
Deploying a VPN with PKI (O'ReillyNet)

O'ReillyNet presents a tutorial on deploying a VPN using OpenVPN and OpenSSL. "The tutorial implements a certificate-based security infrastructure using OpenSSL and uses this to secure both OpenVPN client and server endpoints. We will highlight two great new features to appear in OpenVPN-2.0 (now in beta) that will make it a good choice for any VPN--single-instance server mode and certificate revocation list support."

Deploying a VPN with PKI (O'ReillyNet)

Posted Oct 22, 2004 20:25 UTC (Fri) by NightMonkey (subscriber, #23051)

OK, I admit it. I skimmed this article. But I must point out that for many smaller networks (and maybe a few big ones), there is no need to make things so complicated to have a sensible amount of security for remote connections. Presenting...

ssh -N -D 1080 <SSHhost> &   # -D takes the local listening port; -N opens no remote shell, so the backgrounded ssh does not fight for the terminal

This creates a SOCKS Proxy server (at localhost:1080) which communicates over the SSH channel. I've used it to secure browsing, e-mail and many other services. And, if you install Dante SOCKS Proxy Server, you get the command "socksify". This allows you to proxy many programs that don't have native SOCKS code, and can be used with any proxy server (not just Dante).

After setting up the ssh SOCKS proxy, you'd use socksify like so:

socksify emerge sync (Gentoo Portage sync proxying)
socksify lynx http://www.lwn.net/ (lynx has socks support, but you get the idea)

Seems a lot easier to me than all that SSL complexity. Yes, you can change your SSH keys every day or every hour if you want the additional "job security". You can change your users' passwords often, too (if you are allowing passphrase logins via SSH). You can also restrict SSH shell access. It's all there... I just wonder why more people and organizations don't use it. Is there something I'm missing in this model? Besides unnecessary overhead?
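As an added example that is not part of the comment above nor of the O'ReillyNet tutorial: the SOCKS5 exchange (RFC 1928) a client performs against the proxy that `ssh -D 1080 host` opens on localhost:1080, which is the work socksify does on behalf of programs without native SOCKS support. The proxy address, the hostnames and all message bytes are constructed for illustration.

```python
# Added example: the SOCKS5 (RFC 1928) CONNECT exchange a client performs
# against the proxy that `ssh -D 1080 host` opens on localhost:1080.
# Proxy address and hostnames below are assumptions for illustration.
import socket
import struct

VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {1: "general failure", 2: "not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def greeting() -> bytes:
    """Method selection: offer exactly one method, NO_AUTH (the only one ssh -D speaks)."""
    return bytes([VER, 1, NO_AUTH])

def connect_request(host: str, port: int) -> bytes:
    """CONNECT with a domain-name address: the SSH server resolves it, so no DNS leaks locally."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit in one byte")
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def parse_method_reply(data: bytes) -> None:
    if len(data) != 2 or data[0] != VER:
        raise ValueError("malformed method-selection reply")
    if data[1] != NO_AUTH:  # 0xFF means the proxy accepted none of our methods
        raise ValueError("proxy rejected NO_AUTH (method 0x%02x)" % data[1])

def parse_connect_reply(data: bytes) -> tuple:
    """Return (bound_addr, bound_port) on success; raise with the proxy's reason otherwise."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("malformed CONNECT reply")
    if data[1] != 0:
        raise ConnectionError(REPLY_TEXT.get(data[1], "unknown code %d" % data[1]))
    if data[3] == ATYP_IPV4 and len(data) >= 10:
        return socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]
    if data[3] == ATYP_DOMAIN and len(data) >= 7 + data[4]:
        n = data[4]
        return data[5:5 + n].decode("idna"), struct.unpack("!H", data[5 + n:7 + n])[0]
    raise ValueError("unsupported or truncated bound address")

def socks_connect(host: str, port: int, proxy=("127.0.0.1", 1080)) -> socket.socket:
    """Open a TCP stream to host:port through the local SSH SOCKS proxy; the socket then carries the application protocol unchanged."""
    s = socket.create_connection(proxy)
    s.sendall(greeting())
    parse_method_reply(s.recv(2))
    s.sendall(connect_request(host, port))
    parse_connect_reply(s.recv(262))  # largest possible reply: 4 + 1 + 255 + 2 bytes
    return s
```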

Deploying a VPN with PKI (O'ReillyNet)

Posted Oct 23, 2004 1:46 UTC (Sat) by dskoll (subscriber, #1630)

Is there something I'm missing in this model?

Yes. Putting the encryption at the network layer rather than the transport layer makes a lot of things very convenient. You can read your mail, browse Intranet sites, etc. remotely just as you would on-site. You don't need any proxies. Everything just works.

OpenVPN is dead-simple to set up; certainly far less headache than IPSec.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds