Contributed by merdely on from the puffy-invades-venice dept.
OpenCON 2007 in Venice starts Saturday. But Friday provides attendees with a choice of two tutorials (out of four): Alessio Pennasilico's Introduction to OpenBSD or Peter N. M. Hansteen's PF Tutorial in the early part of the day and a Ports Tutorial by Bernd Ahlers or Felix Kronlage's talk on VPN Technologies in the later part of the day.
I was able to sit in on the tutorial on PF and the one on Ports. Darrin Chandler attended the VPN talk. Accounts from three of the tutorials follow. If you were able to attend Alessio's talk, please leave a comment.
The PF Tutorial started with a background of PF's history. Peter went through the basics of writing rules, making ftp work, not blocking icmp, securing wifi, hoststated, spamd, DMZs and carp. Not only was it a great introduction to PF for new users but covered more advanced topics for existing PF users. And the talk was a great companion for his upcoming book.
In the afternoon, I sat in on Bernd's Porting Tutorial. He spoke about basic porting philosophies and where our ports structure came from. He highlighted different the components of a port (directories and files) and then went through many of the parts of the Makefile. With audience participation, Bernd then led a demonstration of creating, building and packaging a new port. Since the demonstration included a very simple port, he covered more complex porting issues like reviewing the make configure output to fix errors and prevent unwanted dependencies and implementing FLAVORs and MULTI_PACKAGES.
Darrin attended VPN Technologies available on OpenBSD by Felix Kronlage:
Felix began with a high level overview of VPNs, and moved quickly into explanations of isakmpd and ipsecctl. It became very obvious that ipsecctl provides an extremely easy and functional interface. He then treated us to a working demonstration and walked us through the config files. For many common situations you can start from scratch and go to a working VPN in 5 minutes. I'd heard this before, but seeing it in action made me a believer.Then Felix quickly showed how to make a "poor man's" VPN using OpenSSH. We didn't spend much time there, but once again the configuration was very simple, involving only creating a tunnel on each side and one ssh command.
Last came a good look at OpenVPN. For most situations the VPN solutions in the base install will be preferable, OpenVPN offers some solutions for corner cases such as VPN through an http proxy or handling Windows clients easily. It's a very flexible tool that can be adapted to a large variety of situations. I'd always avoided OpenVPN in the past, but I'll be keeping it in mind for those odd situations.
(Comments are closed)
By Anonymous Coward (166.70.233.252) on
With resepect to VPN, I always choose to use OpenVPN. Correct me if I am wrong, but it is the best crossplatform Open Source VPN solution. Nowdays Windows clients in a production VPN deployment are rarely a corner case.
At any rate, IMO, if OpenBSD's ipsec implementation would like to expand its "market share" one of these up and running in 5 minutes tutorials should find its way into FAQ or User's Guide as PF has long time ago.
It's one thing to find it in a blog entry somewhere, but quite another read it on the official pages. (And I am not aware of a manual page that describes how all the pieces would fit together and get everything up and running smoothly.)
Comments
By Anonymous Coward (99.238.231.53) on
You are wrong. Where's the openvpn for cisco IOS, or any of the dozens of other proprietary firewalls people have to interoperate with? They all do ipsec, none of them do openvpn. And windows has ipsec support out of the box. If you aren't setting up the people's laptops yourself, then use one of the open source GUI tools to configure windows ipsec, so the end users can have it just as easy as openvpn.
Comments
By Anonymous Coward (24.37.242.64) on
>
> You are wrong. Where's the openvpn for cisco IOS, or any of the dozens of other proprietary firewalls people have to interoperate with? They all do ipsec, none of them do openvpn. And windows has ipsec support out of the box. If you aren't setting up the people's laptops yourself, then use one of the open source GUI tools to configure windows ipsec, so the end users can have it just as easy as openvpn.
OpenVPN works by tunneling over SSL (OpenSSL).
As for configuring OpenVPN on laptops, I know there's a way to create a custom-configured MSI 'package' or other that can be distributed and installed easily by the user without any real interaction.
As for VPN 'to/from' the firewall appliances themselves, I'm curious as to why this is needed or why anyone would do such a thing?
Comments
By Anonymous Coward (219.90.160.206) on
Connecting multiple machines to a VPN?
By Anonymous Coward (208.191.177.19) on
The comment about Windows IPSEC carries more weight, though. I don't think that is all that hard to set up any more.
By Joshua Bromfield (203.185.246.193) on
While I was on Peters website I also found his manuscript on pf very helpful:
http://home.nuug.no/~peter/pf/
Comments
By Anonymous Coward (85.139.179.22) on
>
> While I was on Peters website I also found his manuscript on pf very helpful:
>
> http://home.nuug.no/~peter/pf/
anyone with the VPN Tutorial?
Comments
By Darrin Chandler (dwc) on http://www.stilyagin.com/darrin/
> >
> > While I was on Peters website I also found his manuscript on pf very helpful:
> >
> > http://home.nuug.no/~peter/pf/
>
> anyone with the VPN Tutorial?
I believe Felix will post his slides some time in the future. Check http://www.openbsd.org/papers/ now and then to see what's new. :)
By Anonymous Coward (204.80.187.5) on