On Mon, 4 Apr 2016, david wrote:
> I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan
> (and probably others I haven't noted). I'd be interested in hearing
> from anyone who wishes to comment about which to use, with the
> following requirements:
> 1) As noted, it should be secure (anti NSA?)
> 2) Works on Centos 6 and Centos 7 and Windows 7 (and for the
> future, Windows 10)
> 3) Can be set up on the server with command line interfaces
> only (no GUI)

OpenVPN can be all that. I say "can be" because you'll want to
research how best to configure it. Done poorly, it won't be as secure
as you want. Thankfully, there are a lot of blog posts and list
threads to consult; it won't take more than a couple hours of reading
to work out the base configuration.

> And, should not be a nightmare to set up.

This might be a problem. :-)
OpenVPN is designed to scale pretty well, but scaling it requires a
decent knowledge of SSL infrastructure: creating, distributing, and
revoking certificates. The Easy-RSA utility can ease the process, but
using it securely takes time and reading.
A very small OpenVPN setup can be done with shared static key, but
that approach has its own disadvantages (no PFS, all keys in plain
text, no distribution mechanism).
In short, OpenVPN is an excellent toolset that can be made very secure
-- and will manage much of the complexity for you -- but it requires a
non-trivial amount of effort to configure correctly.
To paraphrase The Princess Bride: Security is pain. Anyone who says
differently is selling something.
--
Paul Heinlein <> heinlein@xxxxxxxxxx <> http://www.madboa.com/
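
As an added illustration that is not part of the original message: a small Python check of an OpenVPN config file for the two setups the reply describes, static-key mode and a certificate setup with no revocation check. The sample configs and finding codes are constructed for this example; the directives (`secret`, `ca`, `server`, `client`, `crl-verify`, `remote-cert-tls`, `verify-x509-name`) are standard OpenVPN options, and the client-side server-certificate check goes one step beyond what the message covers.

```python
import shlex

# Constructed sample configs, not taken from the thread.
STATIC_KEY_CONF = """\
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key   # pre-shared key file
"""
PKI_SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
"""

def parse_directives(text):
    """Map each OpenVPN directive to its argument list, skipping comments."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # inside an inline block such as <ca> ... </ca>
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            found[inline] = ["[inline]"]
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            found[tokens[0]] = tokens[1:]
    return found

def audit(text):
    """Return (code, message) findings for one config file."""
    d = parse_directives(text)
    # 'server' and 'client' are helper directives that imply TLS mode.
    tls = any(k in d for k in ("server", "client", "tls-server", "tls-client", "ca"))
    out = []
    if "secret" in d and not tls:
        out.append(("STATIC_KEY", "shared static key: no PFS, key stored in plain text"))
    if tls and ("server" in d or "tls-server" in d) and "crl-verify" not in d:
        out.append(("NO_CRL", "no crl-verify: revoked certificates are still accepted"))
    if tls and ("client" in d or "tls-client" in d) and not (
            "remote-cert-tls" in d or "verify-x509-name" in d):
        out.append(("NO_SERVER_CHECK", "client does not check the server certificate"))
    return out
```

Calling `audit(open(path).read())` on a real server or client config returns an empty list when none of these three conditions apply.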