Tuesday, February 14, 2012

Re: How to setup OpenVPN?

Sorry, forgot to reply to the list.

> > What are your goals? Would you like to have IP6 connectivity to just
> > your VServer, or to the IP6 Internet? Do you want the servers in your home
> > network reachable from the IP6 Internet?
>
> I like to have the Servers reachable from the IPV6 internet

Then it would be inefficient to route all packets through your vserver
first. A tunnel broker will presumably have better IP6 connectivity and be
reachable in fewer hops.

> > I'd say it would be most beneficial for you to just enable IP6 in your
> > home network by connecting to a tunnel broker, or by using 6to4. Then you
> > can connect to all IP6 hosts, including your vserver. And those hosts can
> > connect to your home-servers, depending on your firewall rules, of course.
>
> I have a /64 IPv6 range registered @RIPE and do not want to pass my
> private connections over a broker which I do not know and trust.

With private connections you mean connections between your servers at home
and your vserver? That would be the classic use case for a VPN, of course.
If you mean connections between your home servers and other hosts, then
routing through your vserver won't help, assuming you trust or distrust all
network operators equally. If you specifically distrust the ISP connecting
your home network then again tunneling everything over your
vserver will help.

> > The rationale for IP6 was to create another unlimited address space, like
> > IP4 was years ago. Getting an IP6 prefix for your home network is easy.
> > There's no need to recycle what you got for your vserver.
>
> How can I get native IPv6 on my home connection?

Ask your ISP. If they don't want to help you, you won't have native IP6
unless you change your ISP. You don't need native IP6 to have your servers
reachable by IP6, even though native would be the preferred option.

> If I must use a broker, I can use my own IPv6 network on my server too.

When your vserver goes down, your servers at home will not be reachable
either. A tunnel to a network operator is likely a lot more reliable than
one to your vserver.


> > The only reason to do it this way would be if you wanted to have a secure
> > channel between your home servers and your vserver. I don't know enough
> > about OpenVPN to give you specific advice on this.
> >
> > Still, it would be simpler to use a different IP6 prefix for your
> > home servers, instead of subnetting within your vserver's prefix.
>
> MAYBE, but I prepare my own enterprise which will be multihomed and I have
> to learn, how to use VPN, IPSec and to route between IPv6 subnets.

If the goal is to learn, then my considerations are not all that relevant.
Now, unfortunately I don't know enough about OpenVPN to be of any help
in answering the original question.


--
Archive: http://lists.debian.org/20120214155519.GA1898@lia.ch