I keep thinking that a VPN might be what I need, but then when I look at VPN documentation etc. I wonder whether it is what I need.
So, if I set up an OpenVPN server on my home desktop machine (which stays turned on all the time) and set up access for me as a client from my laptop, what does it mean that I could do that I can't do already? Or, maybe more to the point, what does it make it easier to do?
(Note that my home desktop is visible at a fixed IP address from the outside world and I can open up any additional ports through the firewall if necessary.)
Opening/forwarding ports is risky as anyone can discover them and run exploits against whatever is listening. Someone really clever/determined could snoop on any unencrypted traffic you might send.
With OpenVPN you open only one port which allows in only encrypted connections from trusted machines. Those machines can then freely do anything as if they were on your local LAN, no need to open/forward any more ports.
So it's a good idea. We have to very much trust OpenVPN to do its job properly but better to trust one app than several.
For extra security have OpenVPN listen on - or forward on the router from - a random port rather than the default. But I had to edit its user key file to do that :-S
Neil
On 20/03/2014 17:20, Chris Green wrote:
> I keep thinking that a VPN might be what I need, but then when I look at VPN documentation etc. I wonder whether it is what I need.
> So, if I set up an OpenVPN server on my home desktop machine (which stays turned on all the time) and set up access for me as a client from my laptop, what does it mean that I could do that I can't do already? Or, maybe more to the point, what does it make it easier to do?
> (Note that my home desktop is visible at a fixed IP address from the outside world and I can open up any additional ports through the firewall if necessary.)
On Thu, Mar 20, 2014 at 05:38:18PM +0000, Neil Sedger wrote:
> Opening/forwarding ports is risky as anyone can discover them and run exploits against whatever is listening. Someone really clever/determined could snoop on any unencrypted traffic you might send.
Yes, but I have a number of ports open anyway (HTTP, SMTP, SSH) so I need to manage security on these anyway. Using a VPN won't remove the need for the other open ports so no gain there really.
> With OpenVPN you open only one port which allows in only encrypted connections from trusted machines. Those machines can then freely do anything as if they were on your local LAN, no need to open/forward any more ports.
No use if I want to connect from, say, someone else's machine, or from an Internet Café. If my home desktop *wasn't* a web server and an ssh server then the above might be of use but as it is I don't see a lot of point.
> So it's a good idea. We have to very much trust OpenVPN to do its job properly but better to trust one app than several.
> For extra security have OpenVPN listen on - or forward on the router from - a random port rather than the default. But I had to edit its user key file to do that :-S
You still haven't told me what I can actually *do* from a remote machine connected to my VPN server. Having access to my home machine as if it was on a LAN with the remote machine doesn't really strike me as particularly useful, it's not as if I have a typical business environment with everyone sharing files on a server or anything like that.
If you really need those ports open to the world then no, no gain there. I thought open SMTP was an internet no-no?
> No use if I want to connect from, say, someone else's machine, or from an Internet Café.
Yes that's what it's for. You don't need to restrict on IP address. You do need your private key which for OpenVPN is in a tiny text file.
> If my home desktop *wasn't* a web server and an ssh server then the above might be of use but as it is I don't see a lot of point.
Indeed it's very similar to ssh, just more flexible. You can set up ssh to tunnel all ports you need but with VPN you don't have to bother.
> You still haven't told me what I can actually *do* from a remote machine connected to my VPN server. Having access to my home machine as if it was on a LAN with the remote machine doesn't really strike me as particularly useful, it's not as if I have a typical business environment with everyone sharing files on a server or anything like that.
If you don't need to access your remote machine then no you don't need a VPN. I use it rather than ssh because there's no need to tunnel ports, so e.g. my phone can easily see my samba shares, mediaserver, VNC desktops, access my smtp server... It can be done with ssh tunnelling but it's a bit more fiddly.
Neil
On 20/03/2014 18:43, Chris Green wrote:
> On Thu, Mar 20, 2014 at 05:38:18PM +0000, Neil Sedger wrote:
>> Opening/forwarding ports is risky as anyone can discover them and run exploits against whatever is listening. Someone really clever/determined could snoop on any unencrypted traffic you might send.
> Yes, but I have a number of ports open anyway (HTTP, SMTP, SSH) so I need to manage security on these anyway. Using a VPN won't remove the need for the other open ports so no gain there really.
>> With OpenVPN you open only one port which allows in only encrypted connections from trusted machines. Those machines can then freely do anything as if they were on your local LAN, no need to open/forward any more ports.
> No use if I want to connect from, say, someone else's machine, or from an Internet Café. If my home desktop *wasn't* a web server and an ssh server then the above might be of use but as it is I don't see a lot of point.
>> So it's a good idea. We have to very much trust OpenVPN to do its job properly but better to trust one app than several.
>> For extra security have OpenVPN listen on - or forward on the router from - a random port rather than the default. But I had to edit its user key file to do that :-S
> You still haven't told me what I can actually *do* from a remote machine connected to my VPN server. Having access to my home machine as if it was on a LAN with the remote machine doesn't really strike me as particularly useful, it's not as if I have a typical business environment with everyone sharing files on a server or anything like that.
On Sat, 22 Mar 2014 00:59:49 +0000 Neil Sedger alug@moley.org.uk allegedly wrote:
> If you don't need to access your remote machine then no you don't need a VPN. I use it rather than ssh because there's no need to tunnel ports, so e.g. my phone can easily see my samba shares, mediaserver, VNC desktops, access my smtp server... It can be done with ssh tunnelling but it's a bit more fiddly.
Intriguing. So you clearly trust your certificates to your 'phone (android or iOS?). Do you encrypt your 'phone? Are you sure that no app can lift your certificates? Do you use a passphrase with your certificates? And is that passphrase stored by your 'phone?
Paranoid of Tharston.
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
On Sat, Mar 22, 2014 at 10:40:50AM +0000, mick wrote:
> On Sat, 22 Mar 2014 00:59:49 +0000 Neil Sedger alug@moley.org.uk allegedly wrote:
>> If you don't need to access your remote machine then no you don't need a VPN. I use it rather than ssh because there's no need to tunnel ports, so e.g. my phone can easily see my samba shares, mediaserver, VNC desktops, access my smtp server... It can be done with ssh tunnelling but it's a bit more fiddly.
> Intriguing. So you clearly trust your certificates to your 'phone (android or iOS?). Do you encrypt your 'phone? Are you sure that no app can lift your certificates? Do you use a passphrase with your certificates? And is that passphrase stored by your 'phone?
That's always been my fear with public-key security, it would be only too easy to leave lap-top, tablet, phone set up to connect (e.g. pass phrase in ssh-agent) and thus allow someone else access.
I do use public-key but only for outgoing connections from my desktop machine to [relatively] unimportant systems out there on the internet, having the pass phrase the same as my login password means it's all passwordless once I've logged in to my desktop.
For incoming connections (ssh) to my desktop I use password authentication but only allow it from two specified IP addresses which are hosting accounts with ssh access. So to connect from some remote location I ssh to my hosting account and then ssh from there to my desktop.
Passphrase which is not stored by phone.
Maybe I should get one of those RSA dongles with the changing code... I expect the server isn't open source though :-)
Neil
On 22/03/2014 10:40, mick wrote:
> On Sat, 22 Mar 2014 00:59:49 +0000 Neil Sedger alug@moley.org.uk allegedly wrote:
>> If you don't need to access your remote machine then no you don't need a VPN. I use it rather than ssh because there's no need to tunnel ports, so e.g. my phone can easily see my samba shares, mediaserver, VNC desktops, access my smtp server... It can be done with ssh tunnelling but it's a bit more fiddly.
> Intriguing. So you clearly trust your certificates to your 'phone (android or iOS?). Do you encrypt your 'phone? Are you sure that no app can lift your certificates? Do you use a passphrase with your certificates? And is that passphrase stored by your 'phone?
> Paranoid of Tharston.
On 22/03/14 00:59, Neil Sedger wrote:
> If you don't need to access your remote machine then no you don't need a VPN.
Well it depends on the context, Chris. I think your request would have made more sense within the context of the last thread?
I use my home VPN not necessarily to gain access to resources at home but to tunnel my internet connection via my home gateway. This gets me around the ssh problem I have also encountered (as per the last thread) and means that if I use any unencrypted protocols then I am somewhat protected from snooping at the internet cafe end, or on larger wifi networks there have been reported issues with MitM attacks, which if you aren't paying attention could catch you out.
It also sometimes manages to bypass some of the captive payment portals but that's another story :-)
It does also mean that if I wanted to access resources at home then I don't have to expose them directly to the public internet, so I only have to worry about one easy to monitor and manage thing being compromised.
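An added example (not from this thread or from the OpenVPN project) that lints a profile for the points raised above: Neil's non-default port and key file, Mick's question about a passphrase on the certificate carried on the phone, and Wayne's routing of all traffic via the home gateway. The directive names (port, tls-auth, tls-crypt, auth-user-pass, redirect-gateway, the inline key block) are real OpenVPN directives; the sample profile and its key block are constructed placeholders.

```python
# Added example (not from the thread or OpenVPN); sample profile is constructed, directive names are real.
import re
SAMPLE_SERVER = """\
port 1194
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END PRIVATE KEY-----
</key>
"""

def parse_config(text):
    """Return (directives, blocks): [(name, args)] and {tag: inline body}."""
    directives, blocks, tag, body = [], {}, None, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '#' comments and whitespace
        if not line:
            continue
        if tag is None:
            m = re.fullmatch(r"<([\w-]+)>", line)  # start of <key>, <tls-auth>, ...
            if m:
                tag, body = m.group(1), []
            else:
                name, *args = line.split()
                directives.append((name, args))
        elif line == f"</{tag}>":
            blocks[tag], tag = "\n".join(body), None
        else:
            body.append(line)
    return directives, blocks

def check_openvpn(text, is_client=False):
    """Return findings as short strings; an empty list means nothing flagged."""
    directives, blocks = parse_config(text)
    present = {n for n, _ in directives} | set(blocks)
    findings = []
    port = next((a[0] for n, a in directives if n == "port" and a), "1194")
    if not is_client and port == "1194":  # no 'port' line means the default
        findings.append("listening on default port 1194")
    if not present & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: unkeyed packets reach the TLS stack")
    key = blocks.get("key", "")
    if key and "ENCRYPTED" not in key:  # PEM header of a passphrase-protected key
        findings.append("inline private key has no passphrase")
    if any(n == "auth-user-pass" and a for n, a in directives):
        findings.append("username/password kept in a file on the device")
    if is_client and "redirect-gateway" not in present:
        findings.append("client does not send all traffic through the tunnel")
    return findings
```

Run it against a real server.conf or client .ovpn to see which of the thread's points it already satisfies.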
On Sat, Mar 22, 2014 at 12:19:12PM +0000, Wayne Stallwood wrote:
> On 22/03/14 00:59, Neil Sedger wrote:
>> If you don't need to access your remote machine then no you don't need a VPN.
> Well it depends on the context, Chris. I think your request would have made more sense within the context of the last thread?
> I use my home VPN not necessarily to gain access to resources at home but to tunnel my internet connection via my home gateway. This gets me around the ssh problem I have also encountered (as per the last thread) and means that if I use any unencrypted protocols then I am somewhat protected from snooping at the internet cafe end, or on larger wifi networks there have been reported issues with MitM attacks, which if you aren't paying attention could catch you out.
So you connect (say) your laptop 'out there' to your home VPN and then access other resources in the internet 'from' the VPN. I can't really think of anything I do that would fit into that set-up. Do you access the web via this route? I must admit I do simply connect to the web directly from my laptop or tablet, I very rarely use internet cafés, last time was several years ago.
> It also sometimes manages to bypass some of the captive payment portals but that's another story :-)
> It does also mean that if I wanted to access resources at home then I don't have to expose them directly to the public internet, so I only have to worry about one easy to monitor and manage thing being compromised.
Yes, I can understand that, though again I can't actually think of much that I do along these lines. What source of 'resources' at home do you access this way? All of my resources tend to be text files which can be looked at via ssh in a terminal window.
On 22/03/14 00:59, Neil Sedger wrote:
> I thought open SMTP was an internet no-no?
Well open relay SMTP is a no-no. But opening SMTP itself to the internet is kinda a prerequisite to getting email if you run your own mail servers :)
On Sat, Mar 22, 2014 at 12:22:19PM +0000, Wayne Stallwood wrote:
> On 22/03/14 00:59, Neil Sedger wrote:
>> I thought open SMTP was an internet no-no?
> Well open relay SMTP is a no-no. But opening SMTP itself to the internet is kinda a prerequisite to getting email if you run your own mail servers :)
Which is exactly what I'm doing, running Postfix which is supposedly reasonably secure.
On Sat, Mar 22, 2014 at 12:59:49AM +0000, Neil Sedger wrote:
> If you really need those ports open to the world then no, no gain there. I thought open SMTP was an internet no-no?
>> No use if I want to connect from, say, someone else's machine, or from an Internet Café.
> Yes that's what it's for. You don't need to restrict on IP address. You do need your private key which for OpenVPN is in a tiny text file.
>> If my home desktop *wasn't* a web server and an ssh server then the above might be of use but as it is I don't see a lot of point.
> Indeed it's very similar to ssh, just more flexible. You can set up ssh to tunnel all ports you need but with VPN you don't have to bother.
>> You still haven't told me what I can actually *do* from a remote machine connected to my VPN server. Having access to my home machine as if it was on a LAN with the remote machine doesn't really strike me as particularly useful, it's not as if I have a typical business environment with everyone sharing files on a server or anything like that.
> If you don't need to access your remote machine then no you don't need a VPN. I use it rather than ssh because there's no need to tunnel ports, so e.g. my phone can easily see my samba shares, mediaserver, VNC desktops, access my smtp server... It can be done with ssh tunnelling but it's a bit more fiddly.
OK, thanks, you've at least confirmed what the VPN can do for me. I've only one use for ssh tunnelling (a reverse connection back to an 'unmanned' remote machine behind firewall/NAT) so I'm not sure that VPN really does anything very useful for me.