On Sun, Dec 23, 2007 at 09:04:08AM -0800, johan beisser wrote:
> My complaint with the "-w" option is not a lack of it working (works  
> great), but lack of support through every OS out there; you need to  
> have a tun driver, also be able to configure the remote side  
> interface, not to mention the local one.
> 

it is supported by every common OS out there except Windows. it does
work with OpenBSD, NetBSD, FreeBSD, Darwin, Mac OS X, Linux, ...

my colleagues are using it on Mac OS 10.4 "tiger". it is required to
install the latest openssh from source, because the shipped version
was too old, and a tun/tap driver from

        http://www-user.rhrk.uni-kl.de/~nissler/tuntap/

i didn't test it with the latest 10.5 release yet, but apple updated
to a patched version of OpenSSH 4.5 and it seems that tun support is
enabled in the official build; you may still need the external tun/tap
driver to use it (i will test it next year...)

        http://www.opensource.apple.com/darwinsource/10.5/OpenSSH-87/

> Then there are the additional protocol resend problems due to it using  
> tcp for a transport layer. For short, non-lossy hops, this isn't a  
> big deal. For lossy environments (wireless, long distances, satellite,  
> asymmetrical routes, etc), the resending of tcp packets due to packet  
> loss and fragmentation makes it a non-viable solution. At least, for  
> anything that's going to be constant or continually used.
> 

it is a pragmatic approach - if you need a permanent VPN tunnel, you
should use IPsec between two OpenBSD-based gateways. but we have a
very good experience with using SSH-VPN for roaming "laptop" users and
it is even a big benefit to run it over TCP; you can use it almost
everywhere, it is less filtered than UDP or ESP, and you can even
tunnel it through HTTP proxies. and all the theoretical issues don't
really affect real world use, at least from my experience.

> I'd also not use that with clients who're less technically adept.
> 

i do. it is a simple shell script calling "sudo ssh ssh-gateway", you
can pre-configure everything in "/var/root/.ssh/config" and assign a
fancy icon to the shell command.

reyk
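The "simple shell script" setup described in the reply above, written out as an added example (not reyk's script and not part of the original thread): the client stanza for /var/root/.ssh/config, the gateway-side authorized_keys line that pins the key to one tun device and one forced command, and the wrapper the icon calls. The gateway alias ssh-gateway, the tun0/10.99.0.0/30 addressing and the 10.10.0.0/16 inner network are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: the "simple shell script"
# wrapper for an ssh -w layer-3 VPN and the config pieces it relies on.
# Assumptions (all constructed): gateway alias ssh-gateway, tun0 on both
# ends, 10.99.0.2 (laptop) <-> 10.99.0.1 (gateway), 10.10.0.0/16 behind it.
set -e

GW_HOST=${GW_HOST:-gw.example.org}
LOCAL_ADDR=${LOCAL_ADDR:-10.99.0.2}
GW_ADDR=${GW_ADDR:-10.99.0.1}
INNER_NET=${INNER_NET:-10.10.0.0/16}

# Stanza for /var/root/.ssh/config on the laptop. Tunnel/TunnelDevice is
# the config-file form of "ssh -w 0:0"; LocalCommand configures tun0 and
# the route locally as soon as the session is up, so the user types nothing.
client_config() {
    cat <<EOF
Host ssh-gateway
    HostName $GW_HOST
    User root
    IdentityFile /var/root/.ssh/id_vpn
    Tunnel point-to-point
    TunnelDevice 0:0
    PermitLocalCommand yes
    LocalCommand ifconfig tun0 $LOCAL_ADDR $GW_ADDR netmask 255.255.255.252 && route add -net $INNER_NET $GW_ADDR
    ServerAliveInterval 15
    ServerAliveCountMax 3
EOF
}

# Gateway side, /root/.ssh/authorized_keys: pin this key to tun0 and to a
# single forced command, and disable everything else a root session could do.
# Pair it with "PermitRootLogin forced-commands-only" and
# "PermitTunnel point-to-point" in the gateway's sshd_config; the gateway's
# end of the point-to-point link lives in its /etc/hostname.tun0.
authorized_key_line() {
    pubkey=$1
    printf 'tunnel="0",command="sh /etc/netstart tun0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$pubkey"
}

# What the desktop icon calls: background after authentication, run "true"
# remotely only so the forced command configures tun0 there, keep the tunnel.
vpn_up() {
    sudo ssh -f ssh-gateway true
}
```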
