Re: n900, email and openvpn - sweet
A reason for choosing OpenVPN over allowing direct SSH connection is typically that the site has all the computers on an internal network, behind a firewall. These computers are without an externally accessible IP address. Thus, no direct SSH possible. Then you set up a single OpenVPN server behind the firewall, and you set up the firewall to forward the OpenVPN ports to it.
Now you use OpenVPN to get access to the network, and after that you use SSH to access the computers on the network. Thus, you have ssh inside VPN, not so much for added security but because that's the login method of choice for most people anyway - and you also have encryption when moving around on the internal network.
Re: n900, email and openvpn - sweet
While that's true TA-t3, if you want access to only 1 or 2 machines or something behind the firewall that's what port forwarding is for. You port forward whatever port your SSH is on from the external IP to the internal IP of the machine and direct SSH then does become possible.
However, if you want access to more than one machine behind that firewall then forwarding a dozen different ports to a dozen different computers becomes nonsense. This is why I said VPNs are usually used to access multiple computers behind the remote machine (the internal network). Really my confusion is though why techdork seems to be implying that using OpenVPN is not a secure method of creating a tunnel... but ssh is?
Re: n900, email and openvpn - sweet
Port forwarding from a single machine is something that may be done for the home. For work you would normally always use VPN, and any directly accessible SSH computers would be put on a demilitarized zone, outside the proper firewall.
For my own setup I would use VPN also for a home network, it's easy enough to configure and it's also much more convenient - the VPN will give you access to lots more than just remote login. When using only SSH you would have to set up tunneling for everything that's not login. As for security - I can only agree, why should SSH be more secure than OpenVPN? I'm not aware of any well-known security problem with OpenVPN (unlike the MS implementation of PPTP, for example).
Re: n900, email and openvpn - sweet
Ok this might sound silly, but how do you launch the openvpn-applet??
I just can not find it, but it is installed when I check with dpkg [along with openvpn] Thanks
Re: n900, email and openvpn - sweet
Ahhh it is in the Status menu. It took a long time, even a few reboots for it to appear there.
Weird.
Re: n900, email and openvpn - sweet
Quote:
Using firewall ACLs is not really practical as I want easy access and using an n900 means my IP changes. Port knocking is a possibility, but I want other traffic other than ssh. smtp, imap, ldap etc. There is a reason openvpn and ipsec were created.... can't see why you are confused.
Re: n900, email and openvpn - sweet
if people are happy with openvpn and gui can we vote it up pls
Re: n900, email and openvpn - sweet
Quote:
If you come up with a working upstart version of the current initscript, you might want to file a bug also upstream (i.e., Debian) and attach your script. Not even Ubuntu ships OpenVPN with an upstart script, even though they use it already.