| 1 |
2018-04-05 1:02 GMT+03:00 Grant Taylor <gtaylor@×××××××××××××××××××××.net>: |
| 2 |
> On 04/04/2018 02:18 PM, gevisz wrote: |
| 3 |
>> |
| 4 |
>> A friend of mine asked me to recommend him an open-source VPN-server for |
| 5 |
>> Linux but unfortunately I never used one. |
| 6 |
> |
| 7 |
> That's a loaded ask. |
| 8 |
|
| 9 |
I just tried to point to the facts that |
| 10 |
1) I know much less about VPNs than I had to before asking such a |
| 11 |
question for myself, |
| 12 |
2) There is a so to say "distributed competence": |
| 13 |
The friend of mine is competent mostly in Windows and is a novice |
| 14 |
in Linux whereas |
| 15 |
I use Linux since the death of MS DOS 6.22 and know almost nothing |
| 16 |
about Windows |
| 17 |
(if I need some help about Windows, I just call to the friend and |
| 18 |
ask where exactly |
| 19 |
I should point and click :). |
| 20 |
|
| 21 |
>> After some googling, I have found OpenVPN but do not know if it is the |
| 22 |
>> best choice that suits his purposes, namely to access local network that |
| 23 |
>> does not have its own fixed IP from the outside. |
| 24 |
> |
| 25 |
> Okay.... |
| 26 |
> |
| 27 |
>> To be more precise: the local network to be accessed to from the outside |
| 28 |
>> is part of another local network. The latter (outer) network has its own |
| 29 |
>> fixed IP but the former (inner) network gets its IP via DHCP. So, it is |
| 30 |
>> impossible to connect to a computer in the inner network from the outside |
| 31 |
>> directly. |
| 32 |
> |
| 33 |
> Is this toplolgy accurate? |
| 34 |
> |
| 35 |
> (Client)---(Internet)---(OR)---(IR)---(Host) |
| 36 |
> |
| 37 |
> I'm guessing that your friend (client) wants to access something (host) on |
| 38 |
> the inner network. But to do so requires passing through the Internet |
| 39 |
> through Outer Router (with a static IP on the outside (left)) and through |
| 40 |
> the Inner Router (which has a dynamic IP on the outside (left) obtained via |
| 41 |
> DHCP)). Is that correct? |
| 42 |
|
| 43 |
Yes. And the Client also has static IP. Moreover, both OR and IR have static |
| 44 |
IPs from the inside. So, the Host can make a connection request to the Client. |
| 45 |
The Host works as a remoted server and phisical access to it is costy. |
| 46 |
All administrating of the Host should be done through the Client. |
| 47 |
That is the reason for the need of VPN. |
| 48 |
|
| 49 |
> What sort of control does your friend have on the OR & IR? |
| 50 |
|
| 51 |
Absolutely no control on OR and some control on IR. But the phisical access |
| 52 |
to the IR is also costy and preferably should be done only once, |
| 53 |
during its setup. |
| 54 |
|
| 55 |
> Is NAT in use on either OR or IR? |
| 56 |
|
| 57 |
Yes. On both. |
| 58 |
|
| 59 |
> What sort of |
| 60 |
|
| 61 |
Sorry, but I do know nothing about different sorts of NAT. |
| 62 |
|
| 63 |
>> The computer in local network to be connected runs Windows. The said |
| 64 |
>> friend of mine have tried to run some VPN server from Windows but it somehow |
| 65 |
>> hangs the "inner" computer when his "outer" computer has problems connecting |
| 66 |
>> to the Internet. |
| 67 |
> |
| 68 |
> Are you saying that the Host in the diagram above is running Windows? Or are |
| 69 |
> you referring to a different system? |
| 70 |
|
| 71 |
Yes, the Host is running Windows. |
| 72 |
|
| 73 |
>> So, now his idea is |
| 74 |
>> 1) to run a virtual machine in the "inner" (Windows) computer, |
| 75 |
>> 2) to install into this virtual machine very lightweight Linux server only |
| 76 |
>> to run in it a VPN-server that should help him to connect from the outside |
| 77 |
>> to the "inner" host (Windows) computer, which has its fixed IP within the |
| 78 |
>> inner local network. |
| 79 |
> |
| 80 |
> The VM may or may not be needed. |
| 81 |
|
| 82 |
I agree. The first attempt that will be done is to try to use a different VPN |
| 83 |
server on Windows Host directly. |
| 84 |
|
| 85 |
> Assuming that NAT is in play on OR and IR (worst case), then just about |
| 86 |
> /any/ form of VPN initiating from the outside will be fraught with uphill |
| 87 |
> battles. |
| 88 |
|
| 89 |
As far as I understand, the connection would be initiated from the Host. |
| 90 |
|
| 91 |
> It is likely possible that your friend can reconfigure both OR and IR to |
| 92 |
> forward a port from the Internet to Host. But that will likely mean that IR |
| 93 |
> will need to have a static IP on it's outside interface. - I'm guessing |
| 94 |
> this can't be done or that it would have already been done. |
| 95 |
|
| 96 |
Yes, there is absolutely no control over OR, and IR can only obtain |
| 97 |
its IP via DHCP. |
| 98 |
|
| 99 |
> I think that your friend's best bet is to have the IR initiate an outbound |
| 100 |
> VPN to something on the Internet that the Client can then initate |
| 101 |
> connections to. (I'm happily using a $5/month Linode VPS to do this.) |
| 102 |
|
| 103 |
Oh, we completely overlooked the possibility to set up VPN server |
| 104 |
directly on IR! |
| 105 |
|
| 106 |
Thank you for the idea! |
| 107 |
|
| 108 |
Hopefully, this VPN server won't hang the IR as it did with the Host. |
| 109 |
|
| 110 |
As to the third party VPN services, we would like to avoid them. |
| 111 |
The Client is run all the time and the problem arise only when it |
| 112 |
loses the Internet connection. |
| 113 |
|
| 114 |
> There may be ways to make this work without having the Host initiate |
| 115 |
> outbound connections, but I'm not sure what they would be. |
| 116 |
> |
| 117 |
> As for which VPN, a number of people like OpenVPN. I personally prefer |
| 118 |
> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN. (I've got SSH |
| 119 |
> exposed already, so it's one less port to expose.) I see a number of people |
| 120 |
> bragging about WireGuard. Of course there are the old PPTP / L2TP / IPSec, |
| 121 |
> though I would avoid them for this install. I'm sure there are a number of |
| 122 |
> other VPN technologies that I'm not thinking of. |
| 123 |
> |
| 124 |
> I'm using OpenSSH's VPN feature between an inside client machine to an |
| 125 |
> external Linode VPS that functions as a midway rondevu point. |
| 126 |
|
| 127 |
Thank you for your recomendations. I just pass them to the friend of mine |
| 128 |
(so that not to dig into the details :). |
Archives