[plug] VPNs

Craig Ringer craig at postnewspapers.com.au
Thu Aug 5 23:27:47 WST 2004


chris wrote:
> I seem to remember you talking about using IPv6 for a VPN. What is the
> advantage of this again and what does it involve?

Main advantage: for me, in my situation, it's convenient and works well. 
It's likely that many will not find this to be the case.

I find IPv6, in combination with SSH, very nice for quick, basic VPN 
functionality. It just makes it easy to make a direct connection from 
host A to host B where:


        [A]------------------GW1
    192.168.1.1          [inet-ip-1]
                              |
                              |
                              |
                              |
        [B]                  GW2
    192.168.1.1----------[inet-ip-2]

In other words, you can make a direct connection between two NATed hosts 
that may even have the SAME IPv4 address (no horrors with trying to 
resolve conflicting address space choices) and be on different networks. 
You don't even have to care whether or not NAT is involved.

It's the difference between
	ssh somehost
and
	ssh -Nnf -L 2222:somehost-internal-address:22 gateway-host  # gateway-host: placeholder for the SSH-reachable gateway
	ssh -p 2222 localhost
	# now we do battle with host keys, because ssh doesn't store
	# the port number in the known-hosts
for some types of task.

I use this all the time to do things like let my laptop use work's mail 
services no matter where I go. Evolution 1.4 is too braindead to use 
client certificates it seems :-( otherwise I'd be using that approach 
instead. It's also great for admin - I can 'ssh bucket6' from my laptop, 
and get there directly with no fuss or manual hops through gateway hosts 
- without even having to think about what network I'm plugged into.

I use 6to4, so no support from an upstream provider is required so long 
as the host you want to be the 6to4 gateway has a world-reachable IPv4 
address. For me, this works well, as I'm the / an admin of every network 
I use regularly. For others who don't work on IPv6 enabled networks 
regularly it may not work so well.

I'm looking into setting up an IPv6 IPSec full VPN later, but need to 
proceed cautiously. I've had a little luck with tests, but nothing I'm 
willing to use regularly yet, and I'm not too sure it's worth it yet. The 
attraction of ssh-over-ipv6 is that it's simple, works well, and works 
even if the services you're forwarding are ipv4 only.

--
Craig Ringer
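
The 6to4 addressing the post relies on, as an added example that is not part of the original message: each gateway's public IPv4 address yields its own 2002:V4ADDR::/48 prefix (RFC 3056), so hosts A and B from the diagram get distinct IPv6 addresses even though both are 192.168.1.1. The gateway addresses are constructed documentation values standing in for inet-ip-1 and inet-ip-2, and the function names are hypothetical.

```python
import ipaddress

# Ranges that can never anchor a 6to4 prefix because they are not
# world-reachable: RFC 1918, loopback, link-local, carrier-grade NAT.
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def sixtofour_prefix(gateway_v4: str) -> ipaddress.IPv6Network:
    """Return the 2002:V4ADDR::/48 prefix derived from a gateway's IPv4."""
    v4 = ipaddress.IPv4Address(gateway_v4)
    if any(v4 in net for net in NON_ROUTABLE):
        raise ValueError(f"{v4} is not world-reachable; 6to4 needs a public IPv4")
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    base = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((base, 48))


def host_address(gateway_v4: str, subnet_id: int, iface_id: int) -> ipaddress.IPv6Address:
    """Address inside the gateway's /48: 16-bit subnet id, 64-bit interface id."""
    if not 0 <= subnet_id <= 0xFFFF or not 0 <= iface_id < (1 << 64):
        raise ValueError("subnet_id is 16 bits, iface_id is 64 bits")
    return sixtofour_prefix(gateway_v4).network_address + ((subnet_id << 64) | iface_id)


def gateway_of(addr_v6: str):
    """Recover the gateway IPv4 embedded in a 6to4 address (None if not 6to4)."""
    return ipaddress.IPv6Address(addr_v6).sixtofour


if __name__ == "__main__":
    # Constructed sample gateways (documentation ranges), one per network.
    for name, gw in (("A", "192.0.2.1"), ("B", "198.51.100.7")):
        addr = host_address(gw, subnet_id=1, iface_id=1)
        print(f"host {name}: {addr} in {sixtofour_prefix(gw)} via {gateway_of(str(addr))}")
```

Mapping a 6to4 address back to its gateway with `gateway_of` is also handy when reading SSH or firewall logs, since it shows which site's IPv4 gateway a connection came through.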



