Re: [Openvpn-users] Another newbie question


  • Subject: Re: [Openvpn-users] Another newbie question
  • From: xvx <xvx@xxxxxxxx>
  • Date: Thu, 1 May 2003 20:52:50 -0400 (EDT)

Craig,

	The only way I would see doing this is essentially making the two
gateway machines firewalls: 2 NICs, one for the gateway, with an IP
scheme different from the two LANs you are connecting, and do NAT on the
other network card.  It would be tricky to set up with routes and all.  In
concept it SHOULD work.

Sean

On Fri, 2 May 2003, Craig Findlay wrote:

>
> ----- Original Message -----
> From: "James Yonan" <jim@xxxxxxxxx>
> To: "Craig Findlay" <craig@xxxxxxxxxxxxx>;
> <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> Sent: Thursday, May 01, 2003 12:16 PM
> Subject: Re: [Openvpn-users] Questions from a newbie
>
>
> > Craig Findlay <craig@xxxxxxxxxxxxx> said:
> >
> > > Hi, I am a new user to this list.
> > >
> > > I have been asked to quote on an office to office VPN, and I am
> > > seriously thinking of proposing a solution using OpenVPN installed on
> > > 2 OpenBSD boxes.
> > >
> > > The offices are located in different countries, and one office uses a
> > > Microsoft Small Business network, the other a Novell network. The Novell
> > > office already communicates with other offices in its country using an
> > > IPSec based VPN using Cisco products, which was set up by a third party
> > > Cisco IT company.
> > >
> > > I am really going out on a limb here in proposing a non-proprietary
> > > solution, and I don't want to end up with egg on my face, or worse, so:
> > >
> > > I am intending to set up and test both boxes locally, and then send one
> > > over to the other office, given that the IT person in the remote office
> > > does not have any OpenVPN experience. Well neither do I at the moment but
> > > from what I've read it seems fairly straightforward to set up. I have a
> > > reasonable amount of experience with using OpenBSD, SSH etc as well as
> > > proprietary host-to-network VPNs such as PPTP, however I don't have any
> > > experience in network-to-network VPNs.
> > >
> > > Is OpenVPN robust and stable enough to use in a production environment
> > > such as I am proposing?
> >
> >
> > > Are there any known security issues with OpenVPN?
> >
> > Not to my knowledge.  The current OpenVPN security model matured by
> > version 1.1.0, which was released about a year ago.  Since that time I
> > have not seen any reports on the OpenVPN lists or other security-related
> > forums claiming any security issues.
> >
> > While it's impossible to assure with certainty that no weaknesses exist,
> > OpenVPN has multiple levels of security to protect against a single flaw
> > causing a catastrophic security breach.  For example, by using '--user
> > nobody --group nobody' you can ensure that even if some kind of remote
> > buffer overflow exploit were discovered, the exploit would be unable to
> > elevate its privilege to root.  Another example is using SSL/TLS security
> > with --tls-auth.  Using --tls-auth ensures that even if a remote buffer
> > overflow is discovered and exploited in the SSL/TLS authentication code in
> > the OpenSSL library, it could not be used to attack an OpenVPN session
> > that is protected with a --tls-auth password.  In addition, if you use
> > SSL/TLS authentication, you have the benefit of "perfect forward security".
> >
> > > Would I be better off using the strong IPSec support built into OpenBSD
> > > to propose an IPSec solution rather than using OpenVPN?
> >
> > Most people who use OpenVPN do so because it tends to be easier to use
> > than IPSec, is fairly robust at this point, has good cross-platform
> > support, and works well with NAT and DHCP.
> >
> > OpenVPN takes a different design approach than IPSec.  While both use
> > modern security concepts that protect against passive and active attacks
> > (MAC authentication, protection against replay and man-in-the-middle
> > attacks, public key infrastructure, perfect forward security, etc.),
> > OpenVPN takes more of an 'ssh' approach to implementation, while IPSec is
> > usually implemented as a kernel module.  Because OpenVPN runs as a daemon
> > in user-space (like ssh) it has proven to be quite portable, and currently
> > runs on 6 OSes.
> >
> > I have not used IPSec on OpenBSD so I can't really comment or make a
> > comparison.
> >
> > > Any advice would be greatly appreciated. I am not sure if I am biting
> > > off more than I can chew here :)
> >
> > I would suggest you read the HOWTO.  If you are able to read it through
> > without feeling the onset of mild panic, confusion, or disorientation,
> > then you are probably up to the task.  Also, check out the examples in
> > the man page.  Most people find them to be a good introduction to using
> > OpenVPN in a simple form.
> >
> > James
> >
>
> Thanks James.
>
> I had one other question which is probably really obvious or stupid. Is it
> possible to set up a VPN between 2 networks which have the same network
> address? i.e. a lot of small office networks use 192.168.0.0/24. If both
> offices use the same network address how can this work? (duplicate IP
> addresses etc?)
>
> Thanks,
> Craig
>
>
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
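Craig's question (two sites that both use 192.168.0.0/24) and Sean's answer (let the two gateways do NAT) modelled as an added example; this is not code from the thread or from OpenVPN. Each site addresses the other through an alias prefix that is unused on both LANs, and its gateway does a 1:1 prefix rewrite on the tunnel side; the alias prefixes 10.0.1.0/24 and 10.0.2.0/24, the sample hosts and the Gateway model are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Both sites use the same prefix (Craig's case). The two alias prefixes are
# constructed for this example and must be unused at both sites.
LAN = IPv4Network("192.168.0.0/24")      # identical LAN prefix at site A and B
ALIAS_A = IPv4Network("10.0.1.0/24")     # how site B addresses hosts at A
ALIAS_B = IPv4Network("10.0.2.0/24")     # how site A addresses hosts at B

def netmap(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
    """1:1 prefix rewrite: keep host bits, swap the network part; other addresses pass."""
    if addr not in src:
        return addr
    return IPv4Address(int(dst.network_address) | (int(addr) & int(src.hostmask)))

def aliases_ok(*nets: IPv4Network) -> bool:
    """LAN and both aliases must be pairwise disjoint, or local and remote hosts blur."""
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

@dataclass
class Gateway:
    own_alias: IPv4Network   # name the far side uses for the LAN behind us
    peer_alias: IPv4Network  # name our LAN uses for the far side, routed via the tunnel

    def outbound(self, pkt: Packet):
        """LAN -> tunnel: rewrite our real source to our alias (source NAT)."""
        if pkt.dst not in self.peer_alias:
            return None      # not for the far LAN: ordinary routing, no tunnel
        return Packet(netmap(pkt.src, LAN, self.own_alias), pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        """tunnel -> LAN: rewrite the alias destination back to the real host."""
        return Packet(pkt.src, netmap(pkt.dst, self.own_alias, LAN))

def round_trip():
    """Host .5 at A talks to host .7 at B. Returns the request on the tunnel,
    the request as delivered at B, and the reply as it arrives back at A."""
    gw_a = Gateway(own_alias=ALIAS_A, peer_alias=ALIAS_B)
    gw_b = Gateway(own_alias=ALIAS_B, peer_alias=ALIAS_A)
    request = Packet(IPv4Address("192.168.0.5"), IPv4Address("10.0.2.7"))
    on_wire = gw_a.outbound(request)                   # 10.0.1.5 -> 10.0.2.7
    delivered = gw_b.inbound(on_wire)                  # 10.0.1.5 -> 192.168.0.7
    reply = Packet(delivered.dst, delivered.src)       # 192.168.0.7 -> 10.0.1.5
    reply_home = gw_a.inbound(gw_b.outbound(reply))    # 10.0.2.7 -> 192.168.0.5
    return on_wire, delivered, reply_home
```

The model covers only the address rewriting; the routes for the alias prefixes over the tunnel and the filter rules on each gateway still have to be set up, which is the part Sean calls tricky.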

