>> > I fully agree with this. Try to make it use only ONE port.

>> No, please don't.
>> Don't add complexity (especially to a security product) as long as
>> it is not essentially needed.

>I agree with this too.
>I've been using OpenVPN for net-to-net vpns for quite a while, and
>really enjoy that it's such a small, simple software, but still
>has all the required security features.
>But as I have started to use it for "roadwarrior" configurations
>I've found not being able to use a single port a problem.

Agree. We use it for a "roadwarrior" config and the port thing is a major pain. Now each laptop needs a key and a separate port and openvpn process waiting all the time (Ok, we could use xinetd). Net-to-net is OK this way, but for roadwarriors it seems kludgy.

But OpenVPN is the best and most reliable unobfusticated VPN package available - period (IMHO). I hate IPsec.

Lots of services multiplex over a port - and don't suffer from myriad security problems because of it.

>So, of course, one has to weigh the added complexity and increased
>risk of adding a bug with the added usability.
>If the goal of OpenVPN is to do net-to-net vpns and small (1-10 users)
>road warrior setups, then I agree, don't add this complexity.
>But if the goal is that OpenVPN should work well with hundreds of
>roadwarriors, then I think multiplexing the sessions over a
>single port is necessary.

I'd like it to support larger more complex setups or we'll eventually have to ditch it and go back to PPTP :(. But I'm just one lowly admin guy.