Hi Grant,

On Thu, Feb 14, 2008 at 1:19 AM, Grant <[EMAIL PROTECTED]> wrote:
> Thanks a lot for everyone's help. Here is a more to-the-point list of
> what I'd like to accomplish:
>
> 1. encrypt CUPS printouts between remote server and local print server
> 2. add an additional layer of security around SSH and CUPS on local
> firewall/print server
> 3. add an additional layer of security around SSH, IMAP, and
> non-standard port HTTPS on remote server
> 4. enable access to SMTP on remote server for me which is blocked by
> my local ISP
>
> It sounds like I have 3 choices:
>
> 1. VPN
> 2. SSH tunneling
> 3. Zebedee tunneling
>
> Would all 3 of these choices accomplish all 4 requirements? I would
> think SSH tunneling can't really add an additional layer around SSH.

I'd just like to reiterate that most of those don't need any extra
security. SSH and HTTPS are already secure, and IMAP and SMTP can be
accessed over SSL (like HTTPS). These are all secure enough to be widely
used without extra layers of encryption.

Routing your printing over a tunnel is perfectly valid and, in my
opinion, reason enough to set up OpenVPN and play with it :D

> I'd like to have something I can leave up all the time so the services
> are always protected and I don't have to go through an extra step to
> use email or print from the remote server. Can all 3 of these be left
> up all the time? Is there any reason not to leave this type of
> functionality up all the time?

I can't speak for all of those options, but OpenVPN should be able to
stay up all the time. I currently have an established OpenVPN connection
to my work; it's been up for some five days now. I also have experience
with a Cisco VPN, for which I use vpnc[1]... that thing goes down all
the time.

[1] http://www.unix-ag.uni-kl.de/~massar/vpnc/

> It sounds like VPN would be the most difficult to set up and maintain,
> followed by SSH tunneling, followed by Zebedee tunneling. Maybe I'm
> wrong though. With tunneling, would I need to set up 4 or 5 different
> tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
> using Zebedee)?

You can establish just one tunnel. Think of it this way: creating a
tunnel is analogous to adding a NIC to your system. It will be called
tun0 or tap0 (depending on whether you're tunneling or bridging). Then
your system has an IP on your physical NIC (eth0) and on your tun/tap
interface as well. Your machine is now part of two network segments, the
physical one and the virtual one. You only need one VPN tunnel; configure
all your apps to route their CUPS, IMAP, SMTP, HTTPS and SSH connections
through that virtual network.

> To send me mail, mail servers need to connect to my remote server's
> SMTP right? Would setting up a tunnel or VPN for my SMTP access
> interfere with that?

I would imagine your SMTP port needs to be accessible from the outside
world in order to receive mail... so as long as packets bound for that
machine's IP on port 25 (is it?) will reach the machine, you'll be OK.
Perhaps someone more knowledgeable on mail servers can clarify this.

At any rate, why not just go ahead with OpenVPN, set it up and see how it
works for you? You'll be in a much better position then to determine
whether it's really what you want or need.

Have fun!

Mike
-- 
gentoo-user@lists.gentoo.org mailing list
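The single-tunnel setup Mike describes, written out as an added example (editor's code, not part of the thread and not OpenVPN project code): one point-to-point OpenVPN tunnel in static-key mode between the remote server (10.8.0.1 on tun0) and the local firewall/print server (10.8.0.2 on tun0), the CUPS client setting that sends the remote server's print jobs through that tunnel, the Listen lines that keep cupsd and sshd on the local box off the physical interface, and a remote-side firewall that leaves only OpenVPN, HTTPS and inbound SMTP public. The hostname remote.example.org, the 10.8.0.0/30 addresses, the HTTPS port 443 and the file paths are all assumptions made for the example; the thread does not give them.

```shell
#!/bin/sh
# Added example, not from the thread: generate the configs for one static-key
# OpenVPN tunnel and the service settings that pin CUPS/SSH/IMAP to it.
# Every name and address here is an assumption chosen for the example.
set -eu

REMOTE_HOST=remote.example.org      # assumed public name of the remote server
VPN_REMOTE_IP=10.8.0.1              # remote server's end of the tunnel (assumed)
VPN_LOCAL_IP=10.8.0.2               # local print server's end (assumed)
HTTPS_PORT=443                      # assumed; the thread's is non-standard
STATIC_KEY=/etc/openvpn/static.key  # once, on one box: openvpn --genkey --secret static.key

# Settings shared by both ends of the tunnel.
vpn_common() {
    cat <<EOF
dev tun
proto udp
secret $STATIC_KEY
cipher AES-256-CBC
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Remote server: waits on udp/1194; "ifconfig <local> <remote>" in tun mode.
write_remote_vpn_conf() {
    {
        echo "port 1194"
        echo "ifconfig $VPN_REMOTE_IP $VPN_LOCAL_IP"
        vpn_common
    } > "$1"
}

# Local firewall/print server: dials out to the remote end, so nothing on the
# local side has to be reachable from the Internet.
write_local_vpn_conf() {
    {
        echo "remote $REMOTE_HOST 1194"
        echo "ifconfig $VPN_LOCAL_IP $VPN_REMOTE_IP"
        vpn_common
    } > "$1"
}

# /etc/cups/client.conf on the remote server: jobs go to the local cupsd via
# its tun0 address, so the printout travels inside the tunnel.
write_cups_client_conf() {
    printf 'ServerName %s:631\n' "$VPN_LOCAL_IP" > "$1"
}

# Local print server: cupsd.conf Listen lines and sshd_config ListenAddress
# so neither daemon answers on the physical NIC (eth0) at all.
write_local_listen_conf() {
    {
        echo "# cupsd.conf"
        echo "Listen localhost:631"
        echo "Listen $VPN_LOCAL_IP:631"
        echo "# sshd_config"
        echo "ListenAddress 127.0.0.1"
        echo "ListenAddress $VPN_LOCAL_IP"
    } > "$1"
}

# Remote server firewall (printed, not applied). Port 25 stays open on every
# interface so other mail servers can still deliver; through the tunnel the
# same port is reached as 10.8.0.1:25, which the local ISP cannot block.
# SSH and IMAP are accepted only when the packet arrives on tun0.
firewall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport $HTTPS_PORT -j ACCEPT
iptables -A INPUT -i tun0 -p tcp -m multiport --dports 22,143,993 -j ACCEPT
EOF
}

# Stand-alone run: write everything into a scratch directory and report it.
main() {
    out=${1:-$(mktemp -d)}
    write_remote_vpn_conf "$out/remote-openvpn.conf"
    write_local_vpn_conf "$out/local-openvpn.conf"
    write_cups_client_conf "$out/remote-cups-client.conf"
    write_local_listen_conf "$out/local-listen.conf"
    firewall_rules > "$out/remote-iptables.sh"
    echo "configs written to $out"
}

main "$@"
```

Start each end with `openvpn --config <file>` (the same static.key has to be copied to both machines over an already-trusted channel, e.g. scp). Two cautions before pinning sshd to the tunnel address on the remote box: the tun0 rule means that if OpenVPN ever dies you have no SSH path back in, so keep one out-of-band route (console, or a public sshd on a second port) until the tunnel has proven itself; and cupsd also needs `Allow from 10.8.0.0/30` in its `<Location />` block, since Listen alone only controls which addresses it binds.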