> There must be something I'm missing. What's wrong with SSH port forwarding? It must be able to forward traffic such as web, etc. using a proxy which listens on localhost:someport and forwards traffic through the SSH tunnel.
Two reasons:

1. We can't guess all the ports that will need to be forwarded. Today it may just be pop3, smtp, and ftp. Tomorrow they may want to use instant messenger. Then we hit limits on how many ssh processes can actually run on the local machine before it bogs down.

2. We aren't wanting to just secure ports to specific destinations. We want to secure the entire connection.

Here's the exact situation. Several guys go on a trip together. They use laptops on free wireless access points to connect to the Internet and to our servers. Wireless is insecure (and its insecurity is turning into a big business for me). So when they read pop3 email, their passwords and account names and entire emails go across the insecure wireless link where everyone can read them (this is just one example of insecure activity; there are many). So we create a vpn connection using the windows vpn client to our server. That works great with one connection. As soon as the second connection fires up, the SNATing wireless access point can't keep track of which client the return GRE traffic belongs to, and their vpn connections break. So by encapsulating the entire connection in a tcp tunnel with the GRE and company going through it, the wireless access point never sees the GRE or VPN. It just sees the tcp tunnel.

I like the openvpn solution proposed. I've used openvpn extensively and like the idea of having it run as a service on the windows computer. I'll just write a gui front end to start it up and shut it down as directed by the end user. It can be configured to forward all traffic down the ssl vpn. And since it's already ssl secured, it won't require running the m$ vpn client. Of course, for the really paranoid we can still offer that on top of the ssl vpn.

Even though I have used openvpn, it was always linux-to-linux, and I didn't even think about using the windows client as a solution for this problem. Thanks for all you guys' help!
_______________________________________________ msvc mailing list [email protected] See http://beginthread.com/mailman/listinfo/msvc_beginthread.com for subscription changes, and list archive.
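The setup the post settles on, a single TCP tunnel per laptop that carries all traffic so the access point's NAT only ever sees one TCP flow, as an added example that is not part of the original thread: a minimal OpenVPN server and client config pair. Hostnames, file names and the 10.8.0.0/24 tunnel subnet are constructed placeholders.

```conf
# --- server.conf (constructed example; runs on the Linux server) ---
port 443                    # TCP/443 passes most hotspot firewalls
proto tcp-server            # TCP, not UDP: one TCP flow per client is all the NAT sees
dev tun
ca   ca.crt                 # placeholder PKI files
cert server.crt
key  server.key
dh   dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"        # send ALL client traffic through the tunnel
push "dhcp-option DNS 10.8.0.1"     # keep DNS lookups inside the tunnel too
keepalive 10 60
persist-key
persist-tun

# --- laptop1.ovpn (constructed example; dropped in the OpenVPN config dir on the Windows laptop) ---
client
dev tun
proto tcp-client
remote vpn.example.com 443          # placeholder server name
resolv-retry infinite
nobind
persist-key
persist-tun
ca   ca.crt
cert laptop1.crt                    # one certificate per laptop, not a shared key
key  laptop1.key
remote-cert-tls server              # refuse to connect to anything but a server certificate
redirect-gateway def1               # belt-and-braces: also set locally, in case the push is lost
verb 3
```

Because every client then reaches the server over its own TCP connection, a second or third laptop behind the same SNATing access point gets its own NAT table entry, which is exactly what the GRE-based PPTP session lacked; pop3/smtp/ftp and anything added later all ride the same tunnel with no per-port forwarding.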
