From: R0b0t1
Date: Fri, 6 Apr 2018 20:44:01 -0500
Subject: Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
To: gentoo-user@lists.gentoo.org
In-Reply-To: <1992980.6RBP82CMcb@dell_xps>
References: <1992980.6RBP82CMcb@dell_xps>
List-Id: Gentoo Linux mail
Content-Type: text/plain; charset="UTF-8"

On Fri, Apr 6, 2018 at 12:58 PM, Mick wrote:
> On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
>> On 04/05/2018 03:51 AM, gevisz wrote:
>> > Yes, the Host is running Windows.
>>
>> Seeing as how both the "Host" and the "Client" are running Windows, I
>> would think seriously about trying to leverage Windows' built-in VPN
>> capabilities.
>>
>> The following things come to mind:
>>
>> - (raw) IPSec - this might be somewhat challenging b/c reasons
>
> I think you mean IKEv2 + IPSec?
>
> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
> be encrypted when sent through the IPSec encrypted tunnel.
>
>
>> - L2TP+IPSec - probably less challenging b/c of wizards
>
> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.
>
>
>> - PPTP - just don't unless you have to
>
> Well said:
>
> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security. I would not use it under any
> circumstances, unless security is of no importance.
>
>
>> I'd encourage your friend to check out the VPN capabilities built into
>> Windows. He may need to install / configure (R)RAS to enable the features.
>
> As I mentioned before, there is also IKEv2+IPSec, which allows the client to
> roam between networks without dropping the connection.
>
> Finally, there is SSTP encrypting PPP frames within TLS. I don't know why one
> would use this instead of OpenVPN, except that it comes as part of the
> MSWindows package, while OpenVPN has to be installed separately.
>
>
>> In my experience, using native features that come from the software
>> vendor is often simpler to maintain long term.
>
> +1
>
> They are also easier to set up initially, because both MSWindows peers will
> use the same combo of encryption suites, ciphers, etc.

You mean the same horribly insecure ciphers? The built-in options are so weak
that I am not aware of anyone seriously using them; most setups tunnel Windows
technologies like RDP (which may sometimes insist on being set up with
encryption) over Linux-based technologies.
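The thread above argues about whether the Windows built-in VPN (IKEv2+IPsec vs. the older L2TP/IPsec with a pre-shared key) is worth using and whether its cipher suites are acceptable. As an added example that is not from any poster in this thread, the PowerShell below shows how a practitioner would settle that question on a real box: create the two kinds of connection, inspect the IPsec proposals Windows will negotiate, and pin the IKEv2 suite to AES-256-GCM / SHA-256 / ECP384 on both the client and an RRAS server instead of trusting the defaults. The connection name, server hostname and PSK are placeholders; machine-certificate authentication assumes a certificate already enrolled on the client. Disabling the PPTP/L2TP listeners on the server is a separate step not shown here.

```powershell
# Added example (not from the mailing-list thread): inspect and harden the
# IPsec suites behind Windows' built-in VPN. Names below are placeholders.
$ConnName = "CorpIKEv2"            # hypothetical connection name
$Server   = "vpn.example.com"      # hypothetical VPN server

# --- The "wizard-friendly" option from the thread: L2TP/IPsec with a PSK.
# This is IKEv1 + a shared secret + MSCHAPv2 user auth; shown only so the
# difference from IKEv2 is visible. Do not use a PSK like this in practice.
Add-VpnConnection -Name "LegacyL2TP" -ServerAddress $Server `
    -TunnelType L2tp -L2tpPsk "placeholder-psk" `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# --- The recommended option: IKEv2 authenticated with a machine certificate.
# -EncryptionLevel Required makes the client refuse an unencrypted link.
Add-VpnConnection -Name $ConnName -ServerAddress $Server `
    -TunnelType IKEv2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -Force

# Check: what will each connection actually negotiate? An empty
# IPSecCustomPolicy means "whatever the built-in default proposal list says".
Get-VpnConnection |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel,
                  IPSecCustomPolicy

# Pin the IKEv2/IPsec suite on the client: AES-256-GCM for ESP (cipher and
# integrity in one transform), SHA-256 for IKE integrity, ECP384 (P-384) for
# the initial DH exchange and for PFS on child SAs.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants         GCMAES256 `
    -EncryptionMethod                 AES256 `
    -IntegrityCheckMethod             SHA256 `
    -DHGroup                          ECP384 `
    -PfsGroup                         ECP384 `
    -Force

# Verify the pinned policy is stored on the connection object.
(Get-VpnConnection -Name $ConnName).IPSecCustomPolicy

# --- Server side (RRAS on Windows Server, RemoteAccess module).
# Apply the matching custom policy so the negotiation cannot fall back to a
# weaker default, and bound SA lifetimes so keys are rotated.
Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants         GCMAES256 `
    -EncryptionMethod                 AES256 `
    -IntegrityCheckMethod             SHA256 `
    -DHGroup                          ECP384 `
    -PfsGroup                         ECP384 `
    -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400

# Check the server's effective IKEv2 policy after the change.
Get-VpnServerConfiguration
```

Run the client half in an elevated PowerShell on Windows 10 / Server 2016 or later (the `VpnClient` module); the server half needs the Remote Access role installed. After pinning, a connection attempt that fails with an IPsec policy-mismatch error is the check working as intended: one side is still offering the default suite and should be brought in line, not the policy loosened. IKEv2 needs UDP 500 and 4500 reachable, and the machine-certificate path requires the server's certificate to chain to a CA the client trusts.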