[talk] VPNs: Choosing between OpenVPN and L2TP/IPsec

Darryl Wisneski ski at skicentral.tv
Mon Apr 20 18:20:00 EDT 2015


On Sun, Apr 19, 2015 at 07:33:37PM -0400, Isaac (.ike) Levy wrote:
> On 04/19/15 19:02, Charles Sprickman wrote:
> > 
> > OpenVPN has mostly served me well - at the very least it’s pretty
> > easy to have it listen on TCP 443 and be able to reach it from all
> > but the most draconian public wifi hotspots.
> 
> Yep, same experience here...
> 
> But my target audience are Macs, so this appears moot.  Wah.
> 
> > The downside is the really big one for the non-tech users or users
> > with their own devices - it’s not built-in to anything, so they have
> > to grab a client.
> 
> Hrm... In practice, since I'll be generating/distributing cert material
> and configs to load, distributing the software isn't that hard either.
> 
> >  I’ve had little experience on the windows side,
> > but on OS-X, I use Viscosity and Tunnelblick.  Viscosity is a paid
> > ($10?) app that’s somewhat slick, Tunnelblick is free.  Sadly, I find
> > them both equally spotty at times.  
> 
> I find them roughly the same in use experience, do you know any really
> compelling real-world features that make Viscosity worth the $10?
> 
> Since Viscosity requires a licence, that actually adds one more barrier
> to deploy across my group- one more unique thing to distribute to users...
> 
> > Both tend to sometimes leave the
> > network config in an odd state after abrupt disconnects, which means
> > your end users need to know when to turn their wifi on/off or
> > plug/unplug their ethernet cable to regain their normal internet
> > connection.
> 
> Understood, and in my experience on Macs, the same is true with the
> L2TP/IPSec setup.

Viscosity worked a lot better than Tunnelblick at zero-configuration
magic and roadwarrioring; it required a lot less rebooting as Viscosity
got confused less.  Having flat DNS (no private DNS) helped too, and not
pushing DNS to the client, but that is really bad for sane security minds.
If you can keep the VPN setup to a single tunnel you will have greater
stability.

The OpenVPN Windows client worked well enough in the little time devoted
to supporting it.

We had a script that bundled the client and cert together and the user
could one-time download it.

> 
> > 
> > OpenVPN also has that sort of TrueCrypt “who makes this and why?”
> > aspect to it, and I cannot think of a single commercial
> > networking/security firm that includes OpenVPN alongside other VPN
> > options.
> 

I considered it to be a feature that iOS and Android users couldn't get
a tun interface easily.  It appears that has changed.

-dkw
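The "script that bundled the client and cert together" above is the usual way to get non-technical users onto OpenVPN with one download: a single .ovpn profile that carries the CA certificate, the user's client certificate and key inline, so nothing has to be placed in the right directory by hand. The script below is an added illustration of that pattern, not the list poster's script; the server name, port, file paths and the PEM contents used in the usage are constructed placeholders. It also pins `remote-cert-tls server` so the client refuses a peer whose certificate is not marked as a server certificate.

```shell
#!/bin/sh
# Build a single-file OpenVPN client profile with CA cert, client cert and
# client key inlined (<ca>, <cert>, <key> blocks). Added example; all
# hostnames and paths passed to it are assumptions chosen by the caller.

# Emit one inline PEM block. awk is used instead of cat so the block is
# terminated by a newline even if the PEM file lacks one.
inline_block() {  # $1 = tag name (ca|cert|key), $2 = PEM file
  printf '<%s>\n' "$1"
  awk '{ print }' "$2"
  printf '</%s>\n' "$1"
}

# bundle_profile HOST PORT PROTO CA_FILE CERT_FILE KEY_FILE
# Writes the profile to stdout; returns 1 if any input file is unreadable.
bundle_profile() {
  host=$1; port=$2; proto=$3; ca=$4; cert=$5; key=$6
  for f in "$ca" "$cert" "$key"; do
    if [ ! -r "$f" ]; then
      echo "bundle_profile: cannot read $f" >&2
      return 1
    fi
  done
  printf 'client\n'
  printf 'dev tun\n'
  printf 'proto %s\n' "$proto"
  printf 'remote %s %s\n' "$host" "$port"
  printf 'nobind\n'
  printf 'persist-key\n'
  printf 'persist-tun\n'
  # Only accept a peer whose certificate carries the server extended key
  # usage, so another client's cert cannot impersonate the server.
  printf 'remote-cert-tls server\n'
  printf 'verb 3\n'
  inline_block ca   "$ca"
  inline_block cert "$cert"
  inline_block key  "$key"
}

# profile_has_inline FILE: succeed only if all three inline blocks are
# present exactly once, which is what a distributed profile must contain.
profile_has_inline() {
  for tag in ca cert key; do
    n=$(grep -c "^<$tag>\$" "$1")
    [ "$n" -eq 1 ] || return 1
    n=$(grep -c "^</$tag>\$" "$1")
    [ "$n" -eq 1 ] || return 1
  done
  return 0
}
```

Typical use is `bundle_profile vpn.example.org 443 tcp ca.crt alice.crt alice.key > alice.ovpn`, then hand alice.ovpn to the user over an authenticated channel; since the file contains the private key, it should be treated with the same care as the key itself and the same key should not be reused across users.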
