Hi Luke,

Luke wrote:
> On Sat, 27 Mar 2010, David Godfrey wrote:
>> We looked at openvpn and other VPN options, but there are limitations,
> We?

We as in we here at SBTS and some of our customers.

>> including the setup requirements, and issues with dynamic IPs
> Which issues are those? Given that I do it on a daily basis, I am curious.

I have not had a large amount of experience with VPN, but on the few occasions it has been required, dynamic IPs seemed to be problematic to work around. One of the customers would not allow DDNS to be used, and before you ask, I don't know their reasons; it was one of the rules at that site.

>> It currently does require that the server have a world accessible ssh server, but then OpenVPN also needs world accessible ports too.
> There are solutions such as port knocking to deal with that, if it is a concern. However, with OpenVPN, assuming you don't run it in server-client mode, the ports don't actually have to be open. That is why it can work through firewalls.

Obviously I am missing something here: how does it create a point to point connection without open ports, and without using a 3rd party server?

> Of course, it does require extra setup, but there are windows versions, and scripts can be distributed. I'm not saying that ssh does not have a valid place in this--it is easier to do port forwarding, for example--but I'm not sold on your reasons for avoiding OpenVPN yet.

The one reason for ssh is no setup at the client end, which for occasional connections, or connections from varying locations, is much simpler. Especially in the case of going to a prospective client's location and running a demo using your sample server located back at your office. It is also nice for a user to be given access to do some extra work from home, without the need to set up VPN on their machine. Not sure with VPN, but certainly with ssh it is easy to limit the port forward to only allow connection to the lsmb server and nothing else.

I guess what it boils down to is KISS: ssh is the simplest tool that allows a secure connection for the task, thus requiring minimal configuration and security auditing, while OpenVPN allows a much broader range of behavior, with an attendant increase in configuration complexity resulting in a larger task for security audits etc.

My solution is likely not the best one for a large corp that needs multiple users and multiple services connected all of the time. For these users OpenVPN will definitely meet their needs better. While I believe that my solution is more appropriate for transient connections or for small business where a remote connection is only needed for access to lsmb.

I apologize for the length and rambling nature of the email, and also if I have not been clear enough in expressing my thoughts.

Regards
David G
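The restriction David mentions (an ssh key that can forward only to the lsmb server and nothing else) is done server-side with authorized_keys options. The script below is an added example, not code from the thread or from either list member: it builds such an entry, prints the matching client command, and audits an authorized_keys file for keys that lack a destination restriction. The hostname lsmb.internal, port 80, the login name tunnel, the host office.example and the key strings are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict an ssh account so its key can
# only open a tunnel to the lsmb server, and audit authorized_keys for entries that
# lack such a restriction.
# Assumptions (hypothetical): the lsmb web server is reachable from the ssh host as
# lsmb.internal on port 80; key strings used below are constructed placeholders.

LSMB_HOST="lsmb.internal"   # assumed internal hostname of the lsmb server
LSMB_PORT="80"              # assumed port of the lsmb web interface

# Build an authorized_keys line for a forward-only key:
#   permitopen                 -> the only destination an -L forward may target
#   command=/bin/false, no-pty -> no usable shell even if a session is requested
#   no-agent-forwarding, no-X11-forwarding -> nothing else rides the connection
# AllowTcpForwarding must remain enabled in sshd_config for this account.
restricted_entry() {
    key="$1"   # e.g. "ssh-ed25519 AAAA... user@host"
    printf 'permitopen="%s:%s",command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$LSMB_HOST" "$LSMB_PORT" "$key"
}

# Count entries in an authorized_keys file that carry no permitopen restriction.
# Prints the count; exit status is non-zero if any unrestricted entry exists,
# so the function can gate a periodic audit job.
unrestricted_count() {
    file="$1"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;                 # blank line or comment
            *permitopen=*) ;;           # destination-restricted entry
            *) n=$((n + 1)) ;;          # key may forward anywhere the host can reach
        esac
    done < "$file"
    echo "$n"
    [ "$n" -eq 0 ]
}

# Client side (from the laptop): bind local port 8080 to the lsmb server through
# the office ssh host. -N requests no remote command, so command="/bin/false"
# is never even invoked; only the forward is set up.
client_command() {
    printf 'ssh -N -L 8080:%s:%s tunnel@office.example\n' "$LSMB_HOST" "$LSMB_PORT"
}

if [ "${1:-}" = "--demo" ]; then
    restricted_entry "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER tunnel@laptop"
    client_command
fi
```

Run with `--demo` to print the authorized_keys line and the client command. One caveat worth knowing before relying on this: `permitopen` constrains local (`-L`) forwards only; a client could still request remote (`-R`) forwards unless those are disabled separately, so for an account that exists purely to reach the lsmb server, check the remote-forwarding side of sshd_config as well.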