Hi Grant,

On Tue, Feb 12, 2008 at 8:11 AM, Grant <[EMAIL PROTECTED]> wrote:
> > > I'm hoping to use the vpn in three few ways:
> > >
> > > 1. imap and smtp between my laptop and the mail server
> > > 2. ssh from my laptop to the remote server
> > > 3. cups printing from the remote server to the print server
> >
> > I don't think you need a VPN to SSH from your laptop to the remote
> > server -- SSH is already encrypted.
>
> For sure, but it seems like running SSH inside a VPN is better for
> security than running SSH on a non-standard port or even port
> knocking. If I need to set up a VPN for printing, shouldn't I use it
> for other stuff too? Maybe not, I have yet to actually use a VPN so
> please correct me if I'm wrong.

There are other ways to make SSH more "secure". For example, you could only enable PubkeyAuthentication while disabling all other methods of Authentication, then use a large (4096-bit?) key pair with a strong passphrase[1] and use keychain[2] so you don't have to type in the passphrase all the time. OK, I'm exaggerating a bit with those passwords from GRC, but you get the idea.

[1] https://www.grc.com/passwords.htm
[2] http://www.gentoo.org/proj/en/keychain/

Also keep in mind the added overhead with OpenVPN -- your encrypted SSH traffic is again encrypted by the VPN.

> > If your laptop is always behind your local firewall, then it should be
> > sufficient to have an OpenVPN tunnel established between your local
> > firewall/print server and your remote server. This should allow you to
> > print.
> >
> > Configuring the routes on your laptop to go through your local
> > firewall and VPN to the remote server should allow you to grab your
> > mail.
> >
> > If you move around with your laptop then you'll need to establish the
> > VPN tunnel to your remote server anytime you need to grab your mail
> > from anywhere else but home (behind your local firewall).
>
> Ah, tunnels, OK. I need to think in terms of tunnels. I'll
> definitely be moving around and won't be behind my local firewall too
> much of the time. Can I set up the openvpn server on my remote system
> and keep a tunnel open between it and the firewall/print server for
> printing, and also initiate a tunnel between the laptop and the remote
> system whenever I need to mail or SSH? Does that sound like a good
> plan?

Yep, that should work. With a 'permanent' tunnel established between your remote server and your local firewall/print server, you'll always have access to those too simply by connecting via VPN to your remote server. You can print from your laptop to your printer at home while overseas, for example.

Mike
--
gentoo-user@lists.gentoo.org mailing list
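
The pubkey-only sshd setup suggested in the message above can be verified rather than assumed. The following is an added example, not part of the original thread: a small checker that resolves the effective global authentication switches from sshd_config text, covering sshd's first-value-wins rule and its defaults. The function names and sample configs are constructed for illustration; Include files and Match blocks are not evaluated.

```python
# Added example. Assumptions: Include files not followed, Match blocks ignored.
# Upstream OpenSSH defaults for the switches checked here (sshd_config(5)).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "hostbasedauthentication": "no",
    "gssapiauthentication": "no",
}
# Older name for the keyboard-interactive switch, accepted as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_auth(config_text):
    """Return the effective global value of each authentication keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # global section ends at the first Match block
        if key in DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].lower())  # first value wins in sshd
    return {**DEFAULTS, **seen}


def audit_pubkey_only(config_text):
    """List findings; an empty list means only public-key auth is enabled."""
    eff = effective_auth(config_text)
    findings = []
    if eff["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is disabled")
    for key, value in sorted(eff.items()):
        if key != "pubkeyauthentication" and value != "no":
            findings.append(f"{key} is enabled ({value})")
    return findings


# Constructed sample configs, not taken from any real host.
WEAK = "PasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\n")

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_pubkey_only(text) or "pubkey only")
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, including Include files, and is the authoritative check.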