[CentOS] Optimal VPN

Wed Nov 24 21:34:56 UTC 2010
Nataraj <incoming-centos at rjl.com>

tony.chamberlain at lemko.com wrote:
> I am looking for the optimal VPN. Well it doesn't have to be that elaborate.
> Just the best VPN. We currently have some customers using PPTP, some using
> openvpn, some using Cisco Any Connect and there are a few others.
>
> So my question is, if you have control of both ends (client and server)
> what is the best VPN to use? There are not too many requirements, but a
> big one is
>
> The VPN must return the same IP address to the same user each time
>
> That is there must be a specific IP address assigned to a user/password
> combination. pptp does not really do this but I wrote sort of a backend
> (or maybe frontend? ;-) ) to change the IP address assigned based on a
> login and password. It is extra stuff I would prefer not to do though.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>   
My sense is that openvpn is the easiest to configure, the most robust 
and fault tolerant, as far as keeping connections up and reestablishing 
failed connections.  The downside of openvpn is incompatibility with 
most mobile devices, not relevant if you are able to install openvpn 
clients.  You can configure fixed IP addresses using either the ccd 
files or the client-connect script.

Based on other discussions on the list my recollection is that IPSEC 
provides better performance if you need GigE or better data rates on 
your VPNs.  My sense is that IPSEC may be more difficult to configure 
and less robust at keeping connections up, but this has probably 
improved in recent years.

The main advantage to pptp that I see is compatibility with mobile 
devices.  A disadvantage of PPTP, as far as I know, is that it cannot easily be 
tunneled through something like a linux firewall because it uses 
non-standard protocol packets (not TCP/UDP).

Both OPENVPN and IPSEC can easily be tunneled through most firewalls.

Though I have not researched this extensively, just based on watching the 
list of security updates that get released for CentOS, Fedora etc., it 
seems that OPENVPN has had very few security issues.  I have definitely 
seen a few for strongswan and openswan (both are IPSEC 
implementations).  Again this is just gut feeling, not the result of any 
investigation.  I do note though that OPENVPN runs easily in a chroot 
environment, just by enabling options in the config file.  I'm not sure 
if openswan or strongswan can do this.

Nataraj
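The reply above mentions two OpenVPN mechanisms for handing the same client the same address every time (ccd files or a client-connect script) and running the daemon in a chroot. The script below is an added example, not something posted to the list or shipped by OpenVPN: a `--client-connect` script that pins each authenticated identity to a fixed tunnel address and refuses anyone not in the table. The names and addresses in the table are constructed for illustration; `lookup_addr` and `build_client_config` are helpers introduced here, not OpenVPN API.

```shell
#!/bin/sh
# Added example (not from the list post): an OpenVPN --client-connect script
# that pins each authenticated client to a fixed tunnel address.
#
# OpenVPN runs the script as:  script <tmp-config-file>
# with the authenticated identity in the environment variable $common_name
# (the certificate CN, or the username when --username-as-common-name is set).
# Directives written into <tmp-config-file> are applied to that client only,
# so one "ifconfig-push" line is enough. A non-zero exit refuses the client.
#
# The address table below is constructed for illustration. In production keep
# it in a file that is readable inside the chroot and by the --user account.

# lookup_addr NAME -> prints "ADDR NETMASK" (for "topology subnet") or fails
lookup_addr() {
    case "$1" in
        alice)  echo "10.8.0.10 255.255.255.0" ;;
        bob)    echo "10.8.0.11 255.255.255.0" ;;
        *)      return 1 ;;
    esac
}

# build_client_config NAME OUTFILE -> writes the per-client directives.
# Returns 1 and writes nothing for an unknown or malformed name, so OpenVPN
# rejects the client instead of handing it an address from the pool.
build_client_config() {
    name=$1
    out=$2
    # The CN is attacker-chosen text: allow only a conservative character set
    # before it is ever used as a lookup key (or, in a ccd setup, a file name).
    case "$name" in
        ""|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    addr=$(lookup_addr "$name") || return 1
    # Split "ADDR NETMASK" into the function's positional parameters.
    # shellcheck disable=SC2086
    set -- $addr
    printf 'ifconfig-push %s %s\n' "$1" "$2" > "$out"
}

# Entry point when invoked by OpenVPN: $1 is the temp config file and
# $common_name is set. Sourcing the file for testing leaves this untouched.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    build_client_config "$common_name" "$1" || exit 1
fi
```

Server-side this needs `script-security 2` and `client-connect /path/to/script.sh`; the ccd alternative the reply mentions is `client-config-dir ccd` with a file `ccd/alice` holding the same `ifconfig-push` line, plus `ccd-exclusive` so clients without a file are refused rather than given a pool address. Either way the address is bound to the authenticated identity (certificate CN, or username via `--username-as-common-name`), not to a password the client typed. The chroot options referred to are `chroot`, `user`, `group`, `persist-key` and `persist-tun`; because the connect script runs after the chroot is in place (check the `--chroot` entry in the openvpn man page for the exact ordering in your version), the script, the shell it needs and its address table must exist under the chroot directory and be readable by the unprivileged `--user` account.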