On Tuesday 12 February 2008, Grant wrote:
> > I don't think you need a VPN to SSH from your laptop to the remote
> > server -- SSH is already encrypted.
>
> For sure, but it seems like running SSH inside a VPN is better for
> security than running SSH on a non-standard port or even port
> knocking. If I need to set up a VPN for printing, shouldn't I use it
> for other stuff too? Maybe not, I have yet to actually use a VPN so
> please correct me if I'm wrong.
The name tells you everything you need to know. vpn is Virtual Private *Network*. If you would normally have a dedicated line between this place and that place to form a network, but this is too expensive so you use the internet instead, then you use a vpn. Why? Because the internet is a public pathway and you don't want your stuff out in the open.

If you want a client machine somewhere to connect to a server machine somewhere else, then this is normal internet connectivity and vpn is the wrong thing. If you want the client machine to be part of the same network the server is on so that lots of stuff works the way it does in the office itself, then vpn is the correct thing.

Even if you just want to encrypt some clear-text protocol that doesn't have an encrypted equivalent, a vpn is still overkill. For that you use ssh tunneling (which is essentially the same thing as an encrypted version of a protocol). 'ssh -X' is the classic example of easily tunneling a protocol that doesn't have a native encrypted equivalent.

Your statement "it seems like running SSH inside a VPN is better for security than running SSH on a non-standard port" is nonsensical. From a security and encryption perspective, ssh and OpenVPN are exactly the same thing - stuff wrapped in an encryption layer provided by ssl, complete with exactly the same key setup should you choose to use that route.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
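The ssh-tunnel alternative Alan describes, applied to Grant's printing case, as an added example that is not part of the thread: a local `ssh -L` forward carries the clear-text IPP/CUPS protocol (TCP 631) to the remote print server, and `lp -h` is pointed at the local end. The user name, host name and ports are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original thread: forward a clear-text printing
# protocol (IPP/CUPS, TCP 631) through ssh -L instead of setting up a VPN.
# The user, host and ports below are placeholders, not values from the post.

REMOTE_USER="user"            # placeholder
REMOTE_HOST="print-server"    # placeholder
REMOTE_PORT=631               # CUPS/IPP port on the remote side
LOCAL_PORT=6631               # unprivileged port to listen on locally

# Compose the ssh arguments as one string so they can be inspected and
# checked without opening a connection.
tunnel_args() {
    # -N : no remote shell, forwarding only
    # -L : local forward, bound to 127.0.0.1 so other hosts on the LAN
    #      cannot ride the tunnel to the print server
    # ExitOnForwardFailure=yes : exit instead of silently running without
    #      the forward (e.g. when LOCAL_PORT is already in use)
    printf '%s' "-N -o ExitOnForwardFailure=yes -L 127.0.0.1:${LOCAL_PORT}:localhost:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}"
}

# Start the tunnel in the background; its PID is left in SSH_PID so the
# caller can tear it down after printing.
start_tunnel() {
    # shellcheck disable=SC2046  (word splitting of the argument string is intended)
    ssh $(tunnel_args) &
    SSH_PID=$!
}

# Submit a file through the tunnel: CUPS' lp accepts -h host:port, so the
# print job goes to the local end of the forward and reaches the remote
# CUPS daemon encrypted by ssh, with no VPN involved.
print_via_tunnel() {
    lp -h "127.0.0.1:${LOCAL_PORT}" "$1"
}

# Usage:
#   start_tunnel
#   print_via_tunnel report.pdf
#   kill "$SSH_PID"
```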