Hilton
>
> Were I to need to link 2 * m0n0wall sites, I'd probably (right now)
> still use IPSEC between these sites. However, should I need to link a
> Windows user to a m0n0wall via a VPN, I'd tend to look at using the
> OpenVPN option - that's kinda where I stand with this right now.
>
That's where I started - OpenVPN is a no-brainer for windows->m0n0.
> OpenVPN seems to be one of - if not the - best implementations of a
> **true** SSL VPN available today. I'm definitely pro-OpenVPN's
> inclusion in m0n0wall.
>
OpenVPN is pretty cool and fast. Not sure about a 'true' SSL VPN. Most SSL
VPNs are sold as 'clientless'. OpenVPN just uses the TLS security wrappers,
it does not implement secure sockets (the API).
> As another point to note, I'd still really like to see m0n0wall be able
> to create x.509 certs. Would be handy for those smaller networks that
> don't have this capability on an internal server. Tho these days, these
> should be few and far between.
>
Just watch this space - it is on my work list....
The issues:
-- It is easy-peasy to provide a cert interface, but it uses the openssl(8)
command, which adds almost 1 meg to the m0n0 base (IMHO not acceptable).
-- To get the functions without the fat, use the OpenSSL PHP function library.
This does all the basic stuff we need, but does not handle PKCS#12 which is
high on my 'must have' list. Solution: Add this into the library (I am
playing with this currently).
-- Should m0n0wall be a CA? Not the best deal for a GP firewall, so maybe
this should be a module rather than a standard part of the distro. This is
what I am working on....
This is a fun development area, but there is lots more to do yet before we have
a complete and stable implementation for 1.2 release.
Peter
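As an added illustration of the approach described above (the PHP OpenSSL function library rather than the openssl(8) binary), here is a small CA-and-client-bundle routine. This is example code, not m0n0wall's own; it assumes a current PHP with the openssl extension, and a readable openssl.cnf providing the standard 'v3_ca' and 'usr_cert' extension sections. The PKCS#12 gap mentioned in the message has since been closed in PHP itself: openssl_pkcs12_export() has existed since PHP 5.2.2.

```php
<?php
// Added example (not m0n0wall code): issue an OpenVPN client certificate from a
// locally generated CA using only PHP's openssl_* functions, then bundle the
// client cert, its key and the CA cert into a PKCS#12 file for the Windows client.
const KEY_OPTS = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];

// Create a self-signed CA; returns [certificate, private key].
function make_ca(string $cn, int $days): array
{
    $key = openssl_pkey_new(KEY_OPTS);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    // ca_cert = null means self-sign; the 'v3_ca' section sets basicConstraints CA:TRUE.
    $cert = openssl_csr_sign($csr, null, $key, $days,
        ['digest_alg' => 'sha256', 'x509_extensions' => 'v3_ca'], random_int(1, PHP_INT_MAX));
    return [$cert, $key];
}

// Issue a client cert signed by the CA and return a PKCS#12 blob carrying the
// client cert, its private key and the CA cert (the chain the client needs).
function make_client_p12(string $cn, $caCert, $caKey, int $days, string $passphrase): string
{
    $key = openssl_pkey_new(KEY_OPTS);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    // 'usr_cert' yields an end-entity cert (basicConstraints CA:FALSE).
    $cert = openssl_csr_sign($csr, $caCert, $caKey, $days,
        ['digest_alg' => 'sha256', 'x509_extensions' => 'usr_cert'], random_int(1, PHP_INT_MAX));
    // Check before export: the issued cert must verify against the CA's public key.
    if (openssl_x509_verify($cert, openssl_pkey_get_public($caCert)) !== 1) {
        throw new RuntimeException('issued cert does not verify against CA: ' . openssl_error_string());
    }
    $p12 = '';
    if (!openssl_pkcs12_export($cert, $p12, $key, $passphrase,
            ['extracerts' => [$caCert], 'friendly_name' => $cn])) {
        throw new RuntimeException('PKCS#12 export failed: ' . openssl_error_string());
    }
    return $p12;
}

// Constructed sample run: a 10-year CA and a 1-year client bundle (names are placeholders).
[$caCert, $caKey] = make_ca('m0n0wall-ca', 3650);
$p12 = make_client_p12('roadwarrior1', $caCert, $caKey, 365, 'changeme');
file_put_contents('roadwarrior1.p12', $p12);

// Read the bundle back to confirm the client cert and the CA chain are both present.
$bag = [];
openssl_pkcs12_read($p12, $bag, 'changeme') or die("cannot read bundle back\n");
printf("client cert CN=%s, %d CA cert(s) included\n",
    openssl_x509_parse($bag['cert'])['subject']['CN'], count($bag['extracerts'] ?? []));
```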