be
installed in the ISO image.  Can you make any comment on how key
generation (and maybe even a CSR workflow) could or should be integrated
in the live-build workflow?  It occurred to me that

- it may be useful to have some convenient way of making a series of
discs where each one has a distinct key or cert, but otherwise identical

- and also, several apps on the disc may want to share in a single cert
(e.g. in addition to the VPN, some HTTP client code may want to use the
same cert for authenticating itself)

> regarding 'easy': wrt/ debian-live, it's all the same.

I agree - I've built 4 images already, every one of them worked
immediately and with minimal effort

Reply to: