[talk] VPNs: Choosing between OpenVPN and L2TP/IPsec

Charles Sprickman spork at bway.net
Tue Apr 21 00:59:48 EDT 2015


On Apr 20, 2015, at 11:41 PM, Isaac (.ike) Levy <ike at blackskyresearch.net> wrote:

> On 04/20/15 13:49, Nikolai Fetissov wrote:
>> Ike,
>> 
>> Definitely go with OpenVPN for roaming users. It's just way easier
>> than anything else. Clients for all relevant platforms are free (use
>> tunnelblick on Mac: https://code.google.com/p/tunnelblick/), there's
>> even a free iPhone app. You would need to manage the certs and crls,
>> but that comes required with any of your contenders. OpenVPN at least
>> gives you a nice set of tools to do this with easyrsa. Use default
>> UDP transport. It's way faster than doing the same over TCP.
> 
> Ah, but one slick trick I learned from a fine Op today: running an
> additional server on port 443/TCP is extremely useful for the road
> warrior thing...
> 
> But yeah- they reported severe degradation on lousy networks, e.g. may
> as well be trying to pummel ssh tunnels with less management pain…

I'm late to the "work at starbucks" party (actually here in the
hinterlands, it's usually Panera Bread), but recently I've been doing
that sort of thing to try to get rid of some of the
distractions/boredom of working on the couch.

I've been trying to ramp up my wifi knowledge for various projects,
and what I'm realizing as I sample various free wifi options is that
it's really evolved - a decade ago, I'd be bitching about a whole cafe
sharing a measly T1.  Now I'm bitching about the latency, jitter and
loss on that first hop (wireless).  Fun fact - with the right number
of devices with marginal connections, you can render a single AP
basically useless.  I'm going to blame all the smartphones.  Too many
people assume wifi is simple or that the laws of physics don't apply
because THE INTERNET or something.

Ah, my point: don't necessarily blame the VPN, it's just amplifying
the crappiness, which any tunnel will do.

My best free tip is that if your users are cable subscribers and are
therefore able to use the Comcast/TWC/Cablevision public APs for
free, that's often a great option when the cafe, hotel, or whatever
other wifi is acting up - pull up the provider's map, and get near
a window facing the closest AP.  Those things seem to be uncongested
in general.  I just did this today - the Panera wifi had an RSSI of
-50 dB, which is great, but meaningless.  Packet loss was around 15%
and I'm trying to type in iterm+tmux ssh sessions over a TCP openvpn
connection - painful.  Flipped to a Comcast node and it was like I was
the only one on it.

C

>> 
>> I have the server side running on open with chroot and privsep, and
>> custom krb5 auth, which I'm too lazy to clean up and submit as a
>> package.
>> 
>> Cheers, -- Nikolai
> 
> Ha- I'd love to hear your krb notes sometime, (though that begs my next
> question coming to list)....
> 
> Best,
> .ike
> 
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
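The setup the thread converges on (OpenVPN on its default UDP transport, an additional TCP/443 listener for road warriors on hostile networks, cert/CRL management from easyrsa, and a chrooted, privilege-separated server) as one concrete configuration. This is an added example, not config from anyone on the list; the hostname vpn.example.net, the /etc/openvpn/pki paths, the 10.8.x.0/24 tunnel subnets and the nobody user/group are assumptions.

```conf
# ---- /etc/openvpn/server-udp.conf  (primary listener, default transport) ----
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0          # assumed tunnel subnet for the UDP instance
ca   /etc/openvpn/pki/ca.crt           # easyrsa CA; paths are assumptions
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
crl-verify /etc/openvpn/pki/crl.pem    # revoked client certs are rejected at the TLS handshake
tls-auth /etc/openvpn/pki/ta.key 0     # HMAC on the control channel: unauthenticated packets are dropped cheaply
user  nobody                           # privilege separation after startup (assumed account names)
group nobody
chroot /var/empty                      # chroot after startup; the files above are read before this
persist-key                            # keep key material and the tun device across SIGUSR1 restarts,
persist-tun                            # which is what makes dropping privileges workable
keepalive 10 60
verb 3

# ---- /etc/openvpn/server-tcp443.conf  (fallback listener for networks that block UDP) ----
port 443
proto tcp
dev tun
server 10.8.1.0 255.255.255.0          # separate subnet so both instances can run at the same time
ca   /etc/openvpn/pki/ca.crt           # same CA, certs and CRL: one revocation covers both listeners
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
crl-verify /etc/openvpn/pki/crl.pem
tls-auth /etc/openvpn/pki/ta.key 0
user  nobody
group nobody
chroot /var/empty
persist-key
persist-tun
keepalive 10 60
verb 3

# ---- client.ovpn  (one profile, tries UDP first and falls back to TCP/443) ----
client
dev tun
remote vpn.example.net 1194 udp        # preferred: UDP, no TCP-over-TCP stalls
remote vpn.example.net 443 tcp         # fallback: looks like HTTPS to a restrictive cafe/hotel network
resolv-retry infinite
nobind
remote-cert-tls server                 # refuse to talk to a client cert presented as a "server"
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1
persist-key
persist-tun
verb 3
```

Both server instances share one PKI, so revoking a client in easyrsa and regenerating crl.pem locks it out of the UDP and the TCP path at once. One caveat when combining chroot with crl-verify: OpenVPN re-reads the CRL on later connections, so on a real deployment the CRL has to be reachable from inside the chroot directory (or the chroot has to contain a copy) or revocation checks fail after privileges are dropped. The client profile lists the UDP remote first; OpenVPN cycles to the next remote when a connection attempt fails, which is the roaming behaviour described in the thread.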