[olug] TINC

Nick Hibma nick at anywi.com
Thu Nov 15 11:20:54 CET 2012


> I want to remark that if correctly set up, using TLS authentication with strong
> certificates, CRL checking, and --tls-auth, OpenVPN is very secure.  However,
> it is also possible to just use a static key, in which case I would say that it
> is much less secure than many other VPN solutions. So be careful.

The biggest issue with any security solution is defaults. Most users assume that defaults are good enough and leave them as is. In production environments people are usually billed by the hour, so no time to learn, just do. PSK is the quick-fix to be able to label a connection as 'IPSec'. Problem solved, onto the next one.

> Tinc's strength is the fact that it automatically creates a full mesh network
> between an arbitrary number of peers, while only specifying a handful of
> (initial) connections between peers. This is very difficult to reproduce with
> OpenVPN or IPsec in tunnel mode.

There is one BIG difference between OpenVPN and tinc that I've not seen mentioned here: configuration. OpenVPN is a bitch to get right in automated environments (with automated I mean: generate the openvpn configuration on the fly during boot).

With tinc it was trivial and fun to set up a multi-tunnelling solution. It fits into the UNIX philosophy of a toolbox with many small tools. tinc sits between two tap interfaces, and provides _hooks_ to do your local configuration and provides examples of how to do this. OpenVPN pushes the configuration statements from the server to the client. Guess which one can be moved from FreeBSD to Linux in ten minutes.

That being said: openvpn has clicker-di-click interfaces which are much more appropriate to end-user environments of course, which tinc does not have as far as I know (or care).

Tinc is very well suited to non-end-user situations.


And of course there is the _excellent_ support of the author who actually knows what he is talking about.

Nick
