Originally Posted by techdork
If you are *truly* paranoid, how do you see OpenVPN (x509 PKI) being a secure means for creating a tunnel?

SSH (RSA) on a non-standard port with a firewall ACL makes more sense.

OK, wait... what? (slight thread hijack)

RSA is a public-key cryptosystem... X.509 is a public-key infrastructure. They are completely different.

X.509 includes RSA encryption (or can; it can also include others) when generating the certificates. The certificates are controlled via Certificate Authorities (CAs).

Both OpenVPN and SSH use SSL.

Now, X.509 (thus OpenVPN) is usually harder to implement than OpenSSH key pairs, but could you provide me documentation that actually says that using OpenVPN with keys is less secure than using SSH with keys?

I would find that result highly suspect. Typically the two things are used for different purposes: SSH is used for single machines to connect to remote machines and control them. It has the ability to forward certain ports, or create SOCKS tunnels, which are the most common uses. And yes, since OpenSSH 4.3 it also has the ability to create "on-the-fly" VPN tunnels using tun, exactly like a VPN; however, this is more uncommon.

VPNs are mostly used to connect single, or many, machines to not only the remote computer, but the entire network behind that computer as well, and very commonly to route all local traffic through the tunnel. If you want to be able to access your personal desktop computer's files from a "road warrior" laptop/phone/whatever and you have a firewall sitting on your perimeter blocking all access to your internal LAN, VPN is the way to do it (IMHO).

I don't see how forwarding a port directly to my internal desktop is any more secure than establishing a tunnel to my firewall, and from my firewall accessing my internal desktop.

At a cryptographic level, they are using identical algorithms.

In the OP he mentions using SSH over OpenVPN. So an encrypted tunnel over an encrypted tunnel. In theory this definitely provides better security. Even if, hypothetically, the VPN tunnel is compromised, the SSH is not. However, in reality this is likely truly unnecessary. The chances of someone cracking just the SSH session OR the VPN session are slim to nil.

Granted, the software implementing SSH or a VPN can and will be susceptible to exploits.

Last edited by fatalsaint; 2009-12-16 at 21:46.