[talk] VPNs: Choosing between OpenVPN and L2TP/IPsec

Isaac (.ike) Levy ike at blackskyresearch.net
Sun Apr 19 19:33:37 EDT 2015

On 04/19/15 19:02, Charles Sprickman wrote:
> On Apr 19, 2015, at 6:14 PM, Justin Sherrill
> <justin at shiningsilence.com> wrote:
>> On Sun, Apr 19, 2015 at 1:29 PM, Isaac (.ike) Levy 
>> <ike at blackskyresearch.net> wrote:
>> I have the same dilemma at work; we've used SSTP for some Windows 
>> machines, but that's it.  I have used OpenVPN with a Mac client, as
>> a test.  The default client isn't something I'd want to give to 
>> non-technical users, but I haven't gone past that to any sort of 
>> deployment.
>> So, this isn't a helpful answer; it's a "me too".
> “Me too”. :)

Awwww man...

> I steered away from IPSEC since it seems like something that’s very
> easy for a poorly-managed hotel wifi service or similar to break, but
> maybe the “L2TP” part does away with that (no GRE needed?).

Well, not really- it basically makes things a bit more complicated even.

The L2TP part rides on top of IPSec, so all the IPSec tunnel/connection
problems exist, just like they always have.

The L2TP part adds another layer of complexity for the actual networking.

This particular aspect of L2TP makes me want to go toward OpenVPN right out
of the gate.

> OpenVPN has mostly served me well - at the very least it’s pretty
> easy to have it listen on TCP 443 and be able to reach it from all
> but the most draconian public wifi hotspots.

Yep, same experience here...

>  And if you’re scared of
> OpenSSL, FreeBSD at least offers the opportunity to use PolarSSL in
> the port.

Interesting.  Is this it:
"mbed TLS (formerly known as PolarSSL)"

But my target audience are Macs, so this appears moot.  Wah.

> The downside is the really big one for the non-tech users or users
> with their own devices - it’s not built-in to anything, so they have
> to grab a client.

Hrm... In practice, since I'll be generating/distributing cert material
and configs to load, distributing the software isn't that hard either.

>  I’ve had little experience on the windows side,
> but on OS-X, I use Viscosity and Tunnelblick.  Viscosity is a paid
> ($10?) app that’s somewhat slick, Tunnelblick is free.  Sadly, I find
> them both equally spotty at times.  

I find them roughly the same in use experience. Do you know any really
compelling real-world features that make Viscosity worth the $10?

Since Viscosity requires a licence, that actually adds one more barrier
to deploy across my group- one more unique thing to distribute to users...

> Both tend to sometimes leave the
> network config in an odd state after abrupt disconnects, which means
> your end users need to know when to turn their wifi on/off or
> plug/unplug their ethernet cable to regain their normal internet
> connection.

Understood, and in my experience on Macs, the same is true with the
L2TP/IPSec setup.

> OpenVPN also has that sort of TrueCrypt “who makes this and why?”
> aspect to it, and I cannot think of a single commercial
> networking/security firm that includes OpenVPN alongside other VPN
> options.

Now this topic I'd *love* to hear more about, seeing as this issue
really is at the heart of why to use VPNs in the first place...

Charles (or all), have you seen any good discussions or analysis of this
online, or do you have thoughts on it?

> On the plus side, if you run pfsense as the server, the certificate
> management and the openvpn client config exporter are pretty nice.
> You can fetch a ready-made zip for either tunnelblick or viscosity
> from the pfsense GUI.

Yeah- at least one thing has changed for the better in the last decade:
automation in config is now the norm, not the exception- across the board.
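Since the thread touches both on running OpenVPN on TCP 443 and on handing users a single pre-built profile (the pfSense exporter does this; the cert/config distribution mentioned above is the same job done by hand), here is an added example of that packaging step. It is not code from the thread or from any project named in it: it renders one self-contained .ovpn profile per user with the CA cert, client cert, client key and tls-auth key inlined, pointed at a hypothetical server vpn.example.net on TCP 443, and then sanity-checks the result before it is shipped. The PEM blobs are constructed placeholders, not real key material.

```python
"""Render and sanity-check a self-contained OpenVPN client profile.

Added example (not from the mailing-list thread). Assumes a server at
vpn.example.net listening on TCP 443 (hypothetical). The PEM strings are
constructed placeholders standing in for real CA/client/tls-auth material.
"""
from dataclasses import dataclass
import os
import re

# Constructed placeholder PEM blobs: not valid cryptographic material.
CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-CLIENT-KEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
TA_KEY = "-----BEGIN OpenVPN Static key V1-----\nCONSTRUCTED-TA-PLACEHOLDER\n-----END OpenVPN Static key V1-----\n"


@dataclass
class ClientMaterial:
    user: str
    ca_pem: str
    cert_pem: str
    key_pem: str
    ta_key: str


# Directives every profile in the group gets. "remote-cert-tls server" makes
# the client refuse a peer that presents a client certificate as the server,
# and "key-direction 1" is required when tls-auth is inlined.
BASE_DIRECTIVES = [
    "client",
    "dev tun",
    "nobind",
    "persist-key",
    "persist-tun",
    "remote-cert-tls server",
    "auth SHA256",
    "cipher AES-256-GCM",
    "key-direction 1",
    "verb 3",
]

REQUIRED_BLOCKS = ("ca", "cert", "key", "tls-auth")


def inline_block(tag: str, pem: str) -> str:
    """Wrap PEM text in OpenVPN's inline <tag>...</tag> form."""
    return f"<{tag}>\n{pem.rstrip()}\n</{tag}>"


def render_profile(m: ClientMaterial, remote_host: str,
                   remote_port: int = 443, proto: str = "tcp") -> str:
    """Build one importable .ovpn for a user; TCP 443 by default, per the thread."""
    lines = [f"# OpenVPN client profile for {m.user}",
             f"proto {proto}",
             f"remote {remote_host} {remote_port}"]
    lines += BASE_DIRECTIVES
    lines.append(inline_block("ca", m.ca_pem))
    lines.append(inline_block("cert", m.cert_pem))
    lines.append(inline_block("key", m.key_pem))
    lines.append(inline_block("tls-auth", m.ta_key))
    return "\n".join(lines) + "\n"


def check_profile(text: str) -> list:
    """Return a list of problems; an empty list means the profile passes."""
    problems = []
    if not re.search(r"^remote \S+ \d+$", text, re.M):
        problems.append("missing remote directive")
    for tag in REQUIRED_BLOCKS:
        if not re.search(rf"^<{tag}>\n.*?\n</{tag}>$", text, re.M | re.S):
            problems.append(f"missing inline <{tag}> block")
    if "remote-cert-tls server" not in text:
        problems.append("missing remote-cert-tls server")
    if re.search(r"^<tls-auth>", text, re.M) and not re.search(r"^key-direction [01]$", text, re.M):
        problems.append("tls-auth without key-direction")
    return problems


def write_profile(path: str, text: str) -> None:
    """Write the profile with mode 0600: it carries the user's private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    material = ClientMaterial("alice", CA_PEM, CERT_PEM, KEY_PEM, TA_KEY)
    profile = render_profile(material, "vpn.example.net")
    issues = check_profile(profile)
    print("profile OK" if not issues else f"problems: {issues}")
    write_profile("alice.ovpn", profile)
```

Each user gets exactly one file to import into Tunnelblick or Viscosity, which is the same shape the pfSense exporter produces. The check is deliberately strict about `remote-cert-tls server` and `key-direction`, since a profile that imports cleanly but lacks them will connect and silently skip a verification step.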

