[talk] VPNs: Choosing between OpenVPN and L2TP/IPsec

Charles Sprickman spork at bway.net
Sun Apr 19 19:02:13 EDT 2015

On Apr 19, 2015, at 6:14 PM, Justin Sherrill <justin at shiningsilence.com> wrote:

> On Sun, Apr 19, 2015 at 1:29 PM, Isaac (.ike) Levy
> <ike at blackskyresearch.net> wrote:
> I have the same dilemma at work; we've used SSTP for some Windows
> machines, but that's it.  I have used OpenVPN with a Mac client, as a
> test.  The default client isn't something I'd want to give to
> non-technical users, but I haven't gone past that to any sort of
> deployment.
> So, this isn't a helpful answer; it's a "me too".

“Me too”. :)

I steered away from IPsec since it seems like something that’s very easy for a poorly-managed hotel wifi service or similar to break, but maybe the “L2TP” part does away with that (no GRE needed?).

OpenVPN has mostly served me well - at the very least it’s pretty easy to have it listen on TCP 443 and be able to reach it from all but the most draconian public wifi hotspots.  And if you’re scared of OpenSSL, FreeBSD at least offers the opportunity to use PolarSSL in the port.

The downside is the really big one for the non-tech users or users with their own devices - it’s not built into anything, so they have to grab a client.  I’ve had little experience on the Windows side, but on OS X, I use Viscosity and Tunnelblick.  Viscosity is a paid ($10?) app that’s somewhat slick, Tunnelblick is free.  Sadly, I find them both equally spotty at times.  Both tend to sometimes leave the network config in an odd state after abrupt disconnects, which means your end users need to know when to turn their wifi on/off or plug/unplug their Ethernet cable to regain their normal internet connection.

OpenVPN also has that sort of TrueCrypt “who makes this and why?” aspect to it, and I cannot think of a single commercial networking/security firm that includes OpenVPN alongside other VPN options.

On the plus side, if you run pfSense as the server, the certificate management and the OpenVPN client config exporter are pretty nice.  You can fetch a ready-made zip for either Tunnelblick or Viscosity from the pfSense GUI.
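As an added illustration (not part of this thread, and not taken from OpenVPN's or pfSense's own documentation), here is what the "listen on TCP 443" setup mentioned above looks like as a server/client config pair. The file paths, the 10.8.0.0/24 tunnel pool, the hostname vpn.example.net and the local HTTPS listener on port 8443 are assumptions for illustration only.

```conf
# ---- server.conf (added example; paths and addresses are assumptions) ----
port 443
proto tcp-server             # TCP is what gets through hotspot firewalls; also required by port-share
dev tun
server 10.8.0.0 255.255.255.0          # tunnel address pool (assumed)
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key  /usr/local/etc/openvpn/server.key
dh   /usr/local/etc/openvpn/dh2048.pem
# Shared HMAC key on the control channel: packets without a valid HMAC are
# dropped before any TLS handshake, which keeps scanners and probes cheap to ignore.
tls-auth /usr/local/etc/openvpn/ta.key 0
# Anything arriving on 443 that is not OpenVPN (e.g. a browser) is proxied to a
# local HTTPS listener, so the port behaves like an ordinary web server.
port-share 127.0.0.1 8443
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3

# ---- client.ovpn (added example; hostname is an assumption) ----
client
dev tun
proto tcp-client             # must match the server's transport
remote vpn.example.net 443
remote-cert-tls server       # refuse to connect to anything not issued as a server cert
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1            # same key as the server, opposite direction
persist-key
persist-tun
verb 3
```

The client side is the part a pfSense export bundle supplies; the `remote-cert-tls server` line is the check that stops a client from completing a handshake with another client's certificate presented by a rogue access point, which is the failure mode the hotspot discussion above is really about.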
