by falcolas 3409 days ago
I've seen this implemented quite usefully in a corporate environment and for container-container communication; but attempting to set it up for my personal use was an absolute disaster. A bit over a week spent trying to make it work, and it never did.

OpenVPN worked just fine, but I could never make StrongSwan work at all. Which is a shame, I really wanted to have an easy-to-use VPN for my phone and so forth. Settled on OpenVPN, which worked well enough with the iOS clients.


OpenVPN is an SSL VPN, relatively easy to set up, and it operates in the transport layer. strongSwan (IPsec) works in layer 3.

To properly install and configure strongSwan, following the tutorials available over the Internet is not enough. One needs to have basic networking knowledge (NAT, iptables in particular), a good understanding of the IPsec protocol suite (including IKE, AH, ESP), PKI, Linux skills, etc.

This is a good reference but still needs the knowledge mentioned above to get it to work: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.h...

OpenVPN isn't really an SSL VPN. In one of the major modes (preshared key), TLS isn't used at all. In client-server mode, TLS is only used for session negotiation (keys, options, user/pass) and the rest goes over their own protocol and doesn't use TLS at all. And even then it isn't TLS over TCP directly, but TLS over OpenVPN's own protocol.

For whatever reason, OpenVPN is way easier to get up and running. Little knowledge required. UDP overhead is minimal.

t. Recently implemented an OpenVPN client from scratch.

Thanks for pointing that out, good insight. Haven't really done a deep dive for OpenVPN as strongSwan works perfectly fine for pretty much all my use cases.

However, strongSwan (IPsec) is easy to block (e.g. if detected by big brother - GFW in China) as by default it uses UDP ports 500, 4500, while OpenVPN can easily disguise as SSL/TLS or anything. In that sense, OpenVPN can be a backup for IPsec for remote access (fighting censorship).

OpenVPN cannot disguise as SSL/TLS - every packet has an OpenVPN header, so it won't look like, say, an HTTPS connection. And the data packets do not use TLS at all. It would not take much effort at all to detect that a stream is using OpenVPN. Every data packet will start with the same few bits regardless of encryption options used. And the start of a new session has a recognizable sequence of initial bytes, again, regardless of the options used.

Whether or not firewalls are doing enough DPI to figure this out is another question.
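The two comments above make concrete, checkable claims: IKE/IPsec is recognisable from its default ports (UDP 500 and 4500), and OpenVPN is recognisable on any port because every datagram begins with an opcode byte and every session opens with a hard-reset control packet. The following is an added example, not code from the thread, from OpenVPN or from strongSwan: a small passive classifier of the kind a network defender would run to inventory VPN traffic leaving a segment. The field layouts are the published IKE header and OpenVPN wire formats; every sample packet is constructed by hand for illustration, and the port numbers, opcode table and function names are this example's own assumptions.

```python
# Added example: passive fingerprinting of OpenVPN and IKE/IPsec from a UDP
# destination port plus the first payload bytes. Sample packets are constructed.

# OpenVPN wire format: first byte = (opcode << 3) | key_id.
OPENVPN_OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
CLIENT_HARD_RESET = {1, 7, 10}   # the first packet a client sends in a new session


def parse_openvpn_header(payload: bytes):
    """Return (opcode, key_id) if the first byte is a valid OpenVPN opcode, else None.

    Control and ack packets carry an 8-byte session id after the opcode byte;
    P_DATA_V2 carries a 3-byte peer id. The length check enforces those minimums.
    """
    if not payload:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode not in OPENVPN_OPCODES:
        return None
    min_len = 4 if opcode == 9 else (1 if opcode == 6 else 9)
    if len(payload) < min_len:
        return None
    return opcode, key_id


def parse_ike_header(payload: bytes):
    """Return (major_version, exchange_type) if payload starts with a sane IKE header.

    IKE header: 8-byte initiator SPI, 8-byte responder SPI, next payload (1),
    version (1, major in the high nibble), exchange type (1), flags (1),
    message id (4), total length (4).
    """
    if len(payload) < 28:
        return None
    major = payload[17] >> 4
    if major not in (1, 2):
        return None
    if int.from_bytes(payload[24:28], "big") != len(payload):
        return None
    return major, payload[18]


def classify_udp(dst_port: int, payload: bytes) -> str:
    """Classify one UDP datagram. IKE is tied to its ports; the OpenVPN opcode
    check runs on any port because the opcode byte is always present."""
    if dst_port == 4500 and len(payload) >= 4:
        if payload[:4] == b"\x00\x00\x00\x00":   # non-ESP marker: IKE follows
            payload, dst_port = payload[4:], 500
        else:                                     # non-zero SPI: ESP-in-UDP
            return "IPsec ESP (UDP-encapsulated)"
    if dst_port == 500:
        ike = parse_ike_header(payload)
        if ike:
            return f"IKEv{ike[0]} exchange_type={ike[1]}"
    ovpn = parse_openvpn_header(payload)
    if ovpn:
        return f"OpenVPN {OPENVPN_OPCODES[ovpn[0]]} key_id={ovpn[1]}"
    return "unknown"


def classify_flow(payloads) -> str:
    """Flow-level OpenVPN check: the first datagram must be a client hard reset
    and every datagram must carry a valid opcode. This removes the single-packet
    false positives (a TLS record starting with 0x16 also parses as an opcode)."""
    headers = [parse_openvpn_header(p) for p in payloads]
    if not headers or any(h is None for h in headers):
        return "unknown"
    if headers[0][0] not in CLIENT_HARD_RESET:
        return "unknown"
    return "OpenVPN (session start observed)"


# Constructed samples (not captured traffic).
OVPN_HARD_RESET = bytes([0x38]) + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"  # opcode 7, key_id 0
OVPN_DATA = bytes([0x49]) + b"\x00\x00\x01" + b"\xde\xad\xbe\xef" * 4          # opcode 9, key_id 1, peer id 1
IKE_SA_INIT = (b"\x01\x02\x03\x04\x05\x06\x07\x08" + b"\x00" * 8               # SPIs
               + b"\x21\x20\x22\x08" + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x1c")  # SA, v2.0, IKE_SA_INIT, len 28
NAT_T_IKE = b"\x00\x00\x00\x00" + IKE_SA_INIT
NAT_T_ESP = b"\x00\x00\x00\x2a" + b"\x00\x00\x00\x01" + b"\xaa" * 16           # SPI 0x2a, seq 1
TLS_HELLO_FRAGMENT = b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03"           # first byte looks like opcode 2

if __name__ == "__main__":
    for port, pkt in [(1194, OVPN_HARD_RESET), (1194, OVPN_DATA), (500, IKE_SA_INIT),
                      (4500, NAT_T_IKE), (4500, NAT_T_ESP), (443, TLS_HELLO_FRAGMENT)]:
        print(port, classify_udp(port, pkt))
    print("flow:", classify_flow([OVPN_HARD_RESET, OVPN_DATA]))
    print("flow:", classify_flow([TLS_HELLO_FRAGMENT]))
```

Two things the code makes visible. The IKE branch needs nothing but the port and a length field to agree, which is why the earlier comment calls IPsec easy to block and why an egress monitor finds it just as easily. The one-byte OpenVPN check alone is not reliable (the constructed TLS fragment classifies as an OpenVPN server hard reset), so a classifier, or a DPI box, has to work per flow: a client hard reset at session start followed by datagrams that all carry valid opcodes, which is exactly the recognisable sequence the comment describes.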

> A bit over a week spent trying to make it work, and it never did

I feel your pain. I remember trying to install DNSCrypt[1] on Linux and failing miserably. I was convinced it would work if only I found the right solution online, or if only the right amount of caffeine was in my bloodstream, or if by sheer effort of will I could get it working, but I still failed. I partially got it installed, error messages galore in my terminal, and all my /paths/ were wrong. It was a humbling experience. I quickly uninstalled it as I don't want partially working, broken soft running on my machine.

I guess for this situation a decent OpenVPN client would be ideal, like Viscosity[2].

[1] https://www.dnscrypt.org/

[2] https://www.sparklabs.com/viscosity/

I also could not get an IPSec VPN running on Debian in 2012 (I think it was FreeSWAN), while OpenVPN was no problem. I am planning to run a VPS for VPN and email again and this time looking to do all the setup with Ansible. Two roles came up for StrongSwan when searching: https://github.com/agdsn/ansible-strongswan-server and https://github.com/jonathanio/ansible-role-strongswan. Not sure how much those help with actual VPN configuration. Anyone have any experience with this?