[CentOS] VPN suggestions centos 6, 7
heinlein at madboa.com
Mon Apr 4 20:08:02 UTC 2016

On Mon, 4 Apr 2016, david wrote:

> I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan
> (and probably others I haven't noted). I'd be interested in hearing
> from anyone who wishes to comment about which to use, with the
> following requirements:
> 1) As noted, it should be secure (anti NSA?)
> 2) Works on Centos 6 and Centos 7 and Windows 7 (and for the
> future, Windows 10)
> 3) Can be set up on the server with command line interfaces
> only (no GUI)

OpenVPN can be all that. I say "can be" because you'll want to
research how best to configure it. Done poorly, it won't be as secure
as you want. Thankfully, there are a lot of blog posts and list
threads to consult; it won't take more than a couple hours of reading
to work out the base configuration.

> And, should not be a nightmare to set up.

This might be a problem. :-)

OpenVPN is designed to scale pretty well, but scaling it requires a
decent knowledge of SSL infrastructure: creating, distributing, and
revoking certificates. The Easy-RSA utility can ease the process, but
using it securely takes time and reading.

A very small OpenVPN setup can be done with shared static key, but
that approach has its own disadvantages (no PFS, all keys in plain
text, no distribution mechanism).

In short, OpenVPN is an excellent toolset that can be made very secure
-- and will manage much of the complexity for you -- but it requires a
non-trivial amount of effort to configure correctly.

To paraphrase The Princess Bride: Security is pain. Anyone who says
differently is selling something.

Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
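
The message above contrasts static-key setups with certificate-based ones. The following is an added example, not part of the original post or of the OpenVPN project: a small config audit that flags static-key mode and a server without revocation checking. The sample configs and file names in it are constructed for illustration.

```python
# Added example: constructed sample configs, not taken from the post.
STATIC_KEY_CONF = """\
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
"""
PKI_SERVER_CONF = """\
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
crl-verify crl.pem
"""

def parse_directives(text):
    """Map each directive (or inline <tag> block) to its list of argument lists."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # skip body of <secret>...</secret> etc.
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":     # OpenVPN comment markers
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            found.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found

def audit(text):
    """Return findings for the weaknesses the post names."""
    d, findings = parse_directives(text), []
    if "secret" in d:
        return ["static-key mode: no PFS, one plain-text key shared by all peers"]
    if "pkcs12" not in d:
        findings += [f"TLS mode needs '{n}'" for n in ("ca", "cert", "key") if n not in d]
    if "server" in d and "crl-verify" not in d:
        findings.append("server lacks crl-verify: certificate revocation is not enforced")
    return findings

if __name__ == "__main__":
    for label, conf in (("static", STATIC_KEY_CONF), ("pki", PKI_SERVER_CONF)):
        print(label, audit(conf) or "no findings")
```
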