<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>Ike,</div><div><br></div><div>Definitely go with OpenVPN for roaming users. It's just way easier than anything else. Clients for all relevant platforms are free (use Tunnelblick on Mac: <a href="https://code.google.com/p/tunnelblick/">https://code.google.com/p/tunnelblick/</a>), there's even a free iPhone app.</div><div>You would need to manage the certs and CRLs, but that comes required with any of your contenders.</div><div>OpenVPN at least gives you a nice set of tools to do this with easyrsa.</div><div>Use default UDP transport. It's way faster than doing the same over TCP.</div><div><br></div><div>I have the server side running on open with chroot and privsep, and custom krb5 auth, which I'm too lazy to clean up and submit as a package.</div><div><br></div><div>Cheers,</div><div>--</div><div> Nikolai</div><div><br></div><div><br>On Apr 19, 2015, at 1:29 PM, Isaac (.ike) Levy &lt;<a href="mailto:ike@blackskyresearch.net">ike@blackskyresearch.net</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><span>Hi All,</span><br><span></span><br><span>So I thought folks here may have words on a topic which has hit this</span><br><span>list in years past: VPN choices.</span><br><span></span><br><span>Choices are great, but now I'm trying to choose one. 
:)</span><br><span></span><br><span>Until recently I've been able to escape the complexity altogether, but</span><br><span>now I have need to roll out and manage roving VPN connectivity, and I'm</span><br><span>in a quandary with which tech to start with- and would love to hear any</span><br><span>experiences or tid-bits on each.</span><br><span></span><br><span>THE CHOICES, AS I SEE IT</span><br><span>--</span><br><span></span><br><span>PPTP - off the table, deader than dead.</span><br><span></span><br><span>L2TP/IPsec - Contender</span><br><span>+ easy/reliable cert-based client integration (mostly Macs for my world)</span><br><span>+ well worn (many platforms, many years now)</span><br><span>- IPsec traffic hassles from clients in restrictive/unreliable networks</span><br><span>- These days I shy away from the muddled state of IPsec (1)</span><br><span>- Troubleshooting issues: difficult, complex and opaque in tooling.</span><br><span></span><br><span>OpenVPN - Contender</span><br><span>+ Robust reliability on restrictive/unreliable networks</span><br><span>+ Clear cert-based client integration on many platforms</span><br><span>- Needs third party software for most user applications</span><br><span>- less well worn (some sharp edges here and there for users)</span><br><span>+ and -, SSL based crypto transport</span><br><span>- OpenSSL base, (2)</span><br><span></span><br><span></span><br><span>ENDLESS QUESTIONS</span><br><span>---</span><br><span>What's it like for users these days?</span><br><span>What's it like for administrators these days?</span><br><span>Multi-factor auth?  
Key management?</span><br><span>What networking 'gotchas' are folks dealing with?</span><br><span>Anyone rockin' IPv6 inside/outside their tunnels (I'll be trying...)?</span><br><span>What crypto concerns do folks here have?</span><br><span></span><br><span>Even anecdotes about life with commercial products at either end are</span><br><span>informative, although I'm obviously interested in open tech.</span><br><span></span><br><span>Best,</span><br><span>.ike</span><br><span></span><br><span></span><br><span></span><br><span>--</span><br><span>Footnotes:</span><br><span>1) IPsec is awesome, but let's face it, also muddled.  It's not</span><br><span>unreasonable that some major flaw could be discovered which exposes a</span><br><span>fundamental flaw or even intentional backdoor in coming years:</span><br><span><a href="http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html">http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html</a></span><br><span>For the time being, IPsec holds strong with no known weaknesses- but</span><br><span>even the fact that it was backported from IPv6 bits makes it even more</span><br><span>complicated to keep track of...</span><br><span></span><br><span>2) LibreSSL, BoringSSL, and good ol' OpenSSL- a discussion deserving</span><br><span>its own thread :)</span><br><span><a href="http://www.libressl.org/">http://www.libressl.org/</a></span><br><span><a href="http://article.gmane.org/gmane.os.openbsd.tech/37174">http://article.gmane.org/gmane.os.openbsd.tech/37174</a></span><br><span><a href="https://boringssl.googlesource.com/boringssl/">https://boringssl.googlesource.com/boringssl/</a></span><br><span><a href="https://www.openssl.org/">https://www.openssl.org/</a></span><br><span></span><br><span>_______________________________________________</span><br><span>talk mailing list</span><br><span><a href="mailto:talk@lists.nycbug.org">talk@lists.nycbug.org</a></span><br><span><a 
href="http://lists.nycbug.org/mailman/listinfo/talk">http://lists.nycbug.org/mailman/listinfo/talk</a></span><br></div></blockquote></body></html>