On Sat, 9 May 2015 18:49:27 -0600 Bob Proulx <b...@proulx.com> wrote:
> Petter Adsen wrote:
> > Now the question becomes; AFAIK, I could do this with ssh tunnels
> > and forward the ports on my router/firewall, or I could use
> > something like openvpn or IPsec (strongswan).
>
> Yes. Exactly.
>
> Also 'stunnel4' is useful too.

Thanks, I didn't know about that one.

> I would avoid IPsec. Last I looked there were more than 55 RFCs that
> had some impact on IPsec. It has traditionally been rather of a messy
> thing.

Urgh, that sounds painful. I think I will steer clear of that, then.
That would also explain why there is so little info on it on both the
Debian and the Arch wikis.

> > The problem is that I haven't really messed with any of these before
> > - what would be the best choice in this situation?
> >
> > Note that I'm not asking for a complete configuration, all I want is
> > some advice as to which of these technologies I should begin to
> > read up on. The IPsec article on the Debian wiki is from Sarge, so
> > it is quite outdated, but the openvpn article is recent and seems
> > helpful.
> >
> > Any insights/advice/links, etc?
>
> Using ssh tunnels will get you 80% with 20% of the work. Using
> OpenVPN will get you 100% with 100% of the work. Using 'autossh' to
> manage ssh tunnels is very reliable to run and very quick and easy to
> set up.
>
> I use all of autossh/ssh tunnels, stunnel4, openvpn in different
> places. I tend to like and use the autossh/ssh tunnels because they
> are quick and easy and work well enough that I can move along to
> something else without spending a lifetime managing them. It doesn't
> require any routing table modifications.

Not requiring explicit routing is a bonus, but not really a dealbreaker
for me. Besides, I am sure the Debian wiki will give me enough hints to
get it right.

> I like stunnel4 for some things because it also is very easy to set up
> and very reliable. Either ssh or stunnel would seem to be good simple
> effective choices for remote syslogging. I might lean toward stunnel
> for this. It all depends. Using stunnel benefits if you have signed
> https ssl certificates already that can be verified by stunnel.

I don't already have certificates, so I would need to generate some. As
I already have a little experience with ssh and keys, it would probably
be a wiser choice.

> Both ssh and stunnel use TCP which means that in terms of ultimate
> performance and ultimate efficiency you are ending up with TCP over
> TCP and that isn't perfect. TCP over TCP will use some resources and
> time transporting packets somewhat inefficiently. I think for your
> example of using remote syslog logging I wouldn't worry about it. It
> is a non-interactive task and the machines won't care when talking to
> each other. No one will ever notice the inefficiency.
>
> When operating interactively such as working from my laptop to my
> remote servers I am usually interactive. That is when transport
> artifacts of latency become noticeable and annoying. There I have put
> in the extra work to set up openvpn for the 100% solution. It uses
> UDP for the transport avoiding the TCP over TCP issues. It is more
> work to set up initially due to dealing with setting up ssl
> certificates and routing. But having set it up it is a high
> performance solution that does 100% of the job.
>
> I would probably start your remote syslog task using autossh/ssh and
> then worry about doing something more when the need for more arises
> and not before.

Thank you for your insight, that was very informative. From what I
gather from this, it might be just as well to go straight to openvpn.
Let me explain.

Already I need rsyslog, munin, and collectd. That would require three
separate ssh/ssl tunnels. However, if I set up openvpn on the router I
will just need the one tunnel, and I can set up remote access to my
home network at the same time, with the same bits and pieces.

Actually, I won't even need to set up anything special to reach my home
network, as I would be able to reach it from the VPS - which already
has ssh open. The need to reach my home network is already here, as I
don't really have a good way of doing it currently.

One thing I forgot to ask, though: how intensive is openvpn on
resources, especially CPU and memory? I was initially thinking of
setting it up on the router, but I am a little worried that it might be
too much for it to handle. Would it be feasible/better to set it up on
a more powerful machine on the inside and forward the traffic?

And again - thanks, Bob.

Petter
-- 
"I'm ionized"
"Are you sure?"
"I'm positive."
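The "autossh/ssh tunnel for remote syslog" option that Bob recommends above, written out as an added example; this is not code from the thread or from either poster, and the hostname `vps.example.net`, the account `logtunnel`, the ports 6514/10514 and the key path `/etc/rsyslog-tunnel/id_ed25519` are assumptions chosen for illustration. The functions emit the pieces a practitioner would actually deploy (the autossh command line for the home side, the two rsyslog fragments, and an `authorized_keys` restriction for the VPS) and one sanity check that refuses a forward whose remote side is not loopback.

```shell
#!/bin/sh
# Added example, not from the thread: rsyslog over an autossh-managed ssh tunnel.
# All hostnames, ports, paths and the account name below are assumptions.

VPS_HOST="${VPS_HOST:-vps.example.net}"   # assumed VPS hostname
TUNNEL_USER="${TUNNEL_USER:-logtunnel}"   # assumed dedicated, unprivileged account on the VPS
LOCAL_PORT="${LOCAL_PORT:-6514}"          # loopback port the home rsyslog sends to
REMOTE_PORT="${REMOTE_PORT:-10514}"       # loopback port the VPS rsyslog listens on
KEY_FILE="${KEY_FILE:-/etc/rsyslog-tunnel/id_ed25519}"   # assumed key used only for this tunnel

# autossh command line for the home side.  Each option matters for an unattended tunnel:
#   -M 0                  no monitor port; rely on ServerAlive* to notice a dead link
#   -N                    forward only, never request a shell
#   ExitOnForwardFailure  ssh exits (so autossh restarts it) instead of staying
#                         "connected" with no working forward
#   ServerAliveInterval/CountMax   a hung session is torn down after about 90 s
#   BatchMode             never prompt; public-key auth only
#   StrictHostKeyChecking refuse unknown or changed host keys (pre-seed known_hosts)
#   -L lport:127.0.0.1:rport   the remote end is loopback, so the forward can only
#                         reach the VPS's own rsyslog listener
tunnel_cmd() {
    printf 'autossh -M 0 -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -o StrictHostKeyChecking=yes -i %s -L %s:127.0.0.1:%s %s@%s\n' \
        "$KEY_FILE" "$LOCAL_PORT" "$REMOTE_PORT" "$TUNNEL_USER" "$VPS_HOST"
}

# Home rsyslog: forward everything over TCP (@@) to the local end of the tunnel.
# Cleartext syslog only ever touches loopback; ssh carries it across the Internet.
client_rsyslog_conf() {
    printf '*.* @@127.0.0.1:%s\n' "$LOCAL_PORT"
}

# VPS rsyslog: a TCP listener bound to loopback only, so the port is unreachable
# from outside even if the VPS firewall is misconfigured.
server_rsyslog_conf() {
    printf 'module(load="imptcp")\ninput(type="imptcp" port="%s" address="127.0.0.1")\n' "$REMOTE_PORT"
}

# authorized_keys line for the tunnel account on the VPS.  "restrict" disables pty,
# agent/X11 forwarding and port forwarding; "port-forwarding" re-enables only that,
# and "permitopen" pins it to the rsyslog listener.  A stolen tunnel key can then do
# nothing except talk to rsyslog.  ($1: the public key line.)
server_authorized_key() {
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s\n' "$REMOTE_PORT" "$1"
}

# Pre-deployment check: succeed only if the command has at least one -L forward and
# every forward's remote side is loopback.  A forward to 0.0.0.0 or a LAN address
# would expose the cleartext syslog stream to that network.
forward_is_loopback() {
    set -- $1                    # word-split the command line into $1..$n
    found=0
    while [ $# -gt 0 ]; do
        if [ "$1" = "-L" ]; then
            shift
            [ $# -gt 0 ] || return 1
            found=1
            case "$1" in
                *:127.0.0.1:*|*:localhost:*) ;;
                *) return 1 ;;
            esac
        fi
        shift
    done
    [ "$found" -eq 1 ]
}

# Usage: print the deployable pieces and run the check on the generated command.
tunnel_cmd
client_rsyslog_conf
server_rsyslog_conf
server_authorized_key "ssh-ed25519 AAAAEXAMPLEKEY logtunnel@home"   # constructed placeholder key
forward_is_loopback "$(tunnel_cmd)" && echo "forward check: ok"
```

Two caveats worth knowing before copying this: the `restrict` keyword in `authorized_keys` needs OpenSSH 7.2 or newer on the VPS (older sshd wants the individual `no-pty,no-agent-forwarding,no-X11-forwarding` options instead), and with `-M 0` autossh only restarts ssh when ssh itself exits, so the `ServerAlive*` options are what turn a silently hung link into a restart.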