 From:  Peter Curran <peter at closeconsultants dot com>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] OpenVPN
 Date:  Wed, 9 Feb 2005 13:04:47 +0000
Hilton

>
> Were I to need to link 2 * m0n0wall sites, I'd probably (right now)
> still use IPSEC between these sites.  However, should I need to link a
> Windows user to a m0n0wall via a VPN, I'd tend to look at using the
> OpenVPN option - that's kinda where I stand with this right now.
>

That's where I started - OpenVPN is a no-brainer for windows->m0n0.

> OpenVPN seems to be one of - if not the - best implementations of a
> **true** SSL VPN available today.  I'm definitely pro-OpenVPN's
> inclusion in m0n0wall.
>

OpenVPN is pretty cool and fast.  Not sure about a 'true' SSL VPN.  Most SSL 
VPNs are sold as 'clientless'.  OpenVPN just uses the TLS security wrappers; 
it does not implement secure sockets (the API).

> As another point to note, I'd still really like to see m0n0wall be able
> to create x.509 certs.  Would be handy for those smaller networks that
> don't have this capability on an internal server.  Tho these days, these
> should be few and far between.
>

Just watch this space - it is on my work list....

The issues:
-- It is easy-peasy to provide a cert interface, but using the openssl(8) 
command adds almost 1 meg to the m0n0 base (IMHO not acceptable).

-- To get the functions without the fat, use the OpenSSL PHP function library.  
This does all the basic stuff we need, but does not handle PKCS#12 which is 
high on my 'must have' list.  Solution:  Add this into the library (I am 
playing with this currently).

-- Should m0n0wall be a CA?  Not the best deal for a GP firewall, so maybe 
this should be a module rather than a standard part of the distro.  This is 
what I am working on....

This is a fun development area, but there is lots more to do yet before we have 
a complete and stable implementation for the 1.2 release.

Peter
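An added example, not Peter's code and not part of m0n0wall, of the approach described above: a minimal X.509 CA built purely on PHP's OpenSSL extension (no openssl(8) binary), issuing a client certificate and exporting it as a PKCS#12 bundle. It assumes ext/openssl is loaded and that the system openssl.cnf defines the usual 'v3_ca' extension section; the DNs, file names, passphrase and serial numbers are constructed for illustration. openssl_pkcs12_export() only appeared in PHP 5.2.2, later than this message, which is consistent with the PKCS#12 gap Peter describes.

```php
<?php
// Added example, not m0n0wall code: a minimal X.509 CA using only PHP's OpenSSL
// extension. Assumes ext/openssl is loaded and that the system openssl.cnf
// defines the standard 'v3_ca' extension section (basicConstraints CA:true).

function fail(string $what): void {
    $err = openssl_error_string();
    throw new RuntimeException("$what failed: " . ($err ?: 'unknown OpenSSL error'));
}

function new_rsa_key() {
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) fail('openssl_pkey_new');
    return $key;
}

// Build a self-signed CA certificate and key. Serial 1 here; a real CA must
// persist its serial counter and never reuse a serial number.
function make_ca(array $dn, int $days = 3650): array {
    $key = new_rsa_key();
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    if ($csr === false) fail('openssl_csr_new');
    // ca_certificate = null makes the resulting certificate self-signed.
    $cert = openssl_csr_sign($csr, null, $key, $days,
        ['digest_alg' => 'sha256', 'x509_extensions' => 'v3_ca'], 1);
    if ($cert === false) fail('openssl_csr_sign');
    return ['key' => $key, 'cert' => $cert];
}

// Issue an end-entity (e.g. OpenVPN client) certificate signed by the CA.
function issue_cert(array $ca, array $dn, int $serial, int $days = 365): array {
    $key = new_rsa_key();
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    if ($csr === false) fail('openssl_csr_new');
    $cert = openssl_csr_sign($csr, $ca['cert'], $ca['key'], $days,
        ['digest_alg' => 'sha256'], $serial);
    if ($cert === false) fail('openssl_csr_sign');
    return ['key' => $key, 'cert' => $cert];
}

// Export cert + private key + CA cert as a passphrase-protected PKCS#12 blob.
// openssl_pkcs12_export() exists since PHP 5.2.2.
function export_pkcs12(array $leaf, array $ca, string $passphrase, string $name): string {
    $ok = openssl_pkcs12_export($leaf['cert'], $p12, $leaf['key'], $passphrase,
        ['extracerts' => $ca['cert'], 'friendly_name' => $name]);
    if (!$ok) fail('openssl_pkcs12_export');
    return $p12;
}

// Confirm the leaf certificate's signature verifies under the CA public key.
// openssl_x509_verify() (PHP >= 7.4) returns 1 on success, 0 on failure, -1 on error.
function signed_by(array $ca, $cert): bool {
    $pub = openssl_pkey_get_public($ca['cert']);
    return $pub !== false && openssl_x509_verify($cert, $pub) === 1;
}

// --- constructed demo values (not real identities) ---------------------------
$caDn   = ['countryName' => 'CH', 'organizationName' => 'Example m0n0wall',
           'commonName' => 'Example m0n0wall CA'];
$userDn = ['countryName' => 'CH', 'organizationName' => 'Example m0n0wall',
           'commonName' => 'alice'];

$ca   = make_ca($caDn);
$user = issue_cert($ca, $userDn, 2);

// Hypothetical output paths and passphrase for the demo.
file_put_contents('alice.p12', export_pkcs12($user, $ca, 'changeme-demo', 'alice@m0n0wall'));
openssl_x509_export_to_file($ca['cert'], 'ca.crt');

$info = openssl_x509_parse($user['cert']);
printf("issued CN=%s by CN=%s, CA signature valid: %s\n",
    $info['subject']['CN'], $info['issuer']['CN'],
    signed_by($ca, $user['cert']) ? 'yes' : 'no');
```

The PKCS#12 file carries the private key, so the passphrase and the file itself need the same protection as the key; the CA key from make_ca() never leaves the box and is the one asset a "m0n0wall as CA" module would have to guard most carefully.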