On Sun, Dec 23, 2007 at 09:04:08AM -0800, johan beisser wrote:
> My complaint with the "-w" option is not a lack of it working (works
> great), but lack of support through every OS out there; you need to
> have a tun driver, also be able to configure the remote side
> interface, not to mention the local one.
>

it is supported by every common OS out there except Windows. it does work with OpenBSD, NetBSD, FreeBSD, Darwin, Mac OS X, Linux, ...

my colleagues are using it on Mac OS 10.4 "tiger". it is required to install the latest openssh from source, because the shipped version was too old, and a tun/tap driver from
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/

i didn't test it with the latest 10.5 release yet, but apple updated to a patched version of OpenSSH 4.5 and it seems that tun support is enabled in the official build; you may still need the external tun/tap driver to use it (i will test it next year...)
http://www.opensource.apple.com/darwinsource/10.5/OpenSSH-87/

> Then there are the additional protocol resend problems due to it using
> tcp for a transport layer. For short, non-lossy, hops, this isn't a
> big deal. For lossy environments (wireless, long distances, satellite,
> asymmetrical routes, etc), the resending of tcp packets due to packet
> loss and fragmentation makes it a non-viable solution. At least, for
> anything that's going to be constant or continually used.
>

it is a pragmatic approach - if you need a permanent VPN tunnel, you should use IPsec between two OpenBSD-based gateways. but we have a very good experience with using SSH-VPN for roaming "laptop" users and it is even a big benefit to run it over TCP; you can use it almost everywhere, it is less filtered than UDP or ESP, and you can even tunnel it through HTTP proxies. and all the theoretical issues don't really affect real world use, at least from my experience.

> I'd also not use that with clients who're less technically adept.
>

i do. it is a simple shell script calling "sudo ssh ssh-gateway", you can pre-configure everything in "/var/root/.ssh/config" and assign a fancy icon to the shell command.

reyk
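
A sketch of the pre-configured setup the message describes, added here as an example and not taken from the original message. The alias `ssh-gateway` and the path `/var/root/.ssh/config` come from the message; the hostname, key path and keepalive values are assumptions.

```sshconfig
# ---- client: /var/root/.ssh/config (read when the wrapper runs "sudo ssh ssh-gateway") ----
Host ssh-gateway
    # Assumption: placeholder gateway name, replace with the real one.
    HostName gateway.example.org
    # Assumption: a dedicated key used only for the VPN login.
    IdentityFile /var/root/.ssh/id_vpn
    IdentitiesOnly yes
    # Equivalent of "-w any:any": layer-3 tun forwarding, next free
    # tun device on both the local and the remote side.
    Tunnel point-to-point
    TunnelDevice any:any
    # Fail the login instead of leaving a session without a tunnel
    # when the tun device cannot be set up.
    ExitOnForwardFailure yes
    # Roaming laptops: notice a dead TCP path within about 45 seconds.
    ServerAliveInterval 15
    ServerAliveCountMax 3

# ---- gateway: sshd_config ----
# Tunnel forwarding is off by default. Allow layer-3 tunnels only,
# not ethernet (tap) bridging.
PermitTunnel point-to-point
# Assumption: the account used on the gateway is allowed to open tun
# devices there. ssh only forwards packets between the two tun devices;
# interface addresses and routes are still configured separately on
# both sides, as the quoted complaint notes.
```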