[ale] Poptop

Michael H. Warfield mhw at WittsEnd.com
Tue Mar 14 10:36:00 EST 2006


On Tue, 2006-03-14 at 09:29 -0500, Christopher Fowler wrote:
> On Tue, 2006-03-14 at 09:22, Michael H. Warfield wrote:
> 
> > 	You might get OpenVPN to work as well, but that will require third
> > party software on your XP clients.  XP should already have IPSec NAT-T
> > and merely needs to be configured on those XP clients.  Depending on
> > your needs (like large numbers of clients and high traffic) OpenVPN does
> > not scale as well as IPSec, either.
> > 

> I was hoping I could get pppd working on Cygwin then I could possibly
> look at writing a front end for vtun that could use the minimal cygwin
> environment to initiate a tunnel.

	Ok.  Some people have gotten pppd to compile and run under cygwin but
it doesn't look trivial from what I can tell.  And the vtun site states
explicitly that they have no Windows client.  Sounds like, even after
you get all this assembled, it's going to be far far from easy for "dumb
users" to set up on their XP boxes (one of the original conditions in
this thread, IIRC).  They'll have to install this "minimal" (for some
value of "minimal") cygwin environment plus pppd plus this ported vtun
and its front end.  All that's going to have to be configured and you're
still going to need X.509 certificates for the SSL authentication for
vtun (assuming you are using that, if you are not things get worse and
less secure, AFAICT - there were some remarks about simple password
encryption being incredibly insecure in vtun).

	Tell me again...  What is the advantage of doing all of this over using
OpenVPN (even given that my preference would be to use the built-in and
supported XP facilities of IPSec NAT-T)?

	I think the client side of OpenVPN is pretty close to your dumb user
easy when the server side is running "mode = server" (OpenVPN 2.x).  You
just give him the X.509 certificate and point him back at your OpenVPN
server and the server takes care of pretty much all the rest.  You might
even be able to "can" that configuration into the install and then it's
just load-n-go.  They've already done all the work and already have the
Windows agent.  If you are going to go down the road of adding third
party software to the Windows boxen, I would go OpenVPN.  Why do all
this development effort, when you've already got a package that will do
everything this other thing will and probably do it a whole lot easier?
I just don't see the advantage here at all, since you're not addressing
anything that isn't already addressed by OpenVPN.

	Of the three options, IPSec NAT-T, OpenVPN, or pppd/vtun, it seems to
me that the latter involves far more work (implementation) than either of
the other two.  The choice between the first two would be more in the
realm of if you want something more generally interoperable and standard
(on XP) or if you prefer to add some third party package that may or may
not be easier to set up in the long run (OpenVPN is definitely easier in
the short run but it's a closer horse race in the long run once you have
them set up and are scaling up).

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
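The OpenVPN 2.x "mode server" arrangement Mike describes, where the client gets only its X.509 certificate and the server address and the server pushes everything else, shown as an added configuration example that is not part of this message or of any OpenVPN distribution; file names, hostnames and address ranges are assumptions.

```conf
# --- server.conf (assumed file name) ---
# "server" expands to: mode server, tls-server, and the ifconfig/route
# settings for the address pool, so clients need no per-client tunnel config.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0      # assumed VPN address pool
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem
tls-auth ta.key 0                  # pre-shared HMAC key: packets without it are dropped before the TLS handshake
keepalive 10 120
persist-key
persist-tun
user nobody                        # drop privileges after the tunnel is up
group nogroup
# Everything the client needs beyond its certificate is pushed from here.
push "route 192.168.1.0 255.255.255.0"   # assumed internal LAN behind the server
push "dhcp-option DNS 192.168.1.1"       # assumed internal resolver

# --- client.ovpn (assumed file name; "canned" into the Windows installer) ---
client
dev tun
proto udp
remote vpn.example.com 1194        # assumed server address
nobind
persist-key
persist-tun
remote-cert-tls server             # refuse a peer whose certificate is not a server certificate
                                   # (OpenVPN 2.1+; 2.0 used "ns-cert-type server")
ca   ca.crt
cert client1.crt                   # the one per-user X.509 certificate handed to the user
key  client1.key
tls-auth ta.key 1                  # same key as the server, opposite direction
```

With this split, revoking a user is a server-side change (the CRL or the CA), and the client file never needs to be touched after install.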
