Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

vpnc: update version and add nossl variant #25603

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

jschwartzenberg
Copy link

Maintainer: @danielg4
Compile tested: (mipsel_24kc_musl, TP-Link Archer C50v6, f10ee1e20966bdb86cb61a87338f953de1d86cc6)
Run tested: ((mipsel_24kc_musl, TP-Link Archer C50v6, 24.10-rc2, I tested the original version without ssl and it works, I still need to test this new version but am looking for feedback)

Description:
Updated vpnc to the latest version. I submitted a patch that allows compilation without an SSL library. When using a pre-shared group key, vpnc doesn't use its SSL library, so for many cases this is not needed while it allows vpnc to be used on devices with little space where an SSL library does not fit. See also: streambinder/vpnc#55

Note that I still need to test the newer version and will report back. Many thanks in advance for any feedback you might have!

@BKPepe
Copy link
Member

BKPepe commented Dec 23, 2024

I noticed you've added a non-SSL version. We want to ensure we fully understand all potential use-case scenarios. Could you please share more information about the situations where this version would be used? This will help us ensure we're providing the best possible solution for all our users. May I know what is the size diference between SSL and nonSSL variant? We recommend using SSL/TLS, because of the security, which is top priority for us.

@jschwartzenberg
Copy link
Author

Could you please share more information about the situations where this version would be used?

vpnc supports VPN connections either with SSL certificates or using a private pre-shared group key. In case the nonSSL variant is used to connect to an endpoint that relies on certificates, it will bail out, no connection will be established. In the second case with the pre-shared key, the whole SSL library is not involved with the connection setup, so it doesn't matter whether you use an SSL or nonSSL build.

So the nossl version can only be used for scenarios which work with the pre-shared group key. I use it to connect to a Fritzbox.

May I know what is the size diference between SSL and nonSSL variant?

The SSL variant pulls in GNUTLS, which takes up more space than I have free on my TP-Link Archer C50. On my Turris Omnia I have more than enough space, but on the Archer C50 there's about a 3.5" floppy worth of space left after installing plain OpenWRT and by avoiding the SSL dependency I can still establish a VPN connection with vpnc :)

We recommend using SSL/TLS, because of the security, which is top priority for us.

In this case there's no security impact as these are independent connection mechanisms. If the endpoint requires SSL/TLS, you must use the SSL/TLS version. If the endpoint uses a pre-shared group key, you can use either version, but the SSL/TLS part will never be used.

Please let me know if I should provide more info! Many thanks for the quick response!

Signed-off-by: Julius Schwartzenberg <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants