[TriLUG] linode, VPN, SSH

Ken Mink ken.mink at gmail.com
Thu Aug 28 11:09:11 EDT 2014


On 08/28/2014 11:00 AM, Kevin Otte wrote:
> OpenVPN can be run without any encryption. It will bark at you, but it
> will run.
>
> For my IPv6 lab I just use the static key mode. Unlike TLS, if that key
> is ever compromised, all previous traffic could be decrypted. I mostly
> use it as an authentication layer (yes, this is my lab) and the weaker
> encryption is just a side bonus.
>
> I think the screwier part of this whole scenario is the requirement of a
> static endpoint address for a piece of software that was *designed* for
> roaming access. Sounds like someone got their SHOULD and MUST (RFC
> terms) conflated.
>
> -- Kevin
>
> On 08/27/2014 05:23 PM, Igor Partola wrote:
>
>> 4. Let's pause and think about how insane this situation is: we are talking
>> about wrapping an encrypted SSH connection into an SSL VPN connection,
>> which will then be wrapped into an OpenVPN connection? SECOORITY!


While I agree that this will work, I question the need for OpenVPN at
all. From what I know about SSL based VPNs, they use a single port for
access. Could he not set up iptables rules on the VPS to forward, with
NAT, traffic from his home IP to the VPN host for the VPN port? The
rules could contain a source IP so that the VPS would do this for his
home IP only. When Tom fired up Firefox to connect to the VPN at home it
went to the VPS, got forwarded and NAT'ed to the VPN host. A simple
addition to /etc/hosts at home would send the traffic for the VPN host
to the VPS machine.

Ken
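Added example (not part of Ken's message or the thread): a small POSIX sh script that prints the iptables rule set Ken describes, restricted to one home source address, plus the matching /etc/hosts line. All addresses, the hostname and the port are constructed placeholders; the script only prints rules, so it can be reviewed before being piped to sh as root on the VPS.

```shell
#!/bin/sh
# Added example, not code from Ken's message: print the iptables rules for the
# "VPS forwards Tom's home traffic to the VPN host, NAT'ed" scheme.
# Every address, hostname and port here is a constructed placeholder.
HOME_IP="${HOME_IP:-203.0.113.10}"       # Tom's home address (the only source allowed), no prefix length
VPS_IP="${VPS_IP:-198.51.100.5}"         # the VPS's static public address
VPN_HOST="${VPN_HOST:-192.0.2.20}"       # the SSL VPN concentrator that insists on a static peer
VPN_PORT="${VPN_PORT:-443}"              # the single port the SSL VPN listens on
VPN_NAME="${VPN_NAME:-vpn.example.net}"  # hostname Tom's browser uses for the VPN

# Refuse to build rules that would turn the VPS into an open relay.
check_source() {
    case "$HOME_IP" in
        ""|0.0.0.0|0.0.0.0/0|*/0) return 1 ;;
    esac
    return 0
}

# Print the rules; review them, then pipe the output to sh as root to apply.
forward_rules() {
    check_source || { echo "refusing: HOME_IP must be one specific address" >&2; return 1; }
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -P FORWARD DROP" \
      "iptables -t nat -A PREROUTING -s $HOME_IP/32 -d $VPS_IP/32 -p tcp --dport $VPN_PORT -j DNAT --to-destination $VPN_HOST:$VPN_PORT" \
      "iptables -t nat -A POSTROUTING -d $VPN_HOST/32 -p tcp --dport $VPN_PORT -j SNAT --to-source $VPS_IP" \
      "iptables -A FORWARD -s $HOME_IP/32 -d $VPN_HOST/32 -p tcp --dport $VPN_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -s $VPN_HOST/32 -d $HOME_IP/32 -p tcp --sport $VPN_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# The /etc/hosts line for Tom's home machine: the VPN's name resolves to the VPS.
hosts_entry() {
    printf '%s\t%s\n' "$VPS_IP" "$VPN_NAME"
}

forward_rules
hosts_entry
```

The `-s $HOME_IP/32` match on the PREROUTING and FORWARD rules is what keeps the VPS from relaying for anyone else, which is exactly the source-IP restriction Ken mentions; if the home address changes, that value has to be updated. The SNAT rule makes the VPN host see the VPS's static address as the peer, and no reverse rule is needed for replies because conntrack undoes both translations on the return path. The FORWARD policy of DROP means only the two explicit flows pass.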

