Posted by: Anonymous
on April 15, 2008 03:35 AM
I would agree that OpenVPN is a better choice than tinc (on security grounds alone). As for IPsec vs OpenVPN, there are two perceived advantages that OpenVPN has: (1) its author has put a lot of effort into documentation and making the simple things actually simple, and (2) it creates a routable interface, so if you want to you can do things like running OSPF over the VPN and/or create route-based redundant tunnels. The first advantage is true when comparing with Linux or FreeBSD IPsec; the FreeBSD IPsec documentation still talks about gif interfaces! The situation in OpenBSD is much better: it has a much simpler way of setting up a VPN -- you can still do all the fancy things if you want, but you don't have to do them, which is the problem with Linux/FreeBSD IPsec configuration. The second advantage is nothing to do with IPsec per se (there are plenty of IPsec vendors that provide a routable interface if you are willing to buy their product) and everything to do with the people who implemented IPsec under Linux/BSD being unwilling or unable to see the benefits of a routable interface (OpenBSD appears to at least be showing some interest). Thus, while not an OpenVPN advantage against IPsec in general, it is an advantage compared to existing Linux/BSD implementations. A disadvantage of OpenVPN is scalability, but then it is unlikely that your average OpenVPN user needs to connect, say, 600 sites in a hub & spoke, which is a common IPsec scenario, and so casual OpenVPN users aren't going to care.
BTW, if ease of configuration is the primary measure, then the simplest VPN to set up is probably Hamachi.