2018-04-05 1:02 GMT+03:00 Grant Taylor <gtaylor@×××××××××××××××××××××.net>:

> On 04/04/2018 02:18 PM, gevisz wrote:
>>
>> A friend of mine asked me to recommend him an open-source VPN-server for
>> Linux but unfortunately I have never used one.
>
> That's a loaded ask.

I just tried to point to the facts that
1) I know much less about VPNs than I would have to before asking such a
question for myself,
2) There is, so to speak, a "distributed competence":
The friend of mine is competent mostly in Windows and is a novice
in Linux, whereas I have used Linux since the death of MS DOS 6.22 and
know almost nothing about Windows
(if I need some help with Windows, I just call the friend and ask
where exactly I should point and click :).

>> After some googling, I have found OpenVPN but do not know if it is the
>> best choice that suits his purposes, namely to access a local network that
>> does not have its own fixed IP from the outside.
>
> Okay....
>
>> To be more precise: the local network to be accessed from the outside
>> is part of another local network. The latter (outer) network has its own
>> fixed IP but the former (inner) network gets its IP via DHCP. So, it is
>> impossible to connect to a computer in the inner network from the outside
>> directly.
>
> Is this topology accurate?
>
> (Client)---(Internet)---(OR)---(IR)---(Host)
>
> I'm guessing that your friend (client) wants to access something (host) on
> the inner network. But to do so requires passing through the Internet
> through Outer Router (with a static IP on the outside (left)) and through
> the Inner Router (which has a dynamic IP on the outside (left) obtained via
> DHCP)). Is that correct?

Yes. And the Client also has a static IP. Moreover, both OR and IR have static
IPs on the inside. So, the Host can make a connection request to the Client.
The Host works as a remote server and physical access to it is costly.
All administration of the Host should be done through the Client.
That is the reason for the need of a VPN.

> What sort of control does your friend have on the OR & IR?

Absolutely no control over OR and some control over IR. But physical access
to the IR is also costly and preferably should be done only once,
during its setup.

> Is NAT in use on either OR or IR?

Yes. On both.

> What sort of

Sorry, but I know nothing about the different sorts of NAT.

>> The computer in the local network to be connected to runs Windows. The said
>> friend of mine has tried to run some VPN server on Windows but it somehow
>> hangs the "inner" computer when his "outer" computer has problems connecting
>> to the Internet.
>
> Are you saying that the Host in the diagram above is running Windows? Or are
> you referring to a different system?

Yes, the Host is running Windows.

>> So, now his idea is
>> 1) to run a virtual machine on the "inner" (Windows) computer,
>> 2) to install into this virtual machine a very lightweight Linux server only
>> to run in it a VPN-server that should help him to connect from the outside
>> to the "inner" host (Windows) computer, which has its fixed IP within the
>> inner local network.
>
> The VM may or may not be needed.

I agree. The first attempt that will be made is to try to use a different VPN
server on the Windows Host directly.

> Assuming that NAT is in play on OR and IR (worst case), then just about
> /any/ form of VPN initiating from the outside will be fraught with uphill
> battles.

As far as I understand, the connection would be initiated from the Host.

> It is likely possible that your friend can reconfigure both OR and IR to
> forward a port from the Internet to Host. But that will likely mean that IR
> will need to have a static IP on its outside interface. - I'm guessing
> this can't be done or that it would have already been done.

Yes, there is absolutely no control over OR, and IR can only obtain
its IP via DHCP.

> I think that your friend's best bet is to have the IR initiate an outbound
> VPN to something on the Internet that the Client can then initiate
> connections to. (I'm happily using a $5/month Linode VPS to do this.)

Oh, we completely overlooked the possibility of setting up the VPN server
directly on the IR!

Thank you for the idea!

Hopefully, this VPN server won't hang the IR as it did the Host.

As to third-party VPN services, we would like to avoid them.
The Client runs all the time and the problem arises only when it
loses its Internet connection.

> There may be ways to make this work without having the Host initiate
> outbound connections, but I'm not sure what they would be.
>
> As for which VPN, a number of people like OpenVPN. I personally prefer
> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN. (I've got SSH
> exposed already, so it's one less port to expose.) I see a number of people
> bragging about WireGuard. Of course there are the old PPTP / L2TP / IPSec,
> though I would avoid them for this install. I'm sure there are a number of
> other VPN technologies that I'm not thinking of.
>
> I'm using OpenSSH's VPN feature between an inside client machine and an
> external Linode VPS that functions as a midway rendezvous point.

Thank you for your recommendations. I will just pass them on to the friend of
mine (so as not to dig into the details :).
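An added example, not code from this thread or from either poster: the outbound-rendezvous design Grant describes, with the IR dialling out to a VPS over OpenSSH's layer-3 tunnel and a supervising loop so a lost uplink is re-dialled instead of leaving a hung session. The VPS host name, user, key path and the 10.99.0.0/30 addressing are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from either poster. The inner
# router (IR) dials OUT to a rendezvous VPS over OpenSSH's layer-3 tunnel
# (ssh -w), so neither OR nor IR needs an inbound port or a static address;
# the Client then reaches the Host via the VPS. Host name, user, key path
# and the 10.99.0.0/30 addressing are assumed placeholders. The VPS sshd
# must have "PermitTunnel point-to-point" and configure its own tun end
# (e.g. via a command= restriction on the IR's key in authorized_keys).
VPS_HOST="${VPS_HOST:-vps.example.invalid}"
VPS_USER="${VPS_USER:-irtunnel}"
KEY="${KEY:-/etc/vpn/ir_tunnel_key}"
LOCAL_TUN=0                  # tun0 on the IR
REMOTE_TUN=0                 # tun0 on the VPS
IR_TUN_ADDR="10.99.0.2/30"
VPS_TUN_ADDR="10.99.0.1"

# Assemble the client command. Keepalives make a dead uplink fail in about
# 45 s instead of leaving a half-open session (the "hang" seen on the Host),
# BatchMode stops a prompt from blocking an unattended start, and
# ExitOnForwardFailure aborts if the VPS cannot create its tun device.
build_ssh_cmd() {
  opts="-o Tunnel=point-to-point -o BatchMode=yes -o StrictHostKeyChecking=yes"
  opts="$opts -o ExitOnForwardFailure=yes -o ServerAliveInterval=15"
  opts="$opts -o ServerAliveCountMax=3 -o PermitLocalCommand=yes"
  opts="$opts -o LocalCommand='ip addr add $IR_TUN_ADDR peer $VPS_TUN_ADDR dev tun$LOCAL_TUN && ip link set tun$LOCAL_TUN up'"
  printf '%s' "ssh -N -w $LOCAL_TUN:$REMOTE_TUN $opts -i $KEY $VPS_USER@$VPS_HOST"
}

# Exponential backoff for re-dials, capped so a long outage does not turn
# into an hour-long wait once the uplink is back.
next_delay() {
  d=$(( $1 * 2 ))
  [ "$d" -gt 300 ] && d=300
  echo "$d"
}

# Supervise the tunnel: ssh exits when keepalives fail, the loop re-dials.
# A session that stayed up for over a minute resets the backoff.
run_tunnel() {
  delay=5
  while :; do
    start=$(date +%s)
    eval "$(build_ssh_cmd)"
    [ $(( $(date +%s) - start )) -gt 60 ] && delay=5
    logger -t ir-tunnel "tunnel down, re-dialling in ${delay}s"
    sleep "$delay"
    delay=$(next_delay "$delay")
  done
}

if [ "${1:-}" = "run" ]; then run_tunnel; fi
```

Start it from the IR's init system with the argument `run`; once both tun ends are addressed, the VPS can route the Client's traffic to the Host over 10.99.0.2.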