n900, email and openvpn - sweet
I set up my email account (imap/smtp) with tls and found it to be quite laggy, which I found irritating (but usable, just had to be patient).
I need to be able to ssh to my server, and being paranoid I can only do that through a vpn tunnel (openvpn). I installed it from extras-devel and found it to be painless: just copied my config from my laptop across, installed it into /etc/openvpn, and to my surprise it worked first time, and I haven't had any battery drain or stability problems (any way I can help push this into extras?). But then I thought, seeing as it was so easy to set up, with no stability issues and no noticeable drain on the battery, I'd keep it on and change my email to use the local address and not use tls for encryption. The email application is now virtually instant in its response, so I'd recommend anyone to try this method if they can. I'm not sure whether it's the tls in modest being crappy, or whether using openvpn with compression is making the difference - and pumping my username/password onto the internet in plain text to see which one it is isn't my idea of fun.
Re: n900, email and openvpn - sweet
I also tried the same with my work email. We don't have activesync connections open to the Internet, but with openvpn and MailForExchange it's possible to do the trick. I'm under the impression that the GUI for openvpn isn't usable yet, so the next thing would be doing something like this to make opening the connection faster (sorry, the forum is Finnish, but you'll get the point).
Re: n900, email and openvpn - sweet
Copy configs to the SD card on the N900, then open a terminal, "sudo gainroot", then "cp /media/mmc1/openvpn/* /etc/openvpn/". Then you can select the config file from the gui, and it works fine. Agreed, not ideal, but works well.
Re: n900, email and openvpn - sweet
SSH (RSA) on a non-standard port with a firewall ACL makes more sense. :confused:
Re: n900, email and openvpn - sweet
Anyone care to share a working openvpn config, client and server, for this? Last I tried I couldn't get any routing through, and since there is no nat support I wasn't able to mess with that as a workaround either.
Much appreciated. p.s. It's been ages since I messed with openvpn and I hardly have a need for it, so I'd rather avoid relearning everything if I can.
Re: n900, email and openvpn - sweet
I can't make this app work (OpenVPN). I've installed it through the application manager, and now what?
Re: n900, email and openvpn - sweet
RSA is a public-key cryptography... x.509 is a public-key infrastructure. They are completely different. x.509 includes RSA encryption (or can, it can also include others) when generating the certificates. The certificates are controlled via Certificate Authorities (CA's). Both OpenVPN and SSH use SSL. Now, x.509 (thus OpenVPN) is usually harder to implement than OpenSSH key-pairs, but could you provide me documentation that actually says that using OpenVPN with keys is less secure than using SSH with keys? I would find that result highly suspect. Typically the two things are used for different purposes - SSH is used for single machines to connect to remote machines and control them. It has the ability to forward certain ports, or create SOCKS tunnels, which are the most common. And yes, since OpenSSH 4.3 it also has the ability to create "on-the-fly" VPN tunnels using tun - exactly like a VPN, however more uncommon. VPN's are mostly used to connect single, or many, machines to not only the remote computer, but the entire network behind that computer as well - and very commonly: to route all local traffic through the tunnel. IF you want to be able to access your personal desktop computer's files from a "road warrior" laptop/phone/whatever and you have a firewall sitting on your perimeter blocking all access to your internal LAN.. VPN is the way to do it (IMHO). I don't see how forwarding a port directly to my internal desktop is any more secure than establishing a tunnel to my firewall, and from my firewall accessing my internal desktop. At a cryptographic level.. they are using identical algorithms. In the OP he mentions using SSH over OpenVPN. So an encrypted tunnel over an encrypted tunnel. In theory this definitely provides better security. Even if, hypothetically, the VPN tunnel is compromised, the SSH is not. However, in reality - this is likely truly unnecessary. The chances of someone cracking just the SSH session OR the VPN session are slim to nil.
Granted, the software implementing SSH or a VPN can and will be susceptible to exploits.
Re: n900, email and openvpn - sweet
A reason for choosing OpenVPN over allowing direct SSH connection is typically that the site has all the computers on an internal network, behind a firewall. These computers are without an externally accessible IP address. Thus, no direct SSH possible. Then you set up a single OpenVPN server behind the firewall, and you set up the firewall to forward the OpenVPN ports to it.
Now you use OpenVPN to get access to the network, and after that you use SSH to access the computers on the network. Thus, you have ssh inside VPN, not so much for added security but because that's the login method of choice for most people anyway - and you also have encryption when moving around on the internal network.
Re: n900, email and openvpn - sweet
While that's true TA-t3, if you want access to only 1 or 2 machines or something behind the firewall, that's what port forwarding is for. You port forward whatever port your SSH is on from the external IP to the internal IP of the machine, and direct SSH then does become possible.
However, if you want access to more than one machine behind that firewall, then forwarding a dozen different ports to a dozen different computers becomes nonsense. This is why I said VPN's are usually used to access multiple computers behind the remote machine (the internal network). Really, my confusion is why techdork seems to be implying that using OpenVPN is not a secure method of creating a tunnel... but ssh is?
Re: n900, email and openvpn - sweet
Port forwarding from a single machine is something that may be done for the home. For work you would normally always use VPN, and any directly accessible SSH computers would be put on a demilitarized zone, outside the proper firewall.
For my own setup I would use VPN also for a home network; it's easy enough to configure and it's also much more convenient - the VPN will give you access to lots more than just remote login. When using only SSH you would have to set up tunneling for everything that's not login. As for security - I can only agree, why should SSH be more secure than OpenVPN? I'm not aware of any well-known security problem with OpenVPN (unlike the MS implementation of PPTP, for example).
Re: n900, email and openvpn - sweet
Ok, this might sound silly, but how do you launch the openvpn-applet?
I just cannot find it, but it is installed when I check with dpkg [along with openvpn]. Thanks
Re: n900, email and openvpn - sweet
Ahhh it is in the Status menu. It took a long time, even a few reboots for it to appear there.
Weird.
Re: n900, email and openvpn - sweet
Re: n900, email and openvpn - sweet
Using firewall acls is not really practical, as I want easy access, and using an n900 means my ip changes. Port knocking is a possibility, but I want other traffic than ssh: smtp, imap, ldap etc. There is a reason openvpn and ipsec were created.... can't see why you are confused.
Re: n900, email and openvpn - sweet
If people are happy with openvpn and the gui, can we vote it up pls?
Re: n900, email and openvpn - sweet
If you come up with a working upstart version of the current initscript, you might want to file a bug also upstream (i.e., Debian) and attach your script. Not even Ubuntu ships OpenVPN with an upstart script, even though they use it already.
Re: n900, email and openvpn - sweet
I would prefer an option in the applet to auto-start openvpn if there is an active network connection, and disable it if the connection goes.
The reason is that if I am abroad where roaming applies, and therefore I don't always have network connectivity, having openvpn bouncing all the time will drain the battery unnecessarily, won't it? I'm sure that can be done, can't it?
Re: n900, email and openvpn - sweet
On the other hand, IF openvpn is configured to use if-up.d/if-down.d then it should be stopped and then restarted when a network connection goes up or down; which perhaps should be the default with or without the applet.
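The if-up.d/if-down.d idea from the last two posts, as an added example that is not part of the thread or of the openvpn package: a hypothetical hook script (installed under both /etc/network/if-up.d/ and /etc/network/if-down.d/) that restarts OpenVPN when a real uplink comes up and stops it when the uplink goes down, so the daemon is not left retrying while roaming with no connectivity. It assumes the ifupdown convention of exporting MODE and IFACE to hook scripts and a /etc/init.d/openvpn initscript; the decision logic is kept in a function so it can be checked without touching the system.

```shell
#!/bin/sh
# Hypothetical OpenVPN uplink hook (not the package's own script).
# ifupdown runs hooks with MODE=start|stop and IFACE=<interface> exported.

# Map an ifupdown event to an action: prints "start", "stop" or "ignore".
# $1 = MODE, $2 = IFACE
openvpn_action() {
    mode="$1"
    iface="$2"
    case "$iface" in
        lo|tun*|tap*)
            # Loopback is never an uplink, and tun*/tap* is the VPN's own
            # tunnel device: restarting openvpn when it appears would loop.
            echo ignore
            return 0
            ;;
    esac
    case "$mode" in
        start) echo start ;;   # uplink (wlan0, gprs0, ...) came up
        stop)  echo stop ;;    # uplink went away, stop the retry loop
        *)     echo ignore ;;  # unknown phase, do nothing
    esac
}

# Act only when invoked by ifupdown, i.e. when it exported the variables.
if [ -n "$MODE" ] && [ -n "$IFACE" ]; then
    case "$(openvpn_action "$MODE" "$IFACE")" in
        start) /etc/init.d/openvpn restart ;;  # fresh session on the new link
        stop)  /etc/init.d/openvpn stop ;;
    esac
fi
```

The restart on "start" rather than a plain start is deliberate: a daemon that survived the old link would otherwise keep its stale session and never rebind to the new address.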
Re: n900, email and openvpn - sweet
100% certain. It's the first place I looked/expected it to be.
Re: n900, email and openvpn - sweet
The reason I was a bit concerned was that I selected to install the GUI only, knowing apt would bring openvpn in as a dependency. But when it didn't show, I was worried dependency handling wasn't working in Maemo's apt. But it is :)
Re: n900, email and openvpn - sweet
I too had huge problems getting OpenVPN to appear in my status bar. Installed and uninstalled several times (and many reboots in between) but nothing. I just managed to get it to appear after a reinstall on top of the original and a reboot.
Re: n900, email and openvpn - sweet
I have set up OpenVPN as well (just got my n900 last night).
Not sure what the applet does, didn't try installing it. But it works fine the normal way (terminal). As for the openvpn vs ssh security thing, I think the OPPOSITE of what techdork said is true. SSH (unless you use encrypted pre-shared keys) is LESS secure than OpenVPN, which uses certificates by default. Password SSH is susceptible to snooping (at least during the handshake), and man-in-the-middle attacks (at least the first attempt at connecting is). Anyone disagree?