ssh, openswan, openvpn or ...?


We have an iptables firewalling router setup here that is working well,
as we've stress-tested it from external sites using all the attack tools
we can find.

We have several users that are "on the road" and require connectivity
from various sites such as motels, coffeehouses, airports and dialup to
various ISPs. We'd like to have a secure tunneling connection for these
users, and we'd like to ask what might be a viable solution that works
for all these various connection points?

By viable I mean that even username and password wouldn't be sniffable
during connection initiation.

Re: ssh, openswan, openvpn or ...?

["Followup-To:" header set to]

All three, SSH (v2), IPsec (Openswan is a good choice indeed; ipsec-tools
is pretty crappy in configuration) and OpenVPN, are viable according to
your definition.

SSH would be least problematic: it's just a single TCP port to be
enabled (and the port could be stolen from HTTPS, which is pretty
commonly passed through firewalls) and would work ideally for me, a Linux
admin. But would it be as simple for your users?

IPsec in the Openswan implementation is simple to configure once you manage
to understand IPsec itself (and that can be difficult). You need to
consider the other side of the connection, though, and if it's Windows, you
may need to do some more setup. But as it is a VPN, your users will see
resources as if they were connected directly to your network. And one
more thing: IPsec requires some non-standard setup for NATs. If you
don't know IPsec yet, don't use it now and save yourself a headache.

OpenVPN is a bit more troublesome in preparing the configuration file than
Openswan (not too much, though, if you know IP networks well), but it
needs just a single port (UDP or TCP, you choose) and still gives you
a VPN.

If your users are experienced un*x users, I'd stay with SSH. If they're
just clerks and/or management, I'd go for OpenVPN.

Secunia non olet.
Stanislaw Klekot

Re: ssh, openswan, openvpn or ...?

On 25.01.2010 20:52, Stachu 'Dozzie' K. wrote:

I would recommend OpenVPN; it's feature-rich and simple to install
and configure.

You can use password or locally signed certificate authentication (you
can even use a certificate revocation list).

Using a single UDP or TCP port, it is set up in minutes.

The OpenVPN server can invoke a login and logout script at each
connection (e.g. adding/removing iptables rules).

One of its best features is sending the routing table to the client, and so
choosing which network is 'joinable' through the VPN.


Re: ssh, openswan, openvpn or ...?

On Mon, 25 Jan 2010 19:32:38 +0000, Greg Russell asked:


The most secure would, as far as I am aware, be ssh over an openvpn
session with TLS authentication.

Have a look at the introduction and further documentation at


For even more security, you could consider the use of smart cards plus
user PIN as part of the authorization procedure.


One nice aspect of openvpn is that you can set up categories of users,
with different access privileges, if so desired.

The server can enforce client-specific access rights based on embedded
certificate fields, such as the Common Name.

And should a laptop machine be lost on the road, even though the system
should be setup requiring a password as well as a certificate on the
laptop, the certificate on the laptop can be revoked at any time.
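As an added example (not from any poster in this thread): a client-connect/client-disconnect hook of the kind the two posts above describe, which derives an access group from the certificate Common Name and adds or removes iptables rules for that client's tunnel address when it connects and disconnects. The common_name, ifconfig_pool_remote_ip and script_type variables are ones OpenVPN exports to such scripts; the "<group>-<user>" CN naming scheme, the VPN_ACL chain and the network ranges are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-user iptables rules chosen from
# the OpenVPN client certificate CN. OpenVPN exports common_name,
# ifconfig_pool_remote_ip and script_type to client-connect and
# client-disconnect scripts; everything else below is an assumption.
set -eu

IPT=${IPT:-iptables}       # set IPT=echo to print rules instead of applying
CHAIN=${CHAIN:-VPN_ACL}    # assumed user-defined chain referenced from FORWARD

# Map a certificate CN to an access group. CNs are assumed to be named
# "<group>-<user>", e.g. admin-alice or staff-bob; anything else is guest.
group_for_cn() {
  case "$1" in
    admin-*) echo admin ;;
    staff-*) echo staff ;;
    *)       echo guest ;;
  esac
}

# Networks each group may reach through the tunnel (constructed sample values).
nets_for_group() {
  case "$1" in
    admin) echo "10.0.0.0/8" ;;
    staff) echo "10.10.0.0/16 10.20.0.0/16" ;;
    guest) echo "10.30.0.0/24" ;;
  esac
}

# Add (-A) or delete (-D) the rule set for one client.
# $1 = -A|-D, $2 = certificate CN, $3 = client's tunnel IP address
apply_rules() {
  grp=$(group_for_cn "$2")
  for net in $(nets_for_group "$grp"); do
    "$IPT" "$1" "$CHAIN" -s "$3" -d "$net" \
      -m comment --comment "cn=$2" -j ACCEPT
  done
  # Anything not explicitly allowed for this client is dropped.
  "$IPT" "$1" "$CHAIN" -s "$3" -j DROP
}

# OpenVPN tells the script which event it is being run for.
case "${script_type:-}" in
  client-connect)    apply_rules -A "$common_name" "$ifconfig_pool_remote_ip" ;;
  client-disconnect) apply_rules -D "$common_name" "$ifconfig_pool_remote_ip" ;;
esac
```

The server config would reference the script with the client-connect and client-disconnect directives (with script-security 2), and the DROP rule means a revoked or unknown user gains nothing beyond what their group explicitly allows.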

Re: ssh, openswan, openvpn or ...?

Greg Russell wrote:

I would recommend ssh with public/private cryptography keys. It is the
easiest to configure correctly and is flexible enough for most scenarios. It
is also very network/router/firewall friendly.


Don't use password authentication. The component between the screen and the
chair is too insecure and unreliable! ;)


Re: ssh, openswan, openvpn or ...?

On 25/01/2010 20:32, Greg Russell wrote:

ipsec solutions are certainly secure (with correct configuration, of
course), but can be a real pain for routing, NAT traversal, and so on.
You are also, as far as I know, limited to a single ipsec tunnel
endpoint for each ip address, though there can be many connections to
the same tunnel end point at the time.  By that I mean that you can have
many clients connecting to the server, but they are all attached to the
same virtual network port on the server.  Similarly, each client can
only be connected to only one server at a time.  (Hopefully someone will
correct me if that's not true.)

ssh is for remote shell access.  You /can/ do port forwarding with it to
give access to other resources, but it is not great for the purpose - it
won't make the best use of the bandwidth, and it is far from convenient
to specify the forwarding connections if there are many of them.
However, it is extremely handy for doing ad-hoc connections and giving
yourself a "backdoor" into your system (put it on a non-standard port so
the bad guys don't keep knocking on it).  You can either pre-share the
cryptographic keys or use passwords, or both.

openvpn is, IMHO, an extremely useful way to handle remote connections.
It can take a bit of learning to figure out how the configuration is
done, but when you've done it once you just copy and modify the
configuration file for others.  It's a no-brainer for the clients - on
windows you get an icon in your tray and you just select "connect" from
the menu as needed.  On Linux you can use the command line or a gui as
you fancy.  You can configure it on the server with all sorts of
options, and happily have multiple tunnels on different ports.  That way
you can have different groups connected to different virtual network
ports on the router, and use iptables and routing to connect them to
different parts of the network.  Security is solid, with cryptographic
keys and optional passwords, and support for various other
identification systems.

I use openvpn whenever we need secure external access to a server, along
with a ssh backdoor for maintenance purposes.

Re: ssh, openswan, openvpn or ...?


It really depends on whether the remote users are running linux/Unix
or may be using Microsoft - the latter can really restrict your

IPSEC is rather difficult to set up, particularly between non-fixed
points (and particularly where it may be crossing NAT boundaries).
OpenSwan has some extensions for supporting 'road warriors' though.

I haven't used openVPN but if support for Microsoft may be important
then it's definitely worth thinking about.

Note that you **can** create a tunnelled connection using SSH (not
just port forwarding) by running ppp through the connection - I've
previously done this using stunnel rather than ssh and it proved very
reliable with only a very slight impact on bandwidth (we even used
VOIP across the VPN with no noticeable delay).

I've also previously used stunnel to provide on-demand port-forwarding
for MS clients - again very reliable and a no-brainer for the
end-users. There's a bit of overhead in setting up your own CA / or buying
in certs but if I can set up a CA and IKE infrastructure anyone can!


Re: ssh, openswan, openvpn or ...?


C. wrote:

OpenSSH also supports native IP tunnelling through the use of TUN
interfaces (not to be confused with the classic TCP port forwarding).
See the -w option or the Tunnel directive. However I have seen warnings
about issues regarding tunnelling of IP over TCP and packet loss (TCP is
stream-oriented, so a single lost packet blocks the reception of all
subsequent packets until it is successfully retransmitted). This applies
to PPP over SSH too.

Re: ssh, openswan, openvpn or ...?

C. wrote:

OpenVPN clients are extremely easy to work with in Windows (assuming you
install the gui - on older versions of OpenVPN, the windows gui was a
separate program, but these days it is in the main installation
package).  In fact, I haven't seen anything as convenient for activating
OpenVPN tunnels in Linux - not that I have looked very hard, since I am
happy using the command line for that sort of thing, and my colleagues
who want a point-and-click gui use windows.


You certainly /can/ do that sort of thing with ssh - it's a swiss army
knife tool.  But OpenVPN is dedicated to the task, and it's easier.


I've not used stunnel - it looks like it could do the job, but OpenVPN
is (to my knowledge) a more complete package.

See also <

Re: ssh, openswan, openvpn or ...?


After all the recommendations, we've chosen openvpn, and it was indeed very
easy to install, configure and administer, using the web-based admin GUI on
the Linux server. It correctly configured the iptables firewall too, which
was a concern.

To test, we used a Windows 2000 machine on dialup, connected to the client
interface on the Linux web host, downloaded the M$ installer and the
user-specific client profile. Everything was indeed very easy.

The trouble is that it doesn't work for some strange reason. The Windows
client connects, authentication completes, but the Windows client then
disconnects after about 5-15 seconds for no discernible reason.

The openvpn server shows that the client is still connected with an assigned
IP address though, but a "route print" on the Windows machine has no route
for the vpn packets, and "ipconfig /all" shows the virtual TUN interface
with no assigned IP address and no gateway address, and the task tray icon
shows the TUN interface as "cable unplugged".

We've copied the log entries from the openvpn linux server to the "live
chat" tech support at openvpn, and they can see nothing wrong with the
connection, nor can they offer any possible reason for the failure of the M$
client to be properly configured with the necessary vpn DHCP information.

For the moment at least, we're defeated.

Re: ssh, openswan, openvpn or ...?

Greg Russell wrote:

Did you check the Linux logs?

If I were you, I'd next install a network sniffer on the
Linux machine and catch two traffic streams at the time
of the unsuccessful connection:

- The dial-up connection (PPP?), called tunnel outside,
- The VPN connection, called tunnel inside.

For sniffers, my favourite is Wireshark, but the raw capture
can be done with tcpdump. If it is not possible to run
X on the server, I'd capture the traffic with tcpdump's
write to file option and decode the captures on a workstation
with Wireshark.


Tauno Voipio
tauno voipio (at) iki fi

Re: ssh, openswan, openvpn or ...?


Interesting thread.

Tethereal, which comes with ethereal (X app), is a great console
packet sniffer. I run it in its own window all the time.


Re: ssh, openswan, openvpn or ...?

Sidney Lambe wrote:

Forget Ethereal and friends, it is Wireshark and tshark now.


Tauno Voipio

Re: ssh, openswan, openvpn or ...?


Unless you explain why this is supposedly the case, your words
will be ignored by me and everyone else with a functioning mind.

As they would be if your explanation was inadequate.

I use tethereal and it works wonderfully.


Rather the big ego he has, eh?


Re: ssh, openswan, openvpn or ...?


You're joking, right?  The name of the program changed from
Ethereal to Wireshark years ago.  Any remotely recent version
will be called wireshark (or tshark).


Yet you paid them attention, thus belying your own statement.


Bully for you, but running out-of-date software puts you at
risk of attack. Tshark is what the program has been called for
something like 4 years now.  You might want to update your
software every year or three, Sid -- especially stuff that uses
root privileges like "ethereal".


Re: ssh, openswan, openvpn or ...?


Actually, that's wrong. There's nothing any packet sniffer or
firewall can do to prevent attacks. The firewall can fend them
off, that's all. The sniffer can't do anything but watch.



Re: ssh, openswan, openvpn or ...?

Oh, dear. Getting in a thread where Sidney pops up is always....
troublesome. He's often quite wrong, but not necessarily for the
obvious reasons that it's so easy to yell at him about. So it can be
worth posting a followup thread to correct his confusions, explaining
rather than yelling.

In this case, a fast lookup shows that "ethereal" was renamed
"wireshark" roughly four years ago. Sidney's use of the old tool
indicates that he's missed out on years of patches and updates. Such
patches can be performance, legality, or security related. And for an
application as powerful and subtle as wireshark, it's not "some geeks
have twiddled with an app", that's roughly 4 years of development
being ignored. The ChangeLog for the 1.0.8 version for RHEL 5
shows continuing developments for things like SSL and MPEG handling,
and even before then, there's all *kinds* of fascinating network
behavior that's gotten more common that wireshark may have gotten
better with. (RST packets, for example, which have become ubiquitous
at Comcast for throttling Bittorrent.)

The security risks of running out of date software with security
privileges such as wireshark needs to monitor packets are....
interesting. Old security flaws might be an issue, especially if
Sidney is leaving the rest of his software that far out of date or if
there were any fascinating flaws in their compilation. More
importantly, old monitor software is liable to *miss* things that more
recent software will detect.

So, yes, pooh-poohing the far more recent releases on the grounds that
the old one "works fine" is foolish.

Re: ssh, openswan, openvpn or ...?


Did it give your little weenie a hardon to say that, you stupid


And I'll bet it's not the first time.


Re: ssh, openswan, openvpn or ...?


Just for the sake of curiosity, how many times does somebody
need to be "killfiled" by you before you stop replying to their

Grant Edwards                   grante             Yow! My nose feels like a
                                  at               bad Ronald Reagan movie ...

Re: ssh, openswan, openvpn or ...?


So Grant Edwards shows up and tacks one line on my post for
a reply.

Only stinking trolls do that.

I will let him eat his own shit.

Yes, Granty Poo, there are people who disagree with you
and whom you can't bully.

Life's a bitch.

