Thanks David & Jan for the kind and informative responses. It might be true, but I feel it would be a pity if one had to be so well versed in networking to set up a VPN to help (what I feel the situation is, irrespective of whether it's true or not ;)) the 50-70% of users who really want a rather modest solution to a problem shared by others.
I'll retreat into the shadows again after this, but I did want to share at least my own perspective. I'm not a great one for RTFM when confronted with a few hundred pages of docs, but I've been studying packets and configuring routers and doing network security architecture for over 20 years, and I for one found it hard, not conceptually, but… I've always felt that there was something I was missing. Maybe that something is in the docs, lol. Or perhaps the GUI, since I'm rather pixel-phobic, I may well have missed some key points. Upon further reflection I think that some of the configuration terminology is part of my own issues… I'm not even sure why words like "local" and "remote" are in there vs. "client" and "server", and don't get me started on tun & tap (what's wrong with the words layer 2 and layer 3?), but perhaps they were there back when openvpn was started, I honestly don't know. Again, it's all starting to sink in for me personally, but it's been a rough road. I think also that, coming from the minimalist unix-y background, I yearn for the smaller lighter programs that plug in or pipe together, and I suppose my own biases are to look at something with 269 options (at least, so egrep sez!) with deep suspicion and at times confusion. It's not that they don't all belong in a framework, but one program…? Anyway, thanks again, and I *am* using openvpn, so thanks for not taking my critique as a failing on the great devs and folks working on the problem. But I'll still vote for more auto-negotiation and ease of use vs. more functionality :) As I get older I treasure software and systems that just work more and more, *especially* the complex ones. My 2 cents! 
dan

On Aug 6, 2013, at 3:10 AM, Jan Just Keijser <[email protected]> wrote:

> Hi David,
>
> nice answer, David, and thanks for promoting the book ;)
>
> Your basic points are correct, of course:
> - networking is hard
> - security is hard
>
> Configuring openvpn can be daunting at first, but it is not nearly as bad as
> configuring PPTP, or - GASP! - IPSec+L2TP.
> Documentation can help, of course, but to do things right will always
> require work.
> Also, each setup is unique: there are some default setups, of course,
> most/some of which are covered in my cookbook, but after answering a lot of
> questions on the mailing list and forums I've found that each networking
> setup is unique and openvpn needs to be adjusted for it. I've always found
> the flexibility of openvpn its true power - but with great power
> (flexibility) comes great responsibility (about documenting things).
>
> Dan also has a point however: we should watch out for introducing new
> features that nobody really understands how to use or why you would use them
> - the docs should be kept up to par with the features. My cookbook, for
> example, does not cover any of the features found in 2.3 like IPv6 - I hope I
> can write an update in the near future. I was and am hoping that an
> auto-negotiate feature would improve the usability of openvpn - if you can
> negotiate and/or push more settings from the server to the clients then the
> client configs can be as simple as possible, which should reduce complexity.
>
> JM2CW,
>
> JJK
>
>
> David Sommerseth wrote:
>> On 05/08/13 19:52, dan farmer wrote:
>>
>>> To start with - I really, really appreciate the work that's gone into the
>>> program. I've released stuff myself, and it's not an easy process,
>>> especially for something as complex and with so much functionality as
>>> openvpn. I get that.
>>>
>>> But from a user's perspective - anything that can make the horror known as
>>> openvpn configuration easier would improve openvpn's adoption considerably.
>>>
>>> Here's a true tale. I'm writing a little thing to use openvpn. I'd like
>>> to think I know networks a bit - more on the theory at times than
>>> implementation, but whatever.
>>>
>>> OpenVPN ranks up there with pgp and openssh for the most fucked up and
>>> mysterious configurations I've ever seen (it is not a coincidence that
>>> they're all crypto programs, I believe.) It is legendary among
>>> non-openvpn people to be ridiculously difficult. I'm actually pretty
>>> sure that if one is an openvpn person who knows what you're doing it's
>>> not that bad, or even makes some internal sense. But I'd wager that
>>> high-ninety% of your user base doesn't fall into that camp. Well, of
>>> your potential user base, that is, most don't get that far.
>>>
>>> I am not saying this to say "everything is fuxx3d up" or something. I'm
>>> telling you because it took me a couple of days to get even the most
>>> basic thing really working on a not-terribly-complex setup. And while I
>>> understand the conceptual matters of your program, honestly, I fear to
>>> set it up, and have little faith that even if I get it running it'll do
>>> what I want it to.
>>>
>>> I'm not even complaining for myself - I'm a big guy, I can take care of
>>> myself, and take it or leave it - but for others…..
>>>
>>
>> [...snip...]
>>
>> The documentation to OpenVPN might feel daunting, but it really isn't
>> that bad if you just get started on the easy paths. And if you really
>> want a hand-held guide through setting up OpenVPN ... go grab this book:
>>
>> <http://www.packtpub.com/openvpn-2-cookbook/book>
>>
>> I'm not aiming this message against you, Dan, so please don't take it as
>> a personal attack of any kind.
>>
>> The biggest problem, from my experience, isn't that people don't
>> understand the official docs. But they use external sources for setting
>> up OpenVPN, like random blog or forum posts on sites not controlled by
>> the OpenVPN community at all. And really, in 99% of all those posts,
>> they contradict each other or basically recommend completely clueless
>> setups which are just plain wrong. Why? Because these writers often
>> don't understand NETWORKING at all.
>>
>> First of all, if you want to set up any kind of VPN, you NEED to
>> understand basic networking. If your network experience is based on
>> setting up a home router and you got it working, then you know NOTHING
>> about networking. Go read about how TCP/IP functions and at minimum
>> learn the BASIC ROUTING. Without that, you're going to get lost.
>>
>> Next, OpenVPN configurations are basically 2 parts. It's the security
>> part, which involves setting up security parameters (ciphers, keys, etc)
>> and which host to connect to. The other part is NETWORK ROUTING. No
>> matter what kind of VPN setup you configure, you must understand
>> routing. Then there are the more advanced parts, such as firewalling,
>> MTU, fragmentation, and similar topics.
>>
>> Most people I've met on #openvpn, in this mailing list and those times
>> I've looked at our forum, they struggle with the latter. Almost
>> everyone manages to set up and configure OpenVPN server and clients and
>> make them connect without much help at all (when having issues, it's
>> mostly related to PKI setups). They usually show up when their brand
>> new OpenVPN setup doesn't pass traffic through their OpenVPN server or
>> client. Which really makes me repeat what I've said in the two past
>> paragraphs: To set up a VPN you MUST UNDERSTAND BASIC NETWORK ROUTING. You
>> say "bridging"? I'll repeat: NETWORK ROUTING. Really!
>>
>> And many of those who begin to struggle seek help in various wikis,
>> blogs and whatever else they find. But the *minority* of these sources
>> explain things correctly. I think I've seen just a handful of those
>> thousands of blogs which really make sense. Unfortunately, I've not
>> indexed the good sources.
>>
>> At the end, I'll provide a few pointers which hopefully can help people
>> solve their issues.
>>
>> * Learn about TCP/IP networking, read especially chapter 3.1 in this
>> book: <http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf>. I'll
>> repeat: You MUST know how network traffic travels between hosts and routers.
>>
>> * Then first configure a very simple OpenVPN setup, based on this HOWTO:
>> <http://openvpn.net/index.php/open-source/documentation/miscellaneous/static-key-mini-howto.html>
>>
>> Go through this one, step by step.
>>
>> * Use the man page as a companion and read about what each option used
>> above does:
>> <https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage>
>>
>> * Extend the configuration above with a PKI setup (enhanced security):
>> <http://openvpn.net/index.php/open-source/documentation/howto.html#pki>
>>
>> * Set up a reasonable routed network configuration with firewalling,
>> based on this one:
>> <https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting>
>>
>>
>> By going through these steps, I believe most users should be able to set
>> up a working VPN.
>>
>> But it's a lot to learn, if you haven't done this before. There are no
>> shortcuts into setting up a VPN. You simply must learn these basic
>> steps. The cookbook I mentioned in the beginning might make things
>> easier to get started, but you still need to do some learning; at least
>> when things don't work as expected.
>>
>>
>

_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
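Editor's note: the quoted message above splits an OpenVPN setup into a "security part" and a "routing part", and says most people get the first one working and then fail on the second. The following is an added example, not code from the thread, the OpenVPN project or its docs. It is the routed-tun, PKI-based pair of configs that the static-key mini-HOWTO and the PKI HOWTO linked above lead to, followed by the host-side routing and firewall commands that the configs alone do not do for you. Addresses (10.8.0.0/24 tunnel, 192.168.1.0/24 office LAN, server LAN address 192.168.1.10), the hostname vpn.example.com, the interface names tun0/eth0 and the file names are all assumptions for the illustration.

```text
# ======================= server.conf (Linux server, assumed) =======================
# --- security part: who may connect, and how the tunnel is protected ---
port 1194
proto udp
dev tun                       # layer 3 (routed); "dev tap" would be layer 2 (bridged)

ca   ca.crt                   # PKI instead of a single shared static key:
cert server.crt               # every client gets its own cert, so one lost
key  server.key               # laptop is revoked with a CRL, not a rekey of everyone
dh   dh2048.pem
tls-auth ta.key 0             # HMAC check on the control channel; unsigned packets
                              # are dropped before any TLS/X.509 code runs
cipher AES-256-CBC
auth   SHA256

# --- routing part: what addresses exist and who needs to reach what ---
server 10.8.0.0 255.255.255.0             # tunnel subnet; server takes 10.8.0.1
topology subnet
push "route 192.168.1.0 255.255.255.0"    # tell clients: office LAN lives behind me
keepalive 10 120
persist-key
persist-tun
user  nobody                              # drop privileges once the tun is up
group nogroup
verb 3

# ======================= client.conf (client1, assumed) =======================
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
remote-cert-tls server        # refuse a peer whose cert is a *client* cert, even if
                              # it is signed by our CA (stops a rogue client posing
                              # as the server)
ca   ca.crt
cert client1.crt
key  client1.key
tls-auth ta.key 1
cipher AES-256-CBC            # must match the server until ciphers are negotiated
auth   SHA256
verb 3

# ======================= routing part, OUTSIDE the OpenVPN configs =======================
# Run on the server host (root). Without these the tunnel comes up, the client
# gets 10.8.0.x, and nothing behind the server answers; this is the "it connects
# but passes no traffic" case from the message above.

# 1. The server must forward packets between tun0 and eth0.
sysctl -w net.ipv4.ip_forward=1

# 2. The firewall must let the VPN in and let forwarded traffic through.
iptables -A INPUT   -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# 3. The RETURN path. LAN hosts have no idea where 10.8.0.0/24 is, so their
#    replies go to the default gateway and die. Either option fixes it:
#    (a) on the office router, route the tunnel subnet back to the VPN server:
#        ip route add 10.8.0.0/24 via 192.168.1.10
#    (b) or, if you cannot touch the router, hide the clients behind the server:
#        iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#    (a) keeps the real client address visible in LAN logs and firewall rules;
#    (b) does not, so prefer (a) when you control the router.

# Checks, in order: the client should see the pushed route, then reach the LAN.
#   client:  ip route get 192.168.1.50        -> "via 10.8.0.1 dev tun0"
#   server:  tcpdump -ni tun0 icmp            -> echo request AND reply visible
#   if only the request is visible on tun0, the problem is step 3 (return route).
```

The split matters for debugging: if `openvpn --config client.conf` logs "Initialization Sequence Completed" the security part is done, and every remaining symptom is a routing, forwarding or firewall question on one of the hosts, not an OpenVPN option.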
