
Re: ssh tunnels or openvpn/IPsec?



Petter Adsen wrote:
> Now the question becomes; AFAIK, I could do this with ssh tunnels and
> forward the ports on my router/firewall, or I could use something like
> openvpn or IPsec (strongswan).

Yes.  Exactly.

Also 'stunnel4' is useful too.

I would avoid IPsec.  Last I looked there were more than 55 RFCs that
had some impact on IPsec.  It has traditionally been rather a messy
thing.

> The problem is that I haven't really messed with any of these before
> - what would be the best choice in this situation?
>
> Note that I'm not asking for a complete configuration, all I want is
> some advice as to which of these technologies I should begin to read up
> on. The IPsec article on the Debian wiki is from Sarge, so it is quite
> outdated, but the openvpn article is recent and seems helpful.
> 
> Any insights/advice/links, etc?

Using ssh tunnels will get you 80% with 20% of the work.  Using
OpenVPN will get you 100% with 100% of the work.  Using 'autossh' to
manage ssh tunnels is very reliable to run and very quick and easy to
set up.

I use all of autossh/ssh tunnels, stunnel4, openvpn in different
places.  I tend to like and use the autossh/ssh tunnels because they
are quick and easy and work well enough that I can move along to
something else without spending a lifetime managing them.  It doesn't
require any routing table modifications.

I like stunnel4 for some things because it also is very easy to set up
and very reliable.  Either ssh or stunnel would seem to be good, simple,
effective choices for remote syslogging.  I might lean toward stunnel
for this.  It all depends.  Using stunnel benefits if you have signed
https ssl certificates already that can be verified by stunnel.

Both ssh and stunnel use TCP which means that in terms of ultimate
performance and ultimate efficiency you are ending up with TCP over
TCP and that isn't perfect.  TCP over TCP will use some resources and
time transporting packets somewhat inefficiently.  I think for your
example of using remote syslog logging I wouldn't worry about it.  It
is a non-interactive task and the machines won't care when talking to
each other.  No one will ever notice the inefficiency.

When operating interactively, such as working from my laptop to my
remote servers, I am usually interactive.  That is when transport
artifacts of latency become noticeable and annoying.  There I have put
in the extra work to set up openvpn for the 100% solution.  It uses
UDP for the transport avoiding the TCP over TCP issues.  It is more
work to set up initially due to dealing with setting up ssl
certificates and routing.  But having set it up it is a high
performance solution that does 100% of the job.

I would probably start your remote syslog task using autossh/ssh and
then worry about doing something more when the need for more arises
and not before.

Bob

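The autossh/ssh tunnel for remote syslog that the reply above recommends, written out as an added example (this is not code from the original thread, and not a configuration either poster supplied). It builds the autossh command line for a local forward, the server-side authorized_keys entry that confines the key to that single forward, and the rsyslog rules on both ends. The hostname loghost.example.org, the account logtunnel, the key path, and the port numbers are assumptions; the rsyslog input syntax assumes rsyslog 8.

```shell
#!/bin/sh
# Added example: persistent ssh tunnel for remote syslog, managed by autossh.
# All hosts, users, ports and paths below are assumed values for illustration.
set -u

LOGHOST="loghost.example.org"          # assumed remote syslog server
TUNNEL_USER="logtunnel"                # assumed unprivileged account on LOGHOST
LOCAL_PORT=5140                        # client-side end of the tunnel
REMOTE_PORT=514                        # rsyslog TCP listener on LOGHOST
KEY="$HOME/.ssh/id_ed25519_logtunnel"  # assumed dedicated tunnel key

# Command line for the client side.  -M 0 turns off autossh's own monitor
# port and relies on ssh's ServerAlive* options to detect a dead link;
# ExitOnForwardFailure makes ssh exit (and autossh restart it) when the
# forward cannot be set up; -N requests no shell.  The local listener is
# bound to 127.0.0.1 so only this host can inject into the tunnel.
autossh_tunnel_cmd() {
    printf '%s' "autossh -M 0 -f -N \
-o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes \
-i $KEY -L 127.0.0.1:$LOCAL_PORT:127.0.0.1:$REMOTE_PORT $TUNNEL_USER@$LOGHOST"
}

# authorized_keys line for LOGHOST.  'restrict' disables pty, agent, X11 and
# all forwarding; 'port-forwarding' re-enables forwarding; 'permitopen'
# limits -L forwards to the syslog port on loopback, so a stolen key buys
# nothing but the ability to send logs.
# $1 is the client's public key text, e.g. "ssh-ed25519 AAAA... comment".
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s' \
        "$REMOTE_PORT" "$1"
}

# rsyslog rule for the client: forward everything over TCP (@@) into the
# local end of the tunnel rather than straight across the network.
rsyslog_client_rule() {
    printf '*.* @@127.0.0.1:%s' "$LOCAL_PORT"
}

# rsyslog input for LOGHOST: listen on loopback only, so the only way to
# reach port 514 is through the ssh tunnel.
rsyslog_server_input() {
    printf 'module(load="imtcp")\ninput(type="imtcp" port="%s" address="127.0.0.1")' \
        "$REMOTE_PORT"
}

# Print the pieces; pass "run" as the first argument to actually start
# the tunnel on the client.
if [ "${1:-}" = "run" ]; then
    eval "$(autossh_tunnel_cmd)"
else
    echo "# client: start the tunnel with"; autossh_tunnel_cmd; echo
    echo "# server: ~$TUNNEL_USER/.ssh/authorized_keys entry"
    authorized_keys_line "ssh-ed25519 AAAA...client-public-key... syslog-tunnel"; echo
    echo "# client: /etc/rsyslog.d/remote.conf"; rsyslog_client_rule; echo
    echo "# server: /etc/rsyslog.d/listen.conf"; rsyslog_server_input; echo
fi
```

The client never talks to port 514 on the wire; rsyslog writes to 127.0.0.1:5140, ssh carries it, and sshd on the log host delivers to 127.0.0.1:514. Because the listener on the log host is bound to loopback and the key is limited by permitopen, the exposure is one ssh port on the router and one forward target, which is the 80%-for-20% trade-off the reply describes.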