
[Openvpn-users] Re: recommended distro

  • Subject: [Openvpn-users] Re: recommended distro
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Mon, 10 Jan 2005 18:21:15 -0600

On Mon, 10 Jan 2005 22:18:39 +0100, Sebastian Pein wrote:

> as long as you want to have it running on linux, i definitely encourage
> you to take debian. if security is the main concern of your doing, there
> will be no alternative to openbsd.

I tried to stay out, but... well, here's my say.

Debian's a great distro (apt is a great tool, the packages are
generally well-done and conform to policy far better than Red Hat's used
to when I followed such things closely), but it's either ancient
(following stable), or prone to occasionally breaking things without
warning (following testing or unstable).

Gentoo has a number of security-centric options available, including
SELinux and several toolchain hardening attempts; see
http://www.gentoo.org/proj/en/hardened/ for more information. OTOH,
maintaining it can be a PITA -- etc-update and friends are [IMHO] far
overdue for rework by someone with an appreciation for diff3-style
merging. I'd argue that with its optional security features in use, Gentoo
is an excellent alternative to OpenBSD.

Red Hat is experimenting with some of these (SELinux, anyhow) in Fedora.
Eventually such efforts will be reflected in RHEL.

SLES (SuSE's enterprise distribution) is stable, well-architected and
supported, has a wide variety of packages available, and is cheaper than
RHEL. OTOH, "cheaper than RHEL" still isn't cheap, and without paying up
one doesn't get security updates and similar goodness (an objection which
likewise applies to RHEL, but not to its not-commercially-supported
3rd-party clones).

As for OpenBSD, its development has a long stated history of focusing on
security -- but there's an argument to be made that many of their claims
about security are defensible only because of the restrictive manner in
which they define an exploit, and their hardware support isn't
exactly stellar.

My own employer's Linux decision wrt the primary distribution we use was
made based not on features, but rather based on vendor support for
enterprise software, pricing model, and political factors. We could use a
different distribution on our VPN host -- but why? OpenVPN works well with
any reasonable OS and distribution, including every single one mentioned
in this post, so it makes more sense to pick what's appropriate for the
rest of the company and apply that to our VPN system as well.

What I'm trying to get across is that there is no single right answer to
this question, and certainly no pithy one. Trying to provide a solution in
this forum and calling it The One True And Correct Answer, seems simply
