OpenVPN

[GamerAyers]

Since I use my Linuxmce server as my main router, I would like to ability to not only add a wireless card for wireless router support along with the wired network, but also have VPN access.  OpenVPN allows for easy SSL access for a VPN.  Any chance this can be incorporated without much difficulty.  Thanks.

[richard.e.morton]

I would like to see attack data for LinuxMCe before exposing the external LAN port to the internet. However, if LinuxMCE is up to the job I would like to use it also in this way and have both a VPN a DMX and as IPCop calls it a blue channel (Wireless channel - i.e. 4 LAN cards - Red, Green, Yellow and Blue) in the box.

For me this is immaterial as I still plan to put a firewall on the perimeter... at least for now.

R

[los93sol]

you want smoothwall

[los93sol]

Actually thinking about this, yea, I'd also love it if smoothwall was part of LinuxMCE, it would probably ease a lot of people's minds about exposing this box to the internet as smoothwall has recently won an award for best open source network firewall.  It shouldn't effect anything else that your LMCE box does in any kind of a noticeable way because it runs on very minimalistic hardware.  I think it's a great idea, but I have no idea how much would be involved to integrate it with LMCE

[richard.e.morton]

Smoothwall forked a while back and there is IPCop as well, if this was on the cards both could be evaluated

[Monkgs]

Hrm. The point of distributions like smoothwall, m0n0wall and ipcop is that all the extra kernel and userspace features are ripped out, leaving a significantly smaller attack surface. Furthermore, the remaining software is configured in a secure fashion and chroot jailed when applicable.

It would be impossible to integrate these principles in LinuxMCE because LinuxMCE is designed to work with as many devices as possible, which is the complete opposite of smoothwall and ipcop. Comparatively, due to the number of services LinuxMCE runs, it will NEVER be a good choice for a firewall (from a security standpoint).

However, a strong ruleset on LinuxMCE should be more than enough security for anyone not wearing a tinfoil hat. Ultimately a strong iptables ruleset, that opens no services to the external world will be as secure as any other Linux firewall. The real advantage to distributions like smoothwall is that you don't have to be a linux guru to configure the ruleset in a secure fashion.

As for openvpn, build it yourself or install a binary package. There's no reason why it needs any sort of special integration.

[GamerAyers]

I am definately not, by any means, a Linux Guru.  So maybe it is something I missed.  I had installed OpenSwan and I have a set of sonicwall using IPsec.  I was able to setup the OpenSwan for connection to the sonicwall and was even able to open the Sonicwall website and saw that something was connected.  Unfortunately, I was never able to even ping devices inside from the LinuxMCE server where OpenSwan resided.  I was wondering if there was a routing table that LinuxMCE used that I was missing.  That is the only reason I was looking for an OpenVPN/OpenSwan implementation in linuxMCE(plus with it implemented directly into LinuxMCE you could have a part of the website for setting up all the settings making it easy for the average VPN user not just Linux user).

[Monkgs]

LinuxMCE uses the standard routing tables (viewable by: cat /etc/iproute2/rt_tables). Your problem is definitely a configuration issue, which may be better answered by someone familiar with OpenSwan.

With regards to integration with LinuxMCE, I personally don't think it's a good idea. The more bloated LinuxMCE becomes, the harder it is to maintain. How many people need auto-configure openvpn support? Anyone who actually uses it will likely need to configure it manually anyway.

For now, is it really too much work to "apt-get install openvpn"?

[Enigmus]

That seems to defeat the purpose.  Why have LinuxMCE at all if it isn't an all encompassing solution?  Why not just setup a website that tells us all how to setup every piece of software currently individually to create what LinuxMCE is? These are not really good reasons for leaving a package out of a system like this. 

The team should be working on merging new features and software into the system in an easy to manage fashion.  After all, each individual software package is managed by a a completely different software team.  MythTV, for instance, is managed by a completely different project team, and therefore the LinuxMCE does not have to update the actual software.  The same would be true of OpenVPN.

However, there are valid reason for not adding it.  There may not be a demand for it's incorporation.  It doesn't fit the functionality set of LinuxMCE.  There is a better option.

[Monkgs]

However, there are valid reason for not adding it.  There may not be a demand for it's incorporation.  It doesn't fit the functionality set of LinuxMCE.  There is a better option.

If you're going to disagree with someone, make sure you know what you're disagreeing on. Seems to me that we're in agreement on why it's not a good idea.

How many people need auto-configure openvpn support?

[Enigmus]

With regards to integration with LinuxMCE, I personally don't think it's a good idea. The more bloated LinuxMCE becomes, the harder it is to maintain.

OK, I disagree with this, and the assertion that there was nothing in contention between my statement and yours.

I do agree that there are points at which we are in agreement. 

[Monkgs]

With regards to integration with LinuxMCE, I personally don't think it's a good idea. The more bloated LinuxMCE becomes, the harder it is to maintain.

OK, I disagree with this, and the assertion that there was nothing in contention between my statement and yours.

I do agree that there are points at which we are in agreement. 

Well, your argument goes both ways. It's impossible for a distro to include every conceivable software package. That's certainly not the point of a distribution at all, and definitely not the point of this media center distribution. To remain as light weight as possible software packages which are not core to the purpose of the distribution must be provided in package form. OpenVPN has little to do with media, and as such I see no reason for it to be included as a standard package.

As it is, the code has seen multiple regressions due to an already complex development environment. The absolute last thing we need to be doing right now is jamming in everywhich package we can think of.

[Enigmus]

Agreed, it should not have everything under the Sunday.  However, it should not be adverse to include useful packages.

I am personally not pushing for OpenVPN to be included at this time.  I am also not pushing for OpenVPN to be included specifically.  I am not pushing for VPN to be included at this time, as there are more important features to be added.  However, LinuxMCE is a bit of a misnomer.  It is not just a Media center but rather that and home automation.  Under the home automation banner there is room for vpn connections between sites for security, communication, and joint operations. 

VPN is listed under the Possiblities section on the wiki, for future inclusion. Under features VPN is listed as one of the features, which shows that the developers are looking at it as a feature of some sort (http://wiki.linuxmce.org/index.php/Features).  I see use in using VPN to link to sites together.   I hope that it will included at some point.

[hari]

so we all hope for something :-)

until there is a maintainer willing to integrate it and adapt the webinterface this will not happen...

best regards,
Hari

[Enigmus]

See Hari is all about the VPN.  However, he's all ready committed for multiple things.  Thanks any way Hari.