On Wed, 13 Feb 2008 08:19:48 -0800 Grant <[EMAIL PROTECTED]> wrote:

> > > > Even if you just want to encrypt some clear-text protocol that
> > > > doesn't have an encrypted equivalent, a vpn is still overkill.
> > > > For that you use ssh tunneling (which is essentially the same
> > > > thing as an encrypted version of a protocol). 'ssh -X' is the
> > > > classic example of easily tunneling a protocol that doesn't
> > > > have a native encrypted equivalent.
> > >
> > > I see what you're saying. Can tunneling through ssh be made
> > > automatic so that a cron job initiates a script that opens a
> > > tunnel between the remote server and local print server and pages
> > > are printed through the tunnel?
> >
> > Sure. ssh is just a process after all and in principle encapsulates
> > whatever gets put into it. All you need is a connection that isn't
> > firewalled out and an sshd that is listening to what is coming in.
> >
> > ssh will even port forward for you and can be made to transform any
> > tcp connection to appear to come from whatever port you want. What
> > you put inside the tunnel is up to you. If the print server won't
> > accept what is coming in, then google will find you any number of
> > apps that will mangle the traffic.
> >
> > > > Your statement "it seems like running SSH inside a VPN is better
> > > > for security than running SSH on a non-standard port" is
> > > > nonsensical. From a security and encryption perspective, ssh
> > > > and OpenVPN are exactly the same thing - stuff wrapped in an
> > > > encryption layer provided by ssl, complete with exactly the
> > > > same key setup should you choose to use that route.
> > >
> > > What about having ssh, imap, smtp, cups, and possibly a
> > > non-standard https port all hidden within a VPN? Should that be
> > > considered a benefit of running a VPN?
> >
> > I've filed the original post somewhere else and forgot the
> > scenario :-) Is this a setup you need to be present often or even
> > all the time? If so, you have 5 protocols in use, and setting up
> > tunnels could become cumbersome. You might consider that it's more
> > effort than it's worth and a VPN that is there and JustWorks(tm) is
> > preferable. I would call that a sensible use of a VPN :-)
> >
> > I don't think there's a golden rule about when using a VPN is right
> > or wrong. It's more like "do the advantages outweigh the hassle of
> > setting it up and maintaining it?". Sometimes this answer is
> > obvious, sometimes less so. Sometimes it's a judgement call.
>
> Thanks a lot for everyone's help. Here is a more to-the-point list of
> what I'd like to accomplish:
>
> 1. encrypt CUPS printouts between remote server and local print server
> 2. add an additional layer of security around SSH and CUPS on local
> firewall/print server
> 3. add an additional layer of security around SSH, IMAP, and
> non-standard port HTTPS on remote server
> 4. enable access to SMTP on remote server for me which is blocked by
> my local ISP
>
> It sounds like I have 3 choices:
>
> 1. VPN
> 2. SSH tunneling
> 3. Zebedee tunneling
>
> Would all 3 of these choices accomplish all 4 requirements? I would
> think SSH tunneling can't really add an additional layer around SSH.

Encrypted packets, encrypted? Why not?

> I'd like to have something I can leave up all the time so the services
> are always protected and I don't have to go through an extra step to
> use email or print from the remote server. Can all 3 of these be left
> up all the time? Is there any reason not to leave this type of
> functionality up all the time?

I don't use tunnels, but leave VPN up all the time.

> It sounds like VPN would be the most difficult to set up and maintain,
> followed by SSH tunneling, followed by Zebedee tunneling. Maybe I'm
> wrong though. With tunneling, would I need to set up 4 or 5 different
> tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
> using Zebedee)?

Tunnels aren't configured, but would probably have to be created at boot.
VPN is, I suppose, not super easy to configure. I will send you my config
files though if you want.

> To send me mail, mail servers need to connect to my remote server's
> SMTP right? Would setting up a tunnel or VPN for my SMTP access
> interfere with that?

Not if you tunnel through to the right ports - or in the case of a VPN, no.

-- 
gentoo-user@lists.gentoo.org mailing list
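The thread asks whether the ssh port forwards for CUPS, IMAP and SMTP can be started from a cron job and left up all the time. The script below is an added example, not code posted by anyone in the thread: it builds one `ssh -N` command carrying all the forwards, records the process id so a cron run can check whether the tunnel is still alive before starting another, and uses `ExitOnForwardFailure` and the ServerAlive options so a dead link is noticed rather than silently hanging. The hostname, user name, pid file path and local port numbers are assumptions chosen for illustration; the CUPS forward is a remote (`-R`) forward because it is the remote server that has to reach the local print server, while IMAP and SMTP submission are local (`-L`) forwards from the local box to the remote server. Server-to-server mail delivery to the remote host's port 25 is untouched by any of this, since the forwards only add listeners, they do not replace the existing ones.

```shell
#!/bin/sh
# Added example (not from the thread): keep one ssh session up that carries
# the CUPS, IMAP and SMTP forwards, suitable for running from cron.
# All names and ports below are assumptions for illustration.

REMOTE_USER="${REMOTE_USER:-grant}"                # hypothetical user
REMOTE_HOST="${REMOTE_HOST:-remote.example.org}"   # hypothetical host
PIDFILE="${PIDFILE:-/var/run/ssh-tunnel.pid}"      # assumed path

# One entry per service: KIND:listen_port:target_host:target_port
#   L = listen on the local box, deliver to the remote server (IMAP, SMTP submission)
#   R = listen on the remote server, deliver to the local print server (CUPS)
FORWARDS="L:1143:localhost:143 L:1587:localhost:587 R:6631:localhost:631"

build_ssh_args() {
    # Assemble the ssh option string: no remote command (-N), abort if any
    # forward cannot be bound, and detect a dead link within ~90 seconds.
    args="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    for f in $FORWARDS; do
        kind=${f%%:*}     # "L" or "R"
        spec=${f#*:}      # "listen_port:target_host:target_port"
        args="$args -$kind $spec"
    done
    printf '%s\n' "$args"
}

tunnel_is_up() {
    # True if the pid file names a process that still exists.
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

start_tunnel() {
    # Idempotent: cron can call this every few minutes without stacking sessions.
    tunnel_is_up && return 0
    # shellcheck disable=SC2046   # word splitting of the option string is intended
    ssh $(build_ssh_args) "$REMOTE_USER@$REMOTE_HOST" &
    echo $! > "$PIDFILE"
}

stop_tunnel() {
    tunnel_is_up || return 0
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

# Usage: ssh-tunnel.sh start|stop|status
# Example crontab line (assumed path):  */5 * * * * /usr/local/sbin/ssh-tunnel.sh start
case "${1:-}" in
    start)  start_tunnel ;;
    stop)   stop_tunnel ;;
    status) tunnel_is_up && echo "tunnel up" || echo "tunnel down" ;;
esac
```

Once the session is up, the remote CUPS server prints to `localhost:6631` (which lands on the local print server's port 631), and the local mail client talks to `localhost:1143` and `localhost:1587`, so the CUPS, IMAP and submission ports on the remote server can be firewalled from everything except the loopback interface.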