[CentOS] VPN suggestions centos 6, 7

Mon Apr 4 20:08:02 UTC 2016
Paul Heinlein <heinlein at madboa.com>

On Mon, 4 Apr 2016, david wrote:

> I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan 
> (and probably others I haven't noted).  I'd be interested in hearing 
> from anyone who wishes to comment about which to use, with the 
> following requirements:
>
> 1)  As noted, it should be secure (anti NSA?)
> 2)  Works on Centos 6 and Centos 7 and Windows 7 (and for the
>     future, Windows 10)
> 3)  Can be set up on the server with command line interfaces
>     only (no GUI)

OpenVPN can be all that. I say "can be" because you'll want to 
research how best to configure it. Done poorly, it won't be as secure 
as you want. Thankfully, there are a lot of blog posts and list 
threads to consult; it won't take more than a couple hours of reading 
to work out the base configuration.

> And, should not be a nightmare to set up.

This might be a problem. :-)

OpenVPN is designed to scale pretty well, but scaling it requires a 
decent knowledge of SSL infrastructure: creating, distributing, and 
revoking certificates. The Easy-RSA utility can ease the process, but 
using it securely takes time and reading.

A very small OpenVPN setup can be done with shared static key, but 
that approach has its own disadvantages (no PFS, all keys in plain 
text, no distribution mechanism).


In short, OpenVPN is an excellent toolset that can be made very secure 
-- and will manage much of the complexity for you -- but it requires a 
non-trivial amount of effort to configure correctly.

To paraphrase The Princess Bride: Security is pain. Anyone who says 
differently is selling something.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/