If you really need those ports open to the world then no, no gain there. I thought open SMTP was an internet no-no?
No use if I want to connect from, say, someone else's machine, or from an Internet Café.
Yes, that's what it's for. You don't need to restrict on IP address. You do need your private key, which for OpenVPN is in a tiny text file.
If my home desktop *wasn't* a web server and an ssh server then the above might be of use but as it is I don't see a lot of point.
Indeed it's very similar to ssh, just more flexible. You can set up ssh to tunnel all the ports you need, but with VPN you don't have to bother.
You still haven't told me what I can actually *do* from a remote machine connected to my VPN server. Having access to my home machine as if it was on a LAN with the remote machine doesn't really strike me as particularly useful, it's not as if I have a typical business environment with everyone sharing files on a server or anything like that.
If you don't need to access your remote machine then no you don't need a VPN. I use it rather than ssh because there's no need to tunnel ports, so e.g. my phone can easily see my samba shares, mediaserver, VNC desktops, access my smtp server... It can be done with ssh tunnelling but it's a bit more fiddly.
Neil
On 20/03/2014 18:43, Chris Green wrote:
On Thu, Mar 20, 2014 at 05:38:18PM +0000, Neil Sedger wrote:
Opening/forwarding ports is risky as anyone can discover them and run exploits against whatever is listening. Someone really clever/determined could snoop on any unencrypted traffic you might send.
Yes, but I have a number of ports open anyway (HTTP, SMTP, SSH) so I need to manage security on these anyway. Using a VPN won't remove the need for the other open ports so no gain there really.
With OpenVPN you open only one port which allows in only encrypted connections from trusted machines. Those machines can then freely do anything as if they were on your local LAN, no need to open/forward any more ports.
No use if I want to connect from, say, someone else's machine, or from an Internet Café. If my home desktop *wasn't* a web server and an ssh server then the above might be of use but as it is I don't see a lot of point.
So it's a good idea. We have to very much trust OpenVPN to do its job properly but better to trust one app than several.
For extra security have OpenVPN listen on - or forward on the router from - a random port rather than the default. But I had to edit its user key file to do that :-S
You still haven't told me what I can actually *do* from a remote machine connected to my VPN server. Having access to my home machine as if it was on a LAN with the remote machine doesn't really strike me as particularly useful, it's not as if I have a typical business environment with everyone sharing files on a server or anything like that.
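The setup Neil describes above (a single non-default UDP port on the router, only clients holding a key signed by your own CA admitted, and the home LAN route pushed so a phone can reach samba, VNC and the media server) as an added example; this is not configuration from the thread, and the port number, hostname, file paths and 192.168.1.0/24 LAN subnet are assumptions:

```conf
# ===== /etc/openvpn/server.conf (assumed path) =====
# The only port forwarded on the router; everything else stays closed.
port 41194
proto udp
dev tun

# Server identity plus the CA that issued every permitted client certificate.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem

# Pre-shared key wrapping the TLS handshake: packets without a valid HMAC are
# discarded before any TLS code runs, so a port scan gets no reply at all.
tls-crypt /etc/openvpn/ta.key

# Only clients presenting a certificate from our CA get past the handshake.
verify-client-cert require
remote-cert-tls client
tls-version-min 1.2
auth SHA256
data-ciphers AES-256-GCM:CHACHA20-POLY1305

# Client address pool; the pushed route is what makes the remote device
# "see" the home LAN as if it were plugged into it.
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# ===== phone.ovpn, the per-user profile that must be edited for the new port =====
client
dev tun
proto udp
remote home.example.net 41194 udp
remote-cert-tls server
tls-version-min 1.2
auth SHA256
ca ca.crt
cert phone.crt
key phone.key
tls-crypt ta.key
persist-key
persist-tun
verb 3
```

The two files are shown in one listing for readability; install them separately, and keep phone.key readable only by the client user, since possession of that file is what admits a device.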