
Re: ssh tunnels or openvpn/IPsec?



Normally for ssh tunnels I use -D, which creates a local SOCKS tunnel listener (i.e. -D1080) and means you can do away with manual port forwards; you can then use a socks wrapper (tsocks/dsocks) pointing at localhost to transparently proxify most applications. Note that for UDP-based things neither -L nor -D works (you have to use ssh's VPN mode for that). Since remote syslog is UDP by default, this means ssh isn't a great option (you can tunnel it via nc etc., but... annoying to set up).



On 10 May 2015 at 16:15, Joel Wirāmu Pauling <joel@aenertia.net> wrote:
Also consider tincd

On 10 May 2015 at 04:51, Bonno Bloksma <b.bloksma@tio.nl> wrote:
Hello Peter


>> Petter Adsen wrote:
>> > Now the question becomes; AFAIK, I could do this with ssh tunnels
>> > and forward the ports on my router/firewall, or I could use
>> > something like openvpn or IPsec (strongswan).
>>
>> Yes.  Exactly.
>>
>> Also 'stunnel4' is useful too.
>
> Thanks, I didn't know about that one.
>
> [....]
>
> Thank you for your insight, that was very informative. From what I
> gather from this, it might be just as well to go straight to openvpn.
>
> Let me explain. Already I need rsyslog, munin, and collectd. That would
> require three separate ssh/ssl tunnels. However, if I set up openvpn on
> the router I will just need the one tunnel, and I can set up remote
> access to my home network at the same time, with the same bits and pieces.

[...]

> One thing I forgot to ask, though: how intensive is openvpn on resources,
> especially CPU and memory? I was initially thinking of setting it up on the
> router, but I am a little worried that it might be too much for it to handle.
> Would it be feasible/better to set it up on a more powerful machine on the
> inside and forward the traffic?

Lots of people set up openvpn on the router if the router is capable of it. In your case the amount of traffic is definitely something a regular router should be able to handle. The most CPU is used when openvpn (re)negotiates a session key, which it does by default every hour.
If you find out you need more power, simply create a rule on your router to forward udp 1194 to an inside machine and have openvpn running there.

It is very easy to set up; for SSL keys there is a separate set of scripts called easy-rsa that will let you create the keys with the proper settings in no time.

If you want more information about openvpn, use the openvpn users list (openvpn-users@lists.sourceforge.net).
There is a commercial version too, which has commercial support, but you want the community version, which comes with Debian.

Bonno Bloksma
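
Added example, not part of the original thread: a shell sketch of the point made in the messages above, that `-L`/`-D` carry TCP only, so of the three services mentioned only the TCP one can ride an ssh tunnel and the UDP senders need the VPN. The host name, the local-port offset and the munin/collectd transports and ports (their usual defaults) are assumptions.

```shell
#!/bin/sh
# Constructed service list: name, transport, port.
# rsyslog over UDP is from the thread; the munin-node and collectd
# entries are the daemons' usual defaults (assumption, check your setup).
SERVICES='rsyslog udp 514
munin-node tcp 4949
collectd udp 25826'

# Hypothetical remote host, placeholder only.
REMOTE='user@monitor.example.org'

# One "-L" option per TCP service; local port = 10000 + remote port.
tcp_forwards() {
    printf '%s\n' "$SERVICES" | while read -r name proto port; do
        case $proto in
            tcp) printf '%s %d:localhost:%d ' -L "$((10000 + port))" "$port" ;;
        esac
    done
}

# Services that neither -L nor -D can carry because they speak UDP.
udp_services() {
    printf '%s\n' "$SERVICES" | while read -r name proto port; do
        case $proto in
            udp) printf '%s/%s ' "$name" "$port" ;;
        esac
    done
}

# Full ssh command line: -N runs no remote command,
# -D 1080 opens the local SOCKS listener for a wrapper such as tsocks.
ssh_command() {
    printf 'ssh -N -D 1080 %s%s\n' "$(tcp_forwards)" "$REMOTE"
}

echo "TCP via ssh:   $(ssh_command)"
echo "UDP, use VPN:  $(udp_services)"
```

With this list, two of the three services end up on the VPN side, which is the argument in the thread for going straight to openvpn.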

