[PLUG] OpenVPN BOF meeting?

Keith Lofstrom keithl at kl-ic.com
Thu Dec 4 06:25:03 UTC 2008


On Wed, Dec 03, 2008 at 02:23:20PM -0800, Paul Heinlein wrote:

> The easy-rsa scripts that ship with OpenVPN are a good start for 
> certificate generation and maintenance, but they're not really a 
> substitute for a general understanding of public key infrastructures.

This is the hardest part of OpenVPN for me.  If the keying
scripts don't work right (and I could not get them to work
for the topologies I wanted, where some machines are both
clients and servers) then the user must learn more than they
might want to about the underlying processes.  What bothers
me most is that I don't know enough to be confident that I
have done key creation correctly and created secure links.

Part of what makes this hard is that we normally think about
moving information, not about restricting it, and the whole
VPN/SSL process is about protecting information from unwanted
release.  In the real world, there are resourceful psychopaths
that want to hurt me for sport, and we design encrypted VPN
tunnels to hide from them.  That is quite unpleasant and
depressing to think about.

Software designers use surprisingly little design automation
- a Software CAD tool that designs and deploys certificate
and keying systems for arbitrary topologies would be an
obvious tool that would hide the complexity of this process
from overworked or part-time sysadmins.  A pretty good
"beta" version of such a tool would be a decent master's
project for a CS student, and might lead to a great job.

I am changing my firewall from an old laptop to an ALIX single
board computer running OpenWRT, and rebuilding my OpenVPN tunnels
around that.  I will probably be generating new certificates and
keys for all the machines that talk to the firewall because of 
that, so this is an opportunity for me to do OpenVPN "right".

Suggested solution - an OpenVPN BOF meeting

It might be useful to arrange a meeting of people with similar
OpenVPN needs and learn to do this together.  I've got Verizon
FIOS connectivity, an offsite server, and other bits and pieces
here at my Beaverton home office that we could use as a meeting
place.  Before I shut down my old system, other folks can look
at config files and log files with me, and see how I've got it
working now.  Perhaps we set up two nearby meeting places, and
create tunnels between them (I might talk my neighbor into it). 
Or somebody else can design some test systems that run across
my internal network.  Or even do it with a couple of VMWare
instances.  Sadly, I don't have the skill to make one of
these internal setups for experimentation and demonstration,
or the time to organize yet another meeting.  

If somebody else volunteers to arrange a time and gather people
and hector them into reading (if not understanding) the OpenVPN
documentation, perhaps we can set something up.  If smart guys
like Paul want to stop by and help, that would be most welcome.

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs