A friend of mine installed VPN on our LAMP development server. Previously, we just used SSH and sometimes SSH public keys to avoid password prompts. My question is, what is the advantage of using VPN over just using SSH public keys? What new features can I take advantage of? Why might VPN be necessary?
4 Answers
"Virtual Private LAN" as opposed to "Virtual Private Port Forwarding"
Mostly just conveniences. The whole LAN that you are VPN'd to could be available to you, transparently, as opposed to just having a shell and services forwarded via ports.

If you're using VPN to gain access to one machine, it really comes down to how lazy you want to be. About the only advantage a VPN gives you is not needing to use port forwarding or a SOCKS proxy over SSH. This can be advantageous for things like FTP, or UDP applications (such as DNS). In addition, if you're going to SSH over your VPN link to one host, it's a small waste of resources. Bottom line, it can make some things easier to get access to, and you can now test some services more easily (such as DNS), but if it's just one host, you don't really gain anything useful.
If, on the other hand, you had a few systems/devices on the other end of the VPN, then it can be advantageous, as you will be able to ssh directly to your hosts without the need to bounce through a jump-box or set up inbound ssh port forwards. In addition, if your VPN tunnel is always up and can be routed to on both ends, it can be useful for performing remote backups of your data.

What kind of environment are you supporting?
Are you simply connecting one service or workstation from a single location to another location? If so, an SSH tunnel that you turn on and off as needed is fine.
Are you connecting entire subnets together between offices?
In that case, use a full-on VPN solution. Sure, you CAN use SSH tunneling and all sorts of custom hacking to create a VPN solution using nothing but SSH and other system tools, but your successor is going to have a devil of a time supporting it and probably throw it out in favor of Cisco or OpenVPN.
It really is about most efficient use of your time as a sysadmin, and packaged solutions are frequently much cheaper considering the opportunity cost of burning up sysadmin time hacking custom solutions together.
One MIGHT argue that SSH tunnels are the simplest possible solution until one looks at all the pieces necessary to make the connections, but simplest also means simplest to support and maintain over the life of the deployment.
At risk of being repetitive, I highly recommend this book for new sysadmins: The Practice of System and Network Administration. http://www.amazon.com/Practice-System-Network-Administration/dp/0201702711

Through VPN, you can access both your local network (corp/home) and remote network (development net) simultaneously, whereas when you SSH to some server, you are pretty much on the remote network.
VPN is one of the alternatives, when your development servers are on a separate network and there are no routes to access it from main/corp network.
