Re: ssh tunnels or openvpn/IPsec?
Thanks to everybody who contributed to this thread. It is valuable. Regards. Johann
Re: ssh tunnels or openvpn/IPsec?
Normally for ssh tunnels I use -D, which creates a local SOCKS listener (i.e. -D1080) and means you can do away with manual port forwards; you can then use a SOCKS wrapper (tsocks/dsocks) pointing at localhost to transparently proxify most applications.

Note that for UDP-based things neither -L nor -D works (you have to use ssh's VPN mode for that). Since remote syslog is UDP by default this means ssh isn't a great option (you can tunnel it via nc etc. but... annoying to set up).

On 10 May 2015 at 16:15, Joel Wirāmu Pauling wrote:
> Also consider tincd
>
> On 10 May 2015 at 04:51, Bonno Bloksma wrote:
> [...]
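The "tunnel it via nc" workaround mentioned above, worked through as an added example (this is not code from the thread or from any of its participants). ssh -L and -D only carry TCP streams, so a UDP syslog feed has to be wrapped onto a stream before it can ride a port forward, and a bare nc pipe loses datagram boundaries. The two small relays below do the wrapping with RFC 6587 octet-counting framing: the ingress relay turns each UDP datagram into a length-prefixed record on the TCP stream, the egress relay turns records back into datagrams. The demo wires the two relays together directly over loopback instead of through ssh; the port numbers (5514, 6514, 514), the host name loghost and the sample log lines are all assumptions constructed for the example.

```python
"""Added example: carry UDP syslog over an ssh -L port forward by framing
datagrams onto a TCP stream (RFC 6587 octet counting: "<len> <msg>").

Deployment shape this demo stands in for (ports and hosts are assumptions):
  sending host: app --UDP--> ingress relay 127.0.0.1:5514 --framed TCP--> 127.0.0.1:6514
                ssh -N -L 6514:127.0.0.1:6514 loghost   (carries the stream)
  log host:     sshd --> egress relay 127.0.0.1:6514 --unframe--> UDP 127.0.0.1:514 (rsyslog)
"""
import socket
import threading
from typing import List, Tuple

MAX_HEADER = 10  # an octet-count header longer than this is garbage, not a length


def frame(datagram: bytes) -> bytes:
    """Octet-counting frame: ASCII length, one space, then the raw datagram."""
    return b"%d %s" % (len(datagram), datagram)


def unframe(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Pull every complete frame out of buf; return (messages, unconsumed tail)."""
    msgs = []
    while True:
        sp = buf.find(b" ", 0, MAX_HEADER + 1)
        if sp < 0:
            if len(buf) > MAX_HEADER:
                raise ValueError("malformed frame header")  # peer is not speaking octet counting
            break  # need more bytes before the header is complete
        header = buf[:sp]
        if not header.isdigit():
            raise ValueError("malformed frame header")
        end = sp + 1 + int(header)
        if len(buf) < end:
            break  # partial frame, wait for the rest
        msgs.append(buf[sp + 1:end])
        buf = buf[end:]
    return msgs, buf


def relay_udp_to_stream(udp: socket.socket, stream: socket.socket, count: int) -> None:
    """Ingress side: frame each datagram arriving on udp onto the stream (count is demo-only)."""
    for _ in range(count):
        datagram, _ = udp.recvfrom(65535)
        stream.sendall(frame(datagram))
    stream.close()


def relay_stream_to_udp(conn: socket.socket, dest: Tuple[str, int]) -> None:
    """Egress side: unframe the stream and re-emit each message as its own UDP datagram."""
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    buf = b""
    with conn, out:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            msgs, buf = unframe(buf + chunk)
            for msg in msgs:
                out.sendto(msg, dest)


def run_loopback_demo(datagrams: List[bytes], timeout: float = 5.0) -> List[bytes]:
    """Push datagrams through ingress -> TCP -> egress on loopback; return what the sink got.
    The TCP hop is a direct loopback connection here; in real use it is the ssh -L forward."""
    sink = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # stands in for rsyslog's UDP listener
    sink.bind(("127.0.0.1", 0))
    sink.settimeout(timeout)
    sink_addr = sink.getsockname()

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # egress TCP side: bound to
    listener.bind(("127.0.0.1", 0))                               # loopback only, so just sshd's
    listener.listen(1)                                            # forwarded connections reach it
    egress_addr = listener.getsockname()

    def egress() -> None:
        conn, _ = listener.accept()
        listener.close()
        relay_stream_to_udp(conn, sink_addr)

    threading.Thread(target=egress, daemon=True).start()

    ingress = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # where the app sends its UDP syslog
    ingress.bind(("127.0.0.1", 0))
    ingress.settimeout(timeout)
    stream = socket.create_connection(egress_addr)
    threading.Thread(target=relay_udp_to_stream,
                     args=(ingress, stream, len(datagrams)), daemon=True).start()

    app = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for d in datagrams:
        app.sendto(d, ingress.getsockname())
    app.close()

    received = [sink.recv(65535) for _ in datagrams]
    sink.close()
    ingress.close()
    return received


# Constructed sample datagrams; the last one carries a newline and double spaces
# that a line-oriented nc pipe would split or merge.
SAMPLE = [
    b"<13>May 10 16:15:00 vps sshd[2314]: Accepted publickey for petter from 198.51.100.7",
    b"<34>May 10 16:15:01 vps sudo:   petter : TTY=pts/0 ; COMMAND=/bin/systemctl restart openvpn",
    b"<13>May 10 16:15:02 vps app: multi\nline  payload",
]

if __name__ == "__main__":
    for msg in run_loopback_demo(SAMPLE):
        print(msg)
```

In a real deployment both relays bind to 127.0.0.1 only: the ingress so that only local processes can inject log lines into the tunnel, the egress so that only connections arriving through sshd's forward can reach it. The framing is what makes this safe to run over a stream; without it, the egress side has no way to tell where one datagram ends and the next begins, and a single split message becomes two bogus syslog records. The alternative the thread mentions, ssh's VPN mode (-w), avoids the relays entirely but needs root on both ends to create the tun interfaces and carries the TCP-over-TCP cost discussed later in the thread.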
Re: ssh tunnels or openvpn/IPsec?
Also consider tincd

On 10 May 2015 at 04:51, Bonno Bloksma wrote:
> Hello Peter
> [...]
Re: ssh tunnels or openvpn/IPsec?
Bob Proulx wrote:
> Both ssh and stunnel use TCP which means that in terms of ultimate
> performance and ultimate efficiency you are ending up with TCP over
> TCP and that isn't perfect.

SSH local or remote port forwarding (-L/-R) does stream forwarding; it is not a layer-3 tunnel (-w), so it does not have the disadvantages of TCP over TCP.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/554f220d.3050...@plouf.fr.eu.org
RE: ssh tunnels or openvpn/IPsec?
Hello Peter

> [...]
>
> One thing I forgot to ask, though: how intensive is openvpn on resources,
> especially CPU and memory? I was initially thinking of setting it up on the
> router, but I am a little worried that it might be too much for it to handle.
> Would it be feasible/better to set it up on a more powerful machine on the
> inside and forward the traffic?

Lots of people set up openvpn on the router if the router is capable of it. In your case the amount of traffic is definitely something a regular router should be able to handle. The most CPU is used when openvpn (re)negotiates a session key, which it does by default every hour. If you find out you need more power, simply create a rule on your router to forward UDP 1194 to an inside machine and have openvpn running there.

It is very easy to set up; for the SSL keys there is a separate set of scripts called easy-rsa that will let you create the keys with the proper settings in no time.

If you want more information about openvpn, use the openvpn users list (openvpn-us...@lists.sourceforge.net). There is a commercial version too which has commercial support, but you want the community version which comes with Debian.

Bonno Bloksma

--
Archive: https://lists.debian.org/89d1798a7351d040b4e74e0a043c69d7d72e1...@hglexch-01.tio.nl
Re: ssh tunnels or openvpn/IPsec?
On Sat, 9 May 2015 18:49:27 -0600 Bob Proulx wrote:
> Petter Adsen wrote:
> > Now the question becomes; AFAIK, I could do this with ssh tunnels
> > and forward the ports on my router/firewall, or I could use
> > something like openvpn or IPsec (strongswan).
>
> Yes. Exactly.
>
> Also 'stunnel4' is useful too.

Thanks, I didn't know about that one.

> I would avoid IPsec. Last I looked there were more than 55 RFCs that
> had some impact on IPsec. It has traditionally been rather a messy
> thing.

Urgh, that sounds painful. I think I will steer clear of that, then. That would also explain why there is so little info on it on both the Debian and the Arch wikis.

> > The problem is that I haven't really messed with any of these before
> > - what would be the best choice in this situation?
> >
> > Note that I'm not asking for a complete configuration, all I want is
> > some advice as to which of these technologies I should begin to
> > read up on. The IPsec article on the Debian wiki is from Sarge, so
> > it is quite outdated, but the openvpn article is recent and seems
> > helpful.
> >
> > Any insights/advice/links, etc?
>
> Using ssh tunnels will get you 80% with 20% of the work. Using
> OpenVPN will get you 100% with 100% of the work. Using 'autossh' to
> manage ssh tunnels is very reliable to run and very quick and easy to
> set up.
>
> I use all of autossh/ssh tunnels, stunnel4, openvpn in different
> places. I tend to like and use the autossh/ssh tunnels because they
> are quick and easy and work well enough that I can move along to
> something else without spending a lifetime managing them. It doesn't
> require any routing table modifications.

Not requiring explicit routing is a bonus, but not really a dealbreaker for me. Besides, I am sure the Debian wiki will give me enough hints to get it right.

> I like stunnel4 for some things because it also is very easy to set up
> and very reliable. Either ssh or stunnel would seem to be good simple
> effective choices for remote syslogging. I might lean toward stunnel
> for this. It all depends. Using stunnel benefits if you have signed
> https ssl certificates already that can be verified by stunnel.

I don't already have certificates, so I would need to generate some. As I already have a little experience with ssh and keys, it would probably be a wiser choice.

> Both ssh and stunnel use TCP which means that in terms of ultimate
> performance and ultimate efficiency you are ending up with TCP over
> TCP and that isn't perfect. TCP over TCP will use some resources and
> time transporting packets somewhat inefficiently. I think for your
> example of using remote syslog logging I wouldn't worry about it. It
> is a non-interactive task and the machines won't care when talking to
> each other. No one will ever notice the inefficiency.
>
> When operating interactively such as working from my laptop to my
> remote servers I am usually interactive. That is when transport
> artifacts of latency become noticeable and annoying. There I have put
> in the extra work to set up openvpn for the 100% solution. It uses
> UDP for the transport avoiding the TCP over TCP issues. It is more
> work to set up initially due to dealing with setting up ssl
> certificates and routing. But having set it up it is a high
> performance solution that does 100% of the job.
>
> I would probably start your remote syslog task using autossh/ssh and
> then worry about doing something more when the need for more arises
> and not before.

Thank you for your insight, that was very informative. From what I gather from this, it might be just as well to go straight to openvpn.

Let me explain. Already I need rsyslog, munin, and collectd. That would require three separate ssh/ssl tunnels. However, if I set up openvpn on the router I will just need the one tunnel, and I can set up remote access to my home network at the same time, with the same bits and pieces. Actually, I won't even need to set up anything special to reach my home network, as I would be able to reach it from the VPS - which already has ssh open. The need to reach my home network is already here, as I don't really have a good way of doing it currently.

One thing I forgot to ask, though: how intensive is openvpn on resources, especially CPU and memory? I was initially thinking of setting it up on the router, but I am a little worried that it might be too much for it to handle. Would it be feasible/better to set it up on a more powerful machine on the inside and forward the traffic?

And again - thanks, Bob.

Petter

--
"I'm ionized"
"Are you sure?"
"I'm positive."
Re: ssh tunnels or openvpn/IPsec?
Petter Adsen wrote:
> Now the question becomes; AFAIK, I could do this with ssh tunnels and
> forward the ports on my router/firewall, or I could use something like
> openvpn or IPsec (strongswan).

Yes. Exactly.

Also 'stunnel4' is useful too.

I would avoid IPsec. Last I looked there were more than 55 RFCs that had some impact on IPsec. It has traditionally been rather a messy thing.

> The problem is that I haven't really messed with any of these before
> - what would be the best choice in this situation?
>
> Note that I'm not asking for a complete configuration, all I want is
> some advice as to which of these technologies I should begin to read up
> on. The IPsec article on the Debian wiki is from Sarge, so it is quite
> outdated, but the openvpn article is recent and seems helpful.
>
> Any insights/advice/links, etc?

Using ssh tunnels will get you 80% with 20% of the work. Using OpenVPN will get you 100% with 100% of the work. Using 'autossh' to manage ssh tunnels is very reliable to run and very quick and easy to set up.

I use all of autossh/ssh tunnels, stunnel4, openvpn in different places. I tend to like and use the autossh/ssh tunnels because they are quick and easy and work well enough that I can move along to something else without spending a lifetime managing them. It doesn't require any routing table modifications.

I like stunnel4 for some things because it also is very easy to set up and very reliable. Either ssh or stunnel would seem to be good simple effective choices for remote syslogging. I might lean toward stunnel for this. It all depends. Using stunnel benefits if you have signed https ssl certificates already that can be verified by stunnel.

Both ssh and stunnel use TCP which means that in terms of ultimate performance and ultimate efficiency you are ending up with TCP over TCP and that isn't perfect. TCP over TCP will use some resources and time transporting packets somewhat inefficiently. I think for your example of using remote syslog logging I wouldn't worry about it. It is a non-interactive task and the machines won't care when talking to each other. No one will ever notice the inefficiency.

When operating interactively such as working from my laptop to my remote servers I am usually interactive. That is when transport artifacts of latency become noticeable and annoying. There I have put in the extra work to set up openvpn for the 100% solution. It uses UDP for the transport avoiding the TCP over TCP issues. It is more work to set up initially due to dealing with setting up ssl certificates and routing. But having set it up it is a high performance solution that does 100% of the job.

I would probably start your remote syslog task using autossh/ssh and then worry about doing something more when the need for more arises and not before.

Bob