D&C GLug - Home Page


Re: [LUG] SDTJ - VPN Talk

 


On 12/10/2019 17:27, mr meowski wrote:

Additional information from a VPN veteran follows:

pfsense have a rather tarnished reputation (google it) and the backing
of a commercial company with a history of dubious actions - avoid.
Opnsense is a forked alternative (opnsense.org) and generally a wiser
choice.

That being said, despite their reputation there is nothing particularly
special about VPNs and one certainly doesn't need to limit their
deployment to certain tailored firewall/gateway/vpn type distributions
such as pfsense/opnsense. On Linux and BSD operating systems
particularly deploying a VPN isn't complicated any more. Don't deploy
VPNs on Windows if you value your sanity although that is probably
redundant advice here.

Tools such as Algo (https://github.com/trailofbits/algo) are suitable
for novices and experts and greatly ease the deployment of VPNs to cloud
infrastructure in a few easy steps.

For anyone shopping for a commercial VPN service you have my sympathy -
it's a minefield. For what it's worth I have a personal recommendation
after years of trying out most of them:

https://mullvad.net/en/

Usual disclaimers apply: I am in no way affiliated, etc, etc. Best I've
found so far by a mile but obviously you should do your own research.
Speaking of which this is _the_ place to start for VPN comparisons:

https://thatoneprivacysite.net/

Finally, 'old' VPN technology is clunky and horrible and although it's
taking forever to mainline into the kernel Wireguard has already seen
serious uptake amongst the sort of people who actually have to work with
and admin this stuff on a daily basis.

https://www.wireguard.com/

Better in pretty much every way than the horrors of IPsec and OpenVPN -
a simple Raspberry Pi at each end is more than powerful enough to handle
basic site-to-site VPN links and Wireguard sets up, tears down and
tolerates faults far better than the old alternatives.

We don't do VPNs like we used to. They live in container instances and
you manage them with systemctl or docker or k8s.

Cheers

I think all your comments neatly tie nicely in with the issue of "trust" that we brought up in the talk and I completely agree with them. Any Consumer VPN you choose is going to have to be one that you trust, and is a personal decision that you have to make, or choose one yourself.

We looked at StrongSWAN (GPLv2), and OpenVPN (consumer version - and yes, licensing information is obscure - it is essentially tied to a commercial product), pfSense (Apache License) - yet another license! - more confusing.

I made an effort to not advocate a particular solution, but did focus on common solutions which all share the same configuration parameters.

I cannot emphasise enough the issue of "trust", when it comes to implementing a privacy solution from a third party provider, and I re-iterated that every time we discussed it at the talk.

Cheers,


Giles


--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq