[colug-432] VPN types

Rick Hornsby richardjhornsby at gmail.com
Mon Dec 21 17:50:08 EST 2015


> On Dec 16, 2015, at 16:37, Rob Funk <rfunk at funknet.net> wrote:
> 
> Rick Hornsby wrote:
>> There are multiple VPN types out there - PPTP, L2TP, SSTP, OpenVPN
>> (and subtypes UDP, TCP, "Proxy", and IPSec).
> 
> That's mixing up a few different things, but I'm not familiar with
> everything you mention.

Right - I should have been more clear.  In the StrongVPN client, the major types are ones I can typically select, and the subtypes listed are ones that I can make a further selection from when choosing OpenVPN.

> 
>>> From what I've read:
>> 
>> * Stop using PPTP, it is based on very old Windows-era stuff that's
>> weak and cryptographically broken
> 
> True. The major advantage to PPTP is the simplicity of per-user
> usernames and passwords, without generating certificates of any kind.
> But that simplicity comes at the expense of security, both at the
> password level and at the PPTP encryption level.
> 
>> * OpenVPN is the new hotness, and uses some kind of SSL tunneling.  I
>> don't understand the subtypes or why one subtype is better than the
>> other.
> 
> OpenVPN is basically wrapping your network connection in SSL/TLS
> tunneled through UDP or TCP.
> 
> UDP is theoretically better when packets may get dropped and you're
> using TCP on top of the VPN. That's because UDP behaves the same as
> the underlying IP packets would without the VPN, while using OpenVPN
> over TCP means that when packets are dropped you have two nested TCP
> connections trying to handle the retransmission.

Thanks for the explanation of the different types and the consequences, that helps a great deal.

I used to use SSH tunneling, but it came with two major drawbacks: Like UDP OpenVPN, ssh is sometimes blocked locally, and secondly it requires the application layer to support and understand how to route traffic through a SOCKS5 proxy.  That's fine for most web browsers (though I question if DNS queries were using the tunnel), but that itself causes a few issues - the two big ones are applications that don't support SOCKS5 are running unencrypted and it requires configuring and later un-configuring the browser.

SSH tunneling still has a lot of valid uses. It can just be a lot more work than a VPN - which lets the OS control the traffic flow and ensures that applications at layer 7(?) don't have to think about the tunnel.  The goal is to encrypt all the traffic until it can reach a known, wired endpoint for getting to the larger interwebs.  Call me paranoid, but I've come to the point where I don't trust wireless (including the "personal device" wifi at work) or third party (i.e. hotel) wired connections.

-rick
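The DNS question raised above ("I question if DNS queries were using the tunnel") comes down to one field in the SOCKS5 CONNECT request an application sends to the `ssh -D` listener. The following is an added example, not code from the thread or from OpenSSH: it encodes and decodes that request per RFC 1928 so the address type (ATYP) can be inspected. A hostname (ATYP 0x03) means the far end of the SSH tunnel resolves the name; an IP literal (ATYP 0x01 or 0x04) means the application already did the lookup locally, outside the tunnel. The hostnames and addresses used are constructed sample values.

```python
"""SOCKS5 CONNECT request (RFC 1928) as an application sends it to ssh -D.

Added example, not from the original thread. The address type (ATYP) byte
decides whether the DNS lookup stays inside the tunnel:
  ATYP 0x03  hostname  -> the proxy end (ssh on the remote host) resolves it
  ATYP 0x01  IPv4      -> the application resolved the name locally, so the
  ATYP 0x04  IPv6         DNS query already went over the untrusted network
curl --socks5-hostname and Firefox's network.proxy.socks_remote_dns=true send
ATYP 0x03; curl --socks5 and a browser with that setting off send 0x01/0x04.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT for host:port.

    An IP literal is sent as-is (the caller has already done DNS); anything
    else is sent as a length-prefixed name for the proxy side to resolve.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (max 255 bytes)")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    # VER, CMD, RSV(0x00), address, then the port in network byte order.
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Decode a CONNECT request and report whether DNS was resolved locally.

    This is the check a defender can apply to captured traffic on the
    loopback SOCKS port: any ATYP other than 0x03 means a name leaked.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(data[4:8]))
        end = 8
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(data[4:20]))
        end = 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host = data[5:5 + n].decode("idna")
        end = 5 + n
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("truncated or trailing bytes in CONNECT request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {
        "atyp": atyp,
        "host": host,
        "port": port,
        "dns_resolved_locally": atyp != ATYP_DOMAIN,
    }


if __name__ == "__main__":
    # Constructed sample targets: one name, one pre-resolved address.
    for target in ("example.com", "192.0.2.10"):
        req = build_connect_request(target, 443)
        print(target, req.hex(), parse_connect_request(req))
```

The practical consequence for the setup described in the message: a browser pointed at the `ssh -D` port only keeps DNS inside the tunnel if it is configured to hand hostnames to the proxy; applications that resolve first and then connect leak every lookup, even though the subsequent TCP session is encrypted.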
