Hacker News new | ask | show | jobs
by jlund 3742 days ago
I'm planning on implementing IKEv2 support in Streisand soon. I wanted to get OpenConnect/AnyConnect implemented first. I had not heard of OpenIKED until your comment, and I got really excited, but it looks like the portable version for Linux has been deprecated? If that's the case, it is really unfortunate; I love OpenBSD and their security track record.

I will likely use Libreswan for both L2TP/IPsec and IKEv2, and give the user a choice between those options at installation. L2TP/IPsec support is still a little more ubiquitous, but IKEv2 will be set up by default. It's a much better protocol with significantly less legacy baggage.

Your comments on Tor are thought-provoking too. I can look into making that optional as well, either through a prompt or command-line flag.

Thanks for the feedback! Let me know if you have any other suggestions.
1 comments
dguido 3742 days ago
Thanks, that would be great! Yes, I would very much like to see options to strip down Streisand. I'm not worried about getting my packets filtered by the Great Firewall. I'd rather have the minimum number of agents necessary: IKEv2, SSH, and maybe stunnel. I consider every additional agent to add risk of compromise to the entire setup.

Sidenote: Ubuntu's security posture appears slightly better than Debian's, but I'm a little vague on the details. Historically, Ubuntu has had people like Kees Cook working on security of their distro and relentless pursued AppArmor policies, adoption of exploit mitigations, and reducing the footprint of the default install. Any way you can make it more distro-agnostic so I could run the installers on Ubuntu instead would be appreciated!

Btw, I didn't notice that portable OpenIKED was deprecated :-(.

link
jlund 3742 days ago
Yeah, I will probably make it possible to choose the list of services instead of singling out Tor specifically. I have heard from some users who only want to run Shadowsocks, for example. The diversity of services really helps keep things flowing in restrictive environments. Not everyone falls into that category though.

Good news! Your Ubuntu dreams are already a reality. The playbooks are currently designed for Ubuntu 14.04. I was using Debian 7 at launch (which might be what you saw previously) but I switched the base distribution late last year. Ubuntu 16.04 is the frontrunner for the next upgrade. The playbooks and roles are complicated enough that it's not terribly practical to target multiple distros, especially given the wide support that Ubuntu enjoys.

link