On 13/10/11 18:38, Daniel Baumann wrote:
> On 10/13/2011 05:22 PM, Daniel Pocock wrote:
>> which type of VPN is most appropriate and easy to set up with Debian Live?
>
> regarding 'appropriate': i personally would probably go with ipsec if the
> image would be for me only, however, simple ssh tunnel looks like the
> better generic/compatible solution.

IPsec is good, but it entails virtual IP allocation, etc.

As the Debian Live media is portable (and easily lost or stolen), the server needs to heavily filter any IP traffic from the Live host. This could be done using a custom updown script with strongSwan (just using leftfirewall=yes allows all IP traffic through the tunnel).

ssh is the opposite, it only does the port forwarding that is explicitly requested - but ssh is not `always up' in the way IPsec is. Something needs to start it and make sure it stays running. inittab and cron jobs come to mind.

In both cases (IPsec or ssh), some kind of cert or key pair needs to be installed in the ISO image. Can you make any comment on how key generation (and maybe even a CSR workflow) could or should be integrated in the live-build workflow? It occurred to me that

- it may be useful to have some convenient way of making a series of discs where each one has a distinct key or cert, but otherwise identical content,

- and also, several apps on the disc may want to share in a single cert (e.g. in addition to the VPN, some HTTP client code may want to use the same cert for authenticating itself)

> regarding 'easy': wrt/ debian-live, it's all the same.
>

I agree - I've built 4 images already, every one of them worked immediately and with minimal effort
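
The server-side filtering mentioned in this message, sketched as an added example (not part of the original post and not strongSwan's own script): a custom updown hook that admits only an allow-list of services from the Live client's virtual IP. The script path, the allow-list addresses and the assumption that the server's connection triggers `up-client`/`down-client` events are illustrative.

```shell
#!/bin/sh
# Added example: restrictive updown hook for the VPN server (not from the thread).
# Assumed wiring in ipsec.conf: leftupdown=/etc/ipsec.d/live-updown.sh
# (hypothetical path), used in place of leftfirewall=yes.

# Constructed allow-list of "proto:host:port" services the Live client may reach.
ALLOWED="${ALLOWED:-tcp:10.0.0.10:443 tcp:10.0.0.20:22}"

# Print the iptables commands for one event.
#   $1 = PLUTO_VERB, $2 = PLUTO_PEER_CLIENT (the client's virtual IP/mask)
build_rules() {
    case "$1" in
        up-client)   op=-I ;;
        down-client) op=-D ;;
        *) return 0 ;;            # ignore host and IPv6 events
    esac
    # Only digits, dots and a slash may reach the command line.
    case "$2" in
        ''|*[!0-9./]*) echo "refusing peer client '$2'" >&2; return 1 ;;
    esac
    # Inserted first so it ends up below the ACCEPT rules inserted after it.
    echo "iptables $op FORWARD -s $2 -j DROP"
    echo "iptables $op FORWARD -d $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for svc in $ALLOWED; do
        proto=${svc%%:*}; rest=${svc#*:}
        echo "iptables $op FORWARD -s $2 -d ${rest%%:*} -p $proto --dport ${rest#*:}" \
             "-m policy --dir in --pol ipsec -j ACCEPT"
    done
}

# strongSwan sets PLUTO_VERB when it calls the script; apply the rules then.
if [ -n "${PLUTO_VERB:-}" ]; then
    build_rules "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}" | while read -r cmd; do
        $cmd || exit 1
    done
fi
```

Anything from the client's virtual IP that is not on the allow-list hits the DROP rule, so a lost or stolen disc can reach only the listed services until its certificate or key is revoked.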