[lug] Hosting Question

Bear Giles bgiles at coyotesong.com
Sat Sep 30 17:20:21 MDT 2006

dio2002 at indra.com wrote:
> Any thoughts on securing rysync over the public nw?
> Or maybe there is another nw backup method/service i could/should be using
> other than rsync?
I'm becoming a fan of OpenVPN instead of SSH tunnels.  Several reasons:

1) you don't have TCP-over-TCP issues when there's packet loss.  OpenVPN 
uses the OpenSSL library but manages to run it over UDP instead of TCP.  
Someone even said it's basically a variant of IPSEC, although I don't 
know enough to know if that's a fair characterization.

2) you don't have to figure out how to set up quasi-static connections 
for port forwarding.  VPNs are just there.

3) you don't have to provide public root access to the services.   In 
many cases you can bind to the VPN address alone. In other cases you can 
run two instances -- one with root access on the VPN, the second without 
root access on the public IP address.

4) firewall rules can be greatly simplified since you move some services 
entirely onto the VPN.  (Unrestricted VPN access can be provided with a 
single line in the iptables configuration file.)  E.g., your mail server 
must be public, but there's no reason for the POP/IMAP server to be.

Finally, there are security issues that you'll run into when people 
start using SSH forwards to get past firewalls.  The problem isn't the 
port forwarding per se, it's that the connections are open to everyone 
once they've been established.  Suddenly people can get access far 
beyond what they could get through VPNs.

More information about the LUG mailing list