Weblog entry #1 for e5z8652
Secure remote access
Posted by e5z8652 on Wed 4 Oct 2006 at 04:18
So jhabib's weblog about ssl-explorer has me thinking.
Currently I'm looking at alternatives to hardware VPN appliances - they're expensive and I don't like waiting for firmware upgrades after something is posted to bugtraq. And sometimes it's just too difficult to get them to talk to *nix boxes - setting up Microsoft MPPE on a Debian box just seems pointless when there are so many better alternatives.
OpenVPN is nice - it is very easy to install and set up on Debian, but I also have to support a lot of Windows desktops (or laptops in this case) and OpenVPN seems a little rough around the edges here. Maybe I just haven't looked around enough. (I'm sure it can be scripted so that the user just double-clicks a batch file to connect or disconnect.) You also have to build key pairs for every client. OpenVPN is simple and easy to understand. One encrypted tunnel, and that's all it does. So if you want to ssh to a *nix box or have a Windows client log on to an AD server, just send the traffic through the tunnel. Let iptables on the OpenVPN server route the packets, or drop them as the case may be.
On the other hand, there's this ssl-explorer tool. I can pop it onto a virtual Debian box and people can browse through 443. No key pairs, just the SSL certificate on the server. On the network, sort of like OpenVPN, as only one port is open (although it's TCP, not UDP, and on a well-known port). But it seems like there's a lot going on with the interface - shares mapped via Java, ssl-explorer assigned permissions... Hmm. I'm not sure about the middleman aspect. It is so complicated it seems like there are plenty of spots for holes to appear.
What do you think? What's a convenient, secure, cross-platform (for non-geek Windows users) remote access technology?
Comments on this Entry
Posted by Anonymous (62.214.xx.xx) on Fri 6 Oct 2006 at 11:25
Take a look at openvpn.se; there is the Windows GUI you're looking for :)
Generating keys is easy. If you generate pkcs12 files, you only need to send 2 files to the user: conf and key file.
I wrote a script which mails me the 2 files.
Otherwise enable duplicate-dn; then you only need 1 key!
(But for security reasons this is not advised.)
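The two-file procedure the comment describes (a PKCS#12 bundle per client plus a client config, mailed out together), as an added example that is not code from the original post, the comment, or the OpenVPN project. It uses only the openssl command line; the CA name, the client name, the export password and the server host vpn.example.org are placeholders made up for the example. It keeps one certificate per client, the path the comment recommends; the option the comment calls duplicate-dn is spelled duplicate-cn in OpenVPN's server configuration, and the example does not rely on it.

```shell
#!/bin/sh
# Added example, not code from the original post or the comment above.
# Builds the two files the commenter sends each user: a PKCS#12 bundle
# (client key + client cert + CA cert) and an OpenVPN client config that
# loads it. Everything here is constructed for illustration: the CA name,
# the client name and the server host "vpn.example.org" are placeholders.
set -eu

# make_ca DIR: create a throwaway CA (key + self-signed cert) in DIR.
# In a real deployment the CA key is created once, kept off the VPN
# server, and reused for every client.
make_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# make_client_p12 DIR NAME PASSWORD: issue a certificate for NAME signed
# by the CA in DIR and export key, cert and CA cert as DIR/NAME.p12,
# protected by PASSWORD. The plaintext key is deleted afterwards so the
# only copy leaving this host is the password-protected bundle.
make_client_p12() {
  dir=$1; name=$2; pass=$3
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/$name.crt" 2>/dev/null
  openssl pkcs12 -export -name "$name" \
    -inkey "$dir/$name.key" -in "$dir/$name.crt" -certfile "$dir/ca.crt" \
    -passout "pass:$pass" -out "$dir/$name.p12"
  rm -f "$dir/$name.key" "$dir/$name.csr"
}

# write_client_conf DIR NAME SERVER: write DIR/NAME.ovpn, the second file
# the user receives. "pkcs12" replaces the separate ca/cert/key lines, and
# "remote-cert-tls server" makes the client require the server key-usage
# extension on the peer certificate, so a leaked client bundle (which has
# no such extension) cannot be used to impersonate the server.
write_client_conf() {
  dir=$1; name=$2; server=$3
  cat > "$dir/$name.ovpn" <<EOF
client
dev tun
proto udp
remote $server 1194
nobind
persist-key
persist-tun
remote-cert-tls server
pkcs12 $name.p12
verb 3
EOF
}

# check_p12 P12 PASSWORD NAME: return 0 if the bundle opens with PASSWORD
# and its client certificate carries CN=NAME (a sanity check before the
# files are mailed out).
check_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject 2>/dev/null |
    grep -q "CN *= *$3\$"
}

# Command-line use: sh make_client.sh NAME [SERVER] (constructed usage).
if [ -n "${1:-}" ]; then
  out=./clients
  [ -f "$out/ca.crt" ] || make_ca "$out"
  make_client_p12 "$out" "$1" "${P12_PASS:?set P12_PASS in the environment}"
  write_client_conf "$out" "$1" "${2:-vpn.example.org}"
  check_p12 "$out/$1.p12" "$P12_PASS" "$1" && echo "send: $out/$1.p12 $out/$1.ovpn"
fi
```

Run as `P12_PASS=... sh make_client.sh alice` to get clients/alice.p12 and clients/alice.ovpn; the password is what protects the key in transit, so it goes to the user by a separate channel rather than in the same mail as the two files.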