[talk] VPNs: Choosing between OpenVPN and L2TP/IPsec

Nikolai Fetissov nikolai at fetissov.org
Mon Apr 20 13:49:23 EDT 2015


Ike,

Definitely go with OpenVPN for roaming users. It's just way easier then anything else. Clients for all relevant platforms are free (use tunnelblick on Mac: https://code.google.com/p/tunnelblick/), there's even a free iPhone app.
You would need to manage the certs and crls, but that comes required with any of your contenders.
OpenVPN at least gives you a nice set of tools to do this with easyrsa.
Use default UDP transport. It's way faster then doing the same over TCP.

I have the server side running on open with chroot and privsep, and custom krb5 auth, which I'm too lazy to clean up and submit as a package.

Cheers,
--
 Nikolai


> On Apr 19, 2015, at 1:29 PM, Isaac (.ike) Levy <ike at blackskyresearch.net> wrote:
> 
> Hi All,
> 
> So I thought folks here may have words on a topic which has hit this
> list in years past: VPN choices.
> 
> Choices are great, but now I'm trying to choose one. :)
> 
> Until recently I've been able to escape the complexity altogether, but
> now I have need to roll out and manage roving VPN connectivity, and I'm
> in a quandary with which tech to start with- and would love to hear any
> experiences or tid-bits on each.
> 
> THE CHOICES, AS I SEE IT
> --
> 
> PPTP - off the table, deader than dead.
> 
> L2TP/IPsec - Contender
> + easy/reliable cert-based client integration (mostly Macs for my world)
> + well worn (many platforms, many years now)
> - IPsec traffic hassles from clients in restrictive/unreliable networks
> - These days I shy away from the muddled state of IPsec (1)
> - Troubleshooting issues: difficult, complex and opaque in tooling.
> 
> OpenVPN - Contender
> + Robust reliability on restrictive/unreliable networks
> + Clear cert-based client integration on many platforms
> - Needs third party software for most user applications
> - less well worn (some sharp edges here and there for users)
> + and -, SSL based crypto transport
> - OpenSSL base, (2)
> 
> 
> ENDLESS QUESTIONS
> ---
> What's it like for users these days?
> What's it like for administrators these days?
> Multi-factor auth?  Key management?
> What networking 'gotchas' are folks dealing with?
> Anyone rockin' IPv6 inside/outside their tunnls (I'll be trying...)?
> What crypto concerns do folks here have?
> 
> Even anecdotes about life with commercial products at either end is
> informative, although I'm obviously interested in open tech.
> 
> Best,
> .ike
> 
> 
> 
> --
> Footnotes:
> 1) IPsec is awesome, but lets face it, also muddled.  It's not
> unreasonable that some major flaw could be discovered which exposes a
> fundamental flaw or even intentional backdoor in coming years:
> http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html
> For the time being, IPsec holds strong with no known weaknesses- but
> even the fact that it was backported from IPv6 bits makes it even more
> complicated to keep track of...
> 
> 2) LibreSSL, BoringSSL, and good ol' OpenSSL- a discussion deserving
> it's own thread :)
> http://www.libressl.org/
> http://article.gmane.org/gmane.os.openbsd.tech/37174
> https://boringssl.googlesource.com/boringssl/
> https://www.openssl.org/
> 
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20150420/6d4a9fbd/attachment.htm>


More information about the talk mailing list