James Yonan wrote:
In general, crypto accelerators focus on symmetric encryption (AES or
Triple-DES), secure hashes (SHA-x), and random number generation. This
will accelerate the encrypted "conversation" that occurs after initial
authentication, but not necessarily the authentication process itself.
OpenVPN can take advantage of all of these features in both SSL/TLS and
static key mode, as long as the crypto accelerator is supported by
OpenSSL (OpenSSL has a plugin capability where drivers for different
crypto accelerators can be supplied as shared objects).
Thanks. So OpenVPN will benefit from hardware encryption with static
keys on connection setup where it will not benefit when using PKI.
My servers cost much less than E600, but then I have to pay for them
myself. Still, as long as you don't have hundreds of users (I have 5) you
can provide professional quality service. Only the Internet link will
remain a SPOF, the rest will be redundant before long.
Speaking of redundancy in the internet connection, the new multi-homed
patch for 2.0 that was discussed recently on the list will let you do
something like host two redundant OpenVPN servers, and have each server be
multihomed to two separate ISPs.
That would eliminate both the OpenVPN server machine and the internet
connection from the set of server-side SPOFs.
I'm thinking of going one better. I probably can get a set of IPs from
a /24 (one would be enough for OpenVPN but I need more for other
reasons). Use RIP or OSPF and IPIP to tunnel that to home over two
consumer DSL connections. That way the IPs I get from the /24 are always
routed to my home. I'll use linux-ha to make stuff fail-over, so my
incoming connections always get routed to a live box. I'll probably run
into mtu issues, but I'll tackle that as it occurs. I have already run
with an artificially lowered mtu some time ago to investigate pmtu
blackholes, so I know what I'm up against, I just still don't completely
understand OpenVPN combined with LZO compression and fragmentation.
What happens when I send full size packets over a VPN link? Does
fragmentation happen and when? Maybe there is something worthwhile to be
said about this on the site?
Now to find time to set it up..... :-(
M4