Hacker News new | ask | show | jobs
by terrywang 3408 days ago
OpenVPN is SSL VPN, relatively easy to setup, it operates in transport layer. strongSwan (IPsec) works in layer 3.

To properly install and configure strongSwan, following the tutorials available over the Nnternet is not enough. One needs to have basic networking knowledge (NAT, iptables in particular), good understanding of IPsec protocol suite (including IKE, AH, ESP), PKI, Linux skills and etc.

This is a good reference but still needs the knowledge mentioned above to get it to work: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.h...
1 comments
MichaelGG 3408 days ago
OpenVPN isn't really an SSL VPN. In one of the major modes (preshared key), TLS isn't used at all. In client-server mode, TLS is only used for session negotiation (keys, options, user/pass) and the rest goes over their own protocol and doesn't use TLS at all. And even then it isn't TLS over TCP directly, but TLS over OpenVPN's own protocol.

For whatever reason, OpenVPN is way easier to get up and running. Little knowledge required. UDP overhead is minimal.

t. Recently implemented an OpenVPN client from scratch.

link
terrywang 3407 days ago
Thanks for pointing out, good insight. Haven't really done a deep dive for OpenVPN as strongSwan works perfectly fine for pretty much all my use cases.

However, strongSwan (IPsec) is easy to block (e.g. if detected by big brother - GFW in China) as by default is uses UDP ports 500, 4500, while OpenVPN can easily disguise as SSL/TLS or anything. In that sense, OpenVPN can be a backup for IPsec for remote access (fighting censorship).

link
MichaelGG 3407 days ago
OpenVPN cannot disguise as SSL/TLS - every packet has an OpenVPN header, so it won't look like, say, an HTTPS connection. And the data packets do not use TLS at all. It would not take much effort at all to detect that a stream is using OpenVPN. Every data packet will start with the same few bits regardless of encryption options used. And the start of a new session has a recognizable sequence of initial bytes, again, regardless of the options used.

Whether or not firewalls are doing enough DPI to figure this out is another question.

link