[09:32] <rmg51> Morning
[12:07] <teddy-dbear> Morning peoples, critters and everything else
[16:56] <ChinnoDog> Why does setting up OpenVPN server take so many steps?
[16:56] <ChinnoDog> Is there no way to set it up with a couple commands?
[16:59] <ChinnoDog> One of the great things about Ubuntu packages is that they provide more defaults than the software they contain would have if you downloaded it and installed it the conventional way. OpenVPN should have a default configuration that just works.
[17:02] <jthan> ChinnoDog: which distro?
[17:03] <ChinnoDog> Ubuntu
[17:03] <ChinnoDog> 14.04
[17:03] <r00t^2> ChinnoDog: it takes so many steps because it's so flexible. if you're looking for clicky-clicky high-resource bullshit, use openvpn_as
[17:10] <jedijf> lol
[17:10] <jedijf> mommy, why is security difficult?
[17:12] <ChinnoDog> It isn't difficult, it is needlessly difficult.
[17:12] <ChinnoDog> If it is just complex then I expect to work it out. If there is an opportunity to make things easier then they should be.
[17:13] <jedijf> well, that was provided too, openvpn-as
[17:13] <r00t^2> s/-/_/ ;)
[17:14] <jedijf> shift_fail
[17:14] <r00t^2> ChinnoDog: a.k.a. the thing they try to shill on you *when you go to the openvpn.net homepage*
[17:14] <r00t^2> really, it only seems like so many steps because the documentation/howto for the community version is so expansive
[17:15] <r00t^2> it's only like, 6 or 7 steps.
[17:15] <jedijf> yeah, and i don't recall it being overly cumbersome either
[17:15] <r00t^2> and that's assuming you're using the extra security features like diffie-hellman
[17:15] <jedijf> http://jedijf.blogspot.com/2012/04/openvpn.html
[17:16] <jedijf> obviously some things may have changed along with the date/year
[17:16] <r00t^2> there ya go. i mean, if *jthan* can set it up....
[17:17] <r00t^2> jedijf: nah, still the same, only thing that's really changed over the past five? years is an optional new way of defining the listening port/proto/interface and at some point they made the default cipher to be bowfish-cbc
[17:17] <r00t^2> s/bow/blow/
[17:18] <jthan> ChinnoDog: It's really not bad, it's true... Just take the sample config and modify it, start service
[19:38] <ChinnoDog> I tried openvpn_as, it didn't work. The irony. I configured the standard one by hand and successfully connected to it.
[19:38] <jthan> ChinnoDog: that's simplicity that you previously called complexity ;-)
[19:40] <ChinnoDog> I know. And, it took forever.
[19:46] <ChinnoDog> I should make a PPA with an instant-openvpn package that configures it for you.
[19:50] <jthan> Lol why did it take forever?!
[20:14] <ChinnoDog> Because there were so many steps
[20:52] <jthan> NOooo
[21:44] <r00t^2> ChinnoDog: no you shouldn't, because shared keys are how people get compromised
[22:57] <ChinnoDog> r00t^2: New keys can be generated as part of setup.
[22:58] <r00t^2> and what about subnet? interface? port? protocol? cipher to use?
[22:59] <r00t^2> also, for a 4096 bit DH key, it takes more than a couple minutes to generate on average and clean hardware/ENV. you're really going to make users wait that long at a hanging apt-get prompt while you gen that?
[23:00] <r00t^2> i'm just saying, if this was a good idea, then linux installers would have had root gen a private ssh key on installation years ago. :P
[23:04] <ChinnoDog> Just because it isn't done yet doesn't mean it is a bad idea. It does take some time to generate the key but there are also post install hooks that could be good for that.
[23:07] <r00t^2> "not done yet"? you're arguing against not some "new and revolutionary idea" but something that's been *avoided* for more than 20 years.
[23:09] <r00t^2> err, arguing for, rather
[23:41] <ChinnoDog> I can find no evidence anyone has been avoiding it. I think it simply hasn't been done yet because no one has seen it fit to take their time to do it. In any case, I would never assume something that has not been done has been left undone intentionally. Especially with open source anything.