Tech I had to deal with during the last weeks:

- L2TP/IPSec
- IPSec IKEv1 PSK (with ciphers like PSK_LOLCAT_ROLLINGSUM)
- IKEv1 EAP-MSChapv2
- IKEv2 EAP-TLS (PKI/Certs)
- OpenVPN
- Wireguard

People expect that:

- you know each of them inside and out, off the top of your head
- they work on every device
- all vendors are compatible with every other vendor
- it's free
- it's instant
- it works flawlessly on every broken, triple NATed, censored network

What I actually prefer: ssh

@jonw That's a little short-sighted. :-) May I introduce you to the concept of UDP and many other non-TCP protocols, as well as latency?

`-D` is great for many things that sysadmins deal with. It doesn't solve each and every requirement of securely passing traffic between two points.
Though I *like* to think of ssh actually being a magic bullet. It clearly *is* for many things that *I* need to do. It's not for many things others need to do.


Maybe "all" that crap was a little optimistic. But certainly "a lot" of what normal office workers need.

We have a lot of non-technical users at work that access work assets solely through ssh tunnels and... ugh... PuTTY.

But use whatever floats your boat. Me, I do the easiest thing because I'm a lazy sysadmin.

@jonw Then you're lucky with your users. I have some that are not able to launch an application when there is no icon for it on their desktop.
If there's nothing to click on, it doesn't exist.

It's not what *I*'d use for *my* stuff. I just need to enable them doing their stuff and SSH tunnels are absolutely not suitable for some of them. They already struggle with the concept of having to *first* connect the VPN, *then* mount the fileserver.

For me SSH is faster and more convenient anytime. :)


It's not luck.

We work backwards. We don't choose a product and then figure out how to secure it.

We choose a secure product and then we train users how to use it. We have utterly non-technical users creating their own SSH key pairs, installing and configuring tunnels in PuTTY, and configuring FoxyProxy or their OS proxy settings to use the tunnel.

I know training users is a groundbreaking idea, but it works.

I am not making fun of you with my last comment. I am making fun of the woefully inadequate state of affairs in enterprise security because IT security teams are neutered and not allowed to do their jobs correctly because users refuse to be trained. We don't hire, or we get rid of people like that because they're a risk to the organization.

@jonw I usually don't have the chance to do that selection. I'm currently tasked with making existing, local-network-only services available for remote work.
Of course without any time-frame to do any proper planning or available bandwidth.

It's mostly make do with what's there and find a solution that's sufficiently usable as fast as possible.

That also includes user training being shot down by management before you can even breathe. Nothing enterprise, all small/medium businesses.


That sounds terribly depressing to me. Lol.

Hard to do your best work in such an environment.

@jonw The depressing part is that it's terribly common that infrastructure is undocumented, rotten, outdated and under-specced.

Doing some magic to make strange things possible is often challenging but also interesting.
Currently the biggest problem here is severe lack of bandwidth for teleworking.


Yeah, I bet the bandwidth thing is an issue. Also maybe VPN licenses and other ancillary stuff.

My company has no office, so there are no such issues. But I can imagine that's an unforeseen headache a lot of offices are facing now.

Many companies are learning that their BCP plans are garbage right now.

@jonw Since all the firewall stuff we are using is open source, at least there are no licensing problems with these.

Regarding creative software… well, Adobe stuff is a problem. But their CreativeCrap suite is a constant source of terrible licensing issues anyway.

I've been working remotely for over 15 years, so my stuff is configured for this. My customers, some more than others.

Some stuff is just mostly unusable over a common home internet connection.
Lack of upstream everywhere, especially in offices.

