DaemonForums  

#1, 23rd December 2008
revzalot (Shell Scout)
Join Date: May 2008
Posts: 123
SSH tunneling vs. OpenVPN

I've set up both on my firewall. I find SSH tunneling more convenient than OpenVPN. So the question is which one is much safer when you're at a public hotspot doing online banking through your home network?
Reply With Quote
#2, 24th December 2008
BSDfan666 (Banned)
Real Name: N/A, this is the interweb.
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

It always depends on the circumstances.. obviously.

But look at it this way, OpenVPN is GPL and bloated.. OpenSSH is liberal and light.

Both support OSI level 2/3 tunnelling.. both utilize OpenSSL.

Pick the one you feel is right.
Reply With Quote
#3, 24th December 2008
revzalot (Shell Scout)
Join Date: May 2008
Posts: 123

OpenSSH is truly amazing due to its light weight and ease of configuring.
Reply With Quote
#4, 28th December 2008
corey_james (Uber Geek)
Join Date: Apr 2008
Location: Brisbane, Australia
Posts: 238

I'd use SSH over VPN any day!

I have no valid reasons, I just like ssh ^^
__________________
"No, that's wrong, Cartman. But don't worry, there are no stupid answers, just stupid people." -- Mr. Garrison

Forum Netiquette
Reply With Quote
#5, 16th April 2009
s2scott (Package Pilot)
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198

<back after a long absence...>

The one potential disadvantage of SSH is that it is over TCP, not over UDP. As the transmission (e.g. 802.11) degrades, the encryption correction/recovery compounds with TCP correction/recovery. Extra CPU cycles and some packets are spent/wasted.

This is only a problem on dirty/poor sessions.

In two years of operating this way, I've "suffered" it maybe two or three times. OpenVPN or IPsec would have suffered it better.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Reply With Quote
#6, 16th May 2009
There0 (./dev/null)
Join Date: Jul 2008
Posts: 170

I too would have to go with OpenSSH tunneling, in fact I dropped OpenVPN tunneling in favour of implicit SSH tunnels instead about 4.3ish.

I do have a great howto with OpenBSD/OpenVPN/AuthPF if you really care to try (it's a bit dated), just tried uploading and could not, I can send them to you if you like, let me know.
Reply With Quote
#7, 16th May 2009
windependence (Shell Scout)
Real Name: Tim
Join Date: May 2008
Location: Phoenix, Arizona
Posts: 116

Quote:
Originally Posted by s2scott
<back after a long absence...>

The one potential disadvantage of SSH is that it is over TCP, not over UDP. As the transmission (e.g. 802.11) degrades, the encryption correction/recovery compounds with TCP correction/recovery. Extra CPU cycles and some packets are spent/wasted.

This is only a problem on dirty/poor sessions.

In two years of operating this way, I've "suffered" it maybe two or three times. OpenVPN or IPsec would have suffered it better.

/S

I dunno. I just set up OpenVPN for a local lumber company's sales force and we had to go to TCP because UDP wasn't stable enough. In this case I don't know how I would have implemented an ssh tunnel for them to access their desktops without making it difficult for them. What would you guys have done in a situation like that?

-Tim
__________________
www.windependence.org
Get your Windependence today!
Reply With Quote
#8, 18th May 2009
pik (Port Guard)
Join Date: May 2009
Posts: 12

Quote:
Originally Posted by There0
I do have a great howto with OpenBSD/OpenVPN/AuthPF if you really care to try (it's a bit dated), just tried uploading and could not, I can send them to you if you like, let me know.

Not sure about others, but I'm really keen to get a look at this guide if it's not too much trouble!

Cheers!
Reply With Quote
#9, 31st May 2009
Loki (Port Guard)
Join Date: Nov 2008
Location: Sydney
Posts: 11
Maybe there is trouble in store?

Quote:
Originally Posted by windependence
I dunno. I just set up OpenVPN for a local lumber company's sales force and we had to go to TCP because UDP wasn't stable enough. In this case I don't know how I would have implemented an ssh tunnel for them to access their desktops without making it difficult for them. What would you guys have done in a situation like that?

-Tim

http://sites.inka.de/~W1011/devel/tcp-tcp.html will give you an idea about why it isn't a good idea and will trigger some questions about why the TCP reliability didn't do the job as it is still TCP end-to-end in OpenVPN even when the tunnel is UDP.
Reply With Quote
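
The retransmission stacking raised in posts #5 and #9, as an added example that is not from any poster in this thread: a toy timer model in Python of one inner TCP segment sent through a tunnel that suffers a run of consecutive drops. Every timer value is a constructed assumption (fixed initial RTOs, pure exponential backoff, ACKs never lost), chosen only to show the mechanism.

```python
# Toy timer model of TCP-over-TCP retransmission stacking.
# All values are constructed for illustration (milliseconds), not measured.

def backoff_sum(rto, n):
    """Total time consumed by n timeouts when the RTO doubles each time."""
    return sum(rto * 2**i for i in range(n))

def timers_fired_before(deadline, rto):
    """How many backoff timers (rto, then 2*rto, ...) expire before deadline."""
    fired, expires = 0, rto
    while expires < deadline:
        fired += 1
        rto *= 2
        expires += rto
    return fired

def tcp_tunnel(drops, one_way=50, outer_rto=300, inner_rto=400):
    """Tunnel carried over TCP (ssh, or OpenVPN in TCP mode).
    The outer TCP turns `drops` consecutive losses into delay; every inner
    timer that fires meanwhile queues a duplicate the tunnel must also deliver."""
    ack_at = one_way + backoff_sum(outer_rto, drops) + one_way
    dup = timers_fired_before(ack_at, inner_rto)
    return {"ack_at": ack_at, "inner_retransmits": dup, "duplicates": dup}

def udp_tunnel(drops, one_way=50, inner_rto=400):
    """Tunnel carried over UDP: drops pass through, so the inner TCP is the
    only layer retransmitting and each retransmit replaces a real loss."""
    ack_at = backoff_sum(inner_rto, drops) + 2 * one_way
    return {"ack_at": ack_at, "inner_retransmits": drops, "duplicates": 0}

def compare(max_drops=5):
    """Rows of (drops, duplicates over TCP tunnel, duplicates over UDP tunnel)."""
    return [(d, tcp_tunnel(d)["duplicates"], udp_tunnel(d)["duplicates"])
            for d in range(max_drops + 1)]

if __name__ == "__main__":
    for drops, tcp_dup, udp_dup in compare():
        print(f"{drops} consecutive drops: {tcp_dup} duplicate(s) queued into "
              f"TCP tunnel, {udp_dup} into UDP tunnel")
```

In this model a single drop costs nothing extra, which matches the observation that the effect only shows on poor links; the duplicates appear once the outer timer has backed off past the inner one.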