
RE: ssh tunnels or openvpn/IPsec?



Hello Peter


>> Petter Adsen wrote:
>> > Now the question becomes; AFAIK, I could do this with ssh tunnels 
>> > and forward the ports on my router/firewall, or I could use 
>> > something like openvpn or IPsec (strongswan).
>> 
>> Yes.  Exactly.
>> 
>> Also 'stunnel4' is useful too.
>
> Thanks, I didn't know about that one.
>
> [....]
>
> Thank you for your insight, that was very informative. From what I
> gather from this, it might be just as well to go straight to openvpn.
>
> Let me explain. Already I need rsyslog, munin, and collectd. That would
> require three separate ssh/ssl tunnels. However, if I set up openvpn on
> the router I will just need the one tunnel, and I can set up remote
> access to my home network at the same time, with the same bits and pieces.

[...]

> One thing I forgot to ask, though: how intensive is openvpn on resources,
> especially CPU and memory? I was initially thinking of setting it up on the
> router, but I am a little worried that it might be too much for it to handle.
> Would it be feasible/better to set it up on a more powerful machine on the
> inside and forward the traffic?

Lots of people set up openvpn on the router if the router is capable of it. In your case the amount of traffic is definitely something a regular router should be able to handle. The most CPU is used when openvpn (re)negotiates a session key, which it does by default every hour.
If you find out you need more power, simply create a rule on your router to forward UDP 1194 to an inside machine and have openvpn running there.

It is very easy to set up; for SSL keys there is a separate set of scripts called easy-rsa that will let you create the keys with the proper settings in no time.

If you want more information about openvpn, use the openvpn users list (openvpn-users@lists.sourceforge.net).
There is a commercial version too, which has commercial support, but you want the community version which comes with Debian.

Bonno Bloksma
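
The port forward described in the message above, as an added example that is not part of the original post: a script that prints, for review, the two rules a Linux router would need to pass UDP 1194 to an inside OpenVPN machine. It assumes the router filters with iptables; the interface name `eth0`, the address `192.168.1.10` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Prints (does not apply) the
# router rules that forward the OpenVPN port to an inside machine.
VPN_PORT=1194   # UDP port named in the message

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit_forward_rules WAN_IF INSIDE_IP: print the DNAT and FORWARD rules.
emit_forward_rules() {
    wan_if=$1
    inside_ip=$2
    # Reject anything that is not a plain interface name, so the output is
    # safe to review and then pipe to a root shell.
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 2 ;;
    esac
    is_ipv4 "$inside_ip" || { echo "bad address: $inside_ip" >&2; return 2; }
    # Rewrite the destination of VPN packets arriving on the WAN side.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p udp --dport $VPN_PORT" \
         "-j DNAT --to-destination $inside_ip:$VPN_PORT"
    # Let only that one forwarded flow through to the inside machine.
    echo "iptables -A FORWARD -i $wan_if -d $inside_ip -p udp" \
         "--dport $VPN_PORT -j ACCEPT"
}

# Assumed values: eth0 is the WAN interface, 192.168.1.10 the OpenVPN host.
emit_forward_rules eth0 192.168.1.10
```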

