deadmalc's Avatar
Posts: 415 | Thanked: 182 times | Joined on Nov 2007 @ Leeds UK
#1
I set up my email account (imap/smtp) with tls and found it to be quite laggy, which I found irritating (but usable, just had to be patient).
I need to be able to ssh to my server, and being paranoid I can only do that through a vpn tunnel (openvpn).
I installed it from extras-devel and found it to be painless: just copied my config across from my laptop, installed it into /etc/openvpn, and to my surprise it worked first time, and I haven't had any battery drain or stability problems (any way I can help push this into extras?)

But then I thought, seeing as it was so easy to set up, with no stability issues and no noticeable drain on the battery, I'd keep it on and change my email to use the local address and not use tls for encryption.

Email application is now virtually instant response, so I'd recommend anyone to try this method if they can.
I'm not sure whether it's the tls in modest being crappy, or whether using openvpn with compression is making the difference - and pumping my username/password on the internet in plain text to see which one it is, isn't my idea of fun.
__________________
Life on the edge....always waiting to fall
 

Posts: 219 | Thanked: 94 times | Joined on Nov 2009 @ Helsinki, Finland
#2
I also tried the same with my work email. We don't have activesync connections open to the Internet, but with openvpn and MailForExchange it's possible to do the trick. I'm under the impression that the GUI for openvpn isn't usable yet, so the next thing would be doing something like this to make opening the connection faster (sorry, the forum is Finnish, but you'll get the point).
 
deadmalc's Avatar
Posts: 415 | Thanked: 182 times | Joined on Nov 2007 @ Leeds UK
#3
Originally Posted by naabi View Post
I'm under impression that the GUI for openvpn isn't usable yet
gui for me was easy to use, but you have to install gainroot thingi.
Copy configs to SD card on N900, then open terminal
"sudo gainroot" then "cp /media/mmc1/openvpn/* /etc/openvpn/"

Then you can select the config file from the gui, and it works fine.
Agreed not ideal, but works well.
Posts: 46 | Thanked: 5 times | Joined on Sep 2009
#4
Originally Posted by deadmalc View Post
I need to be able to ssh to my server, and being paranoid I can only do that through a vpn tunnel (openvpn).
If you are *truly* paranoid, how do you see OpenVPN (x509 PKI) being a secure means for creating a tunnel?

SSH (RSA) on a non-standard port with a firewall ACL makes more sense.

 
Posts: 543 | Thanked: 181 times | Joined on Aug 2009 @ Universe,LocalCluster.MilkyWay.Sol.Earth.Europe.Slovenia.Ljubljana
#5
Anyone care to share a working openvpn config client and server for this? Last I tried I couldn't get any routing through, and since there is no nat support I wasn't able to mess with that as a workaround either.

Much appreciated.

p.s. It's been ages since I messed with openvpn and I hardly have a need for it so I'd rather avoid relearning everything if I can.
 
Posts: 1,208 | Thanked: 1,028 times | Joined on Oct 2007
#6
Originally Posted by deadmalc View Post
gui for me was easy to use, but you have to install gainroot thingi.
Copy configs to SD card on N900, then open terminal
"sudo gainroot" then "cp /media/mmc1/openvpn/* /etc/openvpn/"
If you are talking about openvpn-applet, you can import the configuration through gui.
 
Posts: 44 | Thanked: 5 times | Joined on Oct 2009 @ Sweden
#7
I can't make this app work (openVPN). I've installed it through the application manager, and now what?
 
Posts: 1,208 | Thanked: 1,028 times | Joined on Oct 2007
#8
Originally Posted by Razumichin View Post
I can't make this app work (openVPN). I've installed it through the application manager, and now what?
What are you expecting to do with it? You could install OpenVPN Applet too
 
Posts: 32 | Thanked: 9 times | Joined on Nov 2009 @ Norway
#9
Originally Posted by Razumichin View Post
I can't make this app work (openVPN). I've installed it through the application manager, and now what?
I suggest starting at http://openvpn.net/index.php/open-so...mentation.html , probably starting with the HOWTO.
 

Posts: 3,428 | Thanked: 2,856 times | Joined on Jul 2008
#10
Originally Posted by techdork View Post
If you are *truly* paranoid, how do you see OpenVPN (x509 PKI) being a secure means for creating a tunnel?

SSH (RSA) on a non-standard port with a firewall ACL makes more sense.

Ok Wait... what? (slight thread hi-jack).

RSA is public-key cryptography... x.509 is a public-key infrastructure. They are completely different.

x.509 includes RSA encryption (or can, it can also include others) when generating the certificates. The certificates are controlled via Certificate Authorities (CAs).

Both OpenVPN and SSH use SSL.

Now, x.509 (thus OpenVPN) is usually harder to implement than OpenSSH key-pairs, but could you provide me documentation that actually says that using OpenVPN with keys is less secure than using SSH with keys?

I would find that result highly suspect. Typically the two things are used for different purposes - SSH is used for single machines to connect to remote machines and control them. It has the ability to forward certain ports, or create SOCKS tunnels which are the most common. And yes, since OpenSSH 4.3 it also has the ability to create "on-the-fly" VPN tunnels using tun - exactly like a: VPN, however more uncommon.

VPNs are mostly used to connect single, or many machines to not only the remote computer, but the entire network behind that computer as well - and very commonly: to route all local traffic through the tunnel. IF you want to be able to access your personal desktop computer's files from a "road warrior" laptop/phone/whatever and you have a firewall sitting on your perimeter blocking all access to your internal LAN.. VPN is the way to do it (IMHO).

I don't see how forwarding a port directly to my internal desktop is any more secure than establishing a tunnel to my firewall, and from my firewall accessing my internal desktop.

At a cryptographic level.. they are using identical algorithms.

In the OP he mentions using SSH, over OpenVPN. So an encrypted tunnel, over an encrypted tunnel. In theory this definitely provides better security. Even if, hypothetically, the VPN tunnel is compromised the SSH is not. However, in reality - this is likely truly unnecessary. The chances of someone cracking just the SSH session OR the VPN session are slim to nil.

Granted, the software implementing SSH or a VPN can and will be susceptible to exploits.

Last edited by fatalsaint; 2009-12-16 at 21:46.
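
The arrangement discussed in this thread, sshd reachable only through the OpenVPN tunnel, can be checked on the server from its listening sockets. This is an added example, not code from any poster; the `ss -tln` sample lines and the 10.8.0.0/24 tunnel subnet are constructed assumptions.

```python
import ipaddress

# Constructed samples of `ss -tln` output (not taken from the thread).
# BEFORE: sshd listens on every interface. AFTER: only on the tunnel address.
SAMPLE_BEFORE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
"""
SAMPLE_AFTER = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128         10.8.0.1:22        0.0.0.0:*
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
"""


def ssh_listeners_outside_vpn(ss_output, vpn_cidr, port=22):
    """Return local addresses listening on `port` that can be reached
    without going through the VPN subnet `vpn_cidr` (assumed value)."""
    vpn = ipaddress.ip_network(vpn_cidr)
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        host, _, lport = fields[3].rpartition(":")
        if lport != str(port):
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets / scope id
        if host == "*":
            exposed.append(host)  # wildcard: bound on every interface
            continue
        addr = ipaddress.ip_address(host)
        in_vpn = addr.version == vpn.version and addr in vpn
        if addr.is_loopback or in_vpn:
            continue
        exposed.append(host)  # includes 0.0.0.0 and ::, i.e. all interfaces
    return exposed


if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, ssh_listeners_outside_vpn(sample, "10.8.0.0/24"))
```

An empty list means port 22 is bound only to loopback or tunnel addresses; restricting sshd with `ListenAddress` in `sshd_config` is one way to reach the second state.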
 
