Re: Remote login
- Subject: Re: Remote login
- From: David Godfrey <..hidden..>
- Date: Sat, 27 Mar 2010 16:24:01 +0800
On Sat, 27 Mar 2010, David Godfrey wrote:
We looked at OpenVPN and other VPN options, but there are limitations,
We as in we here at SBTS and some of our customers.
including the setup requirements, and issues with dynamic IPs
Which issues are those? Given that I do it on a daily basis, I am
I have not had a large amount of experience with VPN, but on the few
occasions it has been required, dynamic IPs seemed to be problematic to
work around. One of the customers would not allow DDNS to be used, and
before you ask, I don't know their reasons; it was one of the rules at
It currently does require that the server have a world accessible ssh
server, but then OpenVPN also needs world accessible ports too.
There are solutions such as port knocking to deal with that, if it is a
However, with OpenVPN, assuming you don't run it in server-client mode,
the ports don't actually have to be open.
That is why it can work through firewalls.
Obviously I am missing something here, how does it create a point to
point connection without open ports, and without using a 3rd party server?
Of course, it does require extra setup, but there are Windows versions,
and scripts can be distributed.
I'm not saying that ssh does not have a valid place in this--it is easier
to do port forwarding, for example--but I'm not sold on your reasons for
avoiding OpenVPN yet.
The one reason for ssh is no setup at the client end, which for
occasional connections, or connection from varying locations is much
Especially in the case of going to a prospective client's location and
running a demo using your sample server located back at your office.
It is also nice for a user to be given access to do some extra work from
home, without the need to set up VPN on their machine.
Not sure with VPN but certainly with ssh it is easy to limit the port
forward to only allow connection to the lsmb server and nothing else.
I guess what it boils down to is KISS: ssh is the simplest tool that
allows a secure connection for the task, thus requiring minimal
configuration and security auditing, while OpenVPN allows a much broader
range of behavior, with attendant increase in configuration complexity
resulting in a larger task for security audits etc.
My solution is likely not the best one for a large corp that needs
multiple users and multiple services connected all of the time. For
these users OpenVPN will definitely meet their needs better.
While I believe that my solution is more appropriate for transient
connections or for small business where a remote connection is only
needed for access to lsmb.
I apologize for the length and rambling nature of the email, and also if
I have not been clear enough in expressing my thoughts.
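
The restriction mentioned in the message (limiting the port forward to the lsmb server and nothing else) can be expressed in the server's sshd_config; the fragment below is an added example, not part of the original message or of LedgerSMB. The account name `lsmbtunnel`, the address `127.0.0.1:443` for the LedgerSMB web front end, and the path `/bin/false` are assumptions.

```conf
# /etc/ssh/sshd_config on the ssh server (added example, constructed values)
#
# Weak baseline, shown commented out for comparison: an ordinary login
# account under sshd defaults gets a shell and may forward to any host
# and port the server itself can reach.
#   AllowTcpForwarding yes

# Restricted: a tunnel-only account pinned to the LedgerSMB listener.
# "lsmbtunnel" is a hypothetical account name.
Match User lsmbtunnel
    # Client-to-server (-L) forwards only; no remote (-R) forwards.
    AllowTcpForwarding local
    # The single destination a forward may reach (assumed LedgerSMB address).
    PermitOpen 127.0.0.1:443
    # Do not let forwarded ports bind on non-loopback addresses.
    GatewayPorts no
    # No tun/tap layer-3 tunnels.
    PermitTunnel no
    X11Forwarding no
    AllowAgentForwarding no
    # No interactive terminal.
    PermitTTY no
    # Any shell or command request exits immediately; forwarding still works.
    ForceCommand /bin/false
```

Running `sshd -t` checks the edited file for syntax errors before the daemon is reloaded. A client then connects with something like `ssh -N -L 8443:127.0.0.1:443 lsmbtunnel@server.example` (placeholder host name), and a forward to any other destination is refused by the server.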