| 1 |
2018-04-05 2:03 GMT+03:00 Mick <michaelkintzios@×××××.com>: |
| 2 |
> On Wednesday, 4 April 2018 23:02:20 BST Grant Taylor wrote: |
| 3 |
>> On 04/04/2018 02:18 PM, gevisz wrote: |
| 4 |
>> > A friend of mine asked me to recommend him an open-source VPN-server |
| 5 |
>> > for Linux but unfortunately I never used one. |
| 6 |
>> |
| 7 |
>> That's a loaded ask. |
| 8 |
>> |
| 9 |
>> > After some googling, I have found OpenVPN but do not know if it is the |
| 10 |
>> > best choice that suits his purposes, namely to access local network that |
| 11 |
>> > does not have its own fixed IP from the outside. |
| 12 |
>> |
| 13 |
>> Okay.... |
| 14 |
> |
| 15 |
> This may be solvable, if the public facing gateway can be configured to |
| 16 |
> forward the requisite ports/protocols to the LAN where the host is located. |
| 17 |
|
| 18 |
If you mean port forfarding from OR to IR and then to the Host, it is impossible |
| 19 |
because we have no control over OR. |
| 20 |
|
| 21 |
>> > To be more precise: the local network to be accessed to from the outside |
| 22 |
>> > is part of another local network. The latter (outer) network has its |
| 23 |
>> > own fixed IP but the former (inner) network gets its IP via DHCP. So, |
| 24 |
>> > it is impossible to connect to a computer in the inner network from the |
| 25 |
>> > outside directly. |
| 26 |
>> |
| 27 |
>> Is this toplolgy accurate? |
| 28 |
>> |
| 29 |
>> (Client)---(Internet)---(OR)---(IR)---(Host) |
| 30 |
> |
| 31 |
> The OR can port forward the incoming VPN connection to the IR. The IR can |
| 32 |
> then act as a VPN gateway for the inner LAN. |
| 33 |
|
| 34 |
No, port forwarding from the OR to the IR is impossible. |
| 35 |
|
| 36 |
>> I'm guessing that your friend (client) wants to access something (host) |
| 37 |
>> on the inner network. But to do so requires passing through the |
| 38 |
>> Internet through Outer Router (with a static IP on the outside (left)) |
| 39 |
>> and through the Inner Router (which has a dynamic IP on the outside |
| 40 |
>> (left) obtained via DHCP)). Is that correct? |
| 41 |
>> |
| 42 |
>> What sort of control does your friend have on the OR & IR? |
| 43 |
>> |
| 44 |
>> Is NAT in use on either OR or IR? |
| 45 |
>> |
| 46 |
>> What sort of |
| 47 |
>> |
| 48 |
>> > The computer in local network to be connected runs Windows. The said |
| 49 |
>> > friend of mine have tried to run some VPN server from Windows but it |
| 50 |
>> > somehow hangs the "inner" computer when his "outer" computer has problems |
| 51 |
>> > connecting to the Internet. |
| 52 |
>> |
| 53 |
>> Are you saying that the Host in the diagram above is running Windows? |
| 54 |
>> Or are you referring to a different system? |
| 55 |
>> |
| 56 |
>> > So, now his idea is |
| 57 |
>> > 1) to run a virtual machine in the "inner" (Windows) computer, |
| 58 |
>> > 2) to install into this virtual machine very lightweight Linux server |
| 59 |
>> > only to run in it a VPN-server that should help him to connect from the |
| 60 |
>> > outside to the "inner" host (Windows) computer, which has its fixed IP |
| 61 |
>> > within the inner local network. |
| 62 |
>> |
| 63 |
>> The VM may or may not be needed. |
| 64 |
>> |
| 65 |
>> Assuming that NAT is in play on OR and IR (worst case), then just about |
| 66 |
>> /any/ form of VPN initiating from the outside will be fraught with |
| 67 |
>> uphill battles. |
| 68 |
>> |
| 69 |
>> It is likely possible that your friend can reconfigure both OR and IR to |
| 70 |
>> forward a port from the Internet to Host. But that will likely mean |
| 71 |
>> that IR will need to have a static IP on it's outside interface. - I'm |
| 72 |
>> guessing this can't be done or that it would have already been done. |
| 73 |
>> |
| 74 |
>> I think that your friend's best bet is to have the IR initiate an |
| 75 |
>> outbound VPN to something on the Internet that the Client can then |
| 76 |
>> initate connections to. (I'm happily using a $5/month Linode VPS to do |
| 77 |
>> this.) |
| 78 |
>> |
| 79 |
>> There may be ways to make this work without having the Host initiate |
| 80 |
>> outbound connections, but I'm not sure what they would be. |
| 81 |
>> |
| 82 |
>> As for which VPN, a number of people like OpenVPN. I personally prefer |
| 83 |
>> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN. (I've got |
| 84 |
>> SSH exposed already, so it's one less port to expose.) I see a number |
| 85 |
>> of people bragging about WireGuard. Of course there are the old PPTP / |
| 86 |
>> L2TP / IPSec, though I would avoid them for this install. I'm sure |
| 87 |
>> there are a number of other VPN technologies that I'm not thinking of. |
| 88 |
> |
| 89 |
> PPTP has been insecure for years and best be avoided. |
| 90 |
> |
| 91 |
> L2TP within IPSec is OK, but check what crypto the MSWindows uses. Last time |
| 92 |
> I looked Win7 was not strong enough. |
| 93 |
> |
| 94 |
> IKEv2 + IPSec with strong crypto for both, is my personal preference for |
| 95 |
> gateway-to-gateway VPNs. |
| 96 |
> |
| 97 |
> MSWindows also has SSTP (because MSoft had to create their own clone of |
| 98 |
> OpenVPN). I think there's a Linux VPN client which will work with that: |
| 99 |
> |
| 100 |
> net-misc/sstp-client |
| 101 |
> |
| 102 |
> but have never tried it. |
| 103 |
> |
| 104 |
> Of course, if the above network topology suggested by Grant is correct, then |
| 105 |
> you will likely be limited by whatever VPN software comes with IR. |
| 106 |
> |
| 107 |
> In all cases, make sure you use TLS RSA/SHA2 certificates for both client and |
| 108 |
> VPN gateway authentication. |
| 109 |
> |
| 110 |
> Finally, check out Wireguard. It was designed from the ground up to overcome |
| 111 |
> the complexity of previous VPN solutions. I have not tried it out yet, but |
| 112 |
> will be next time I have to set up a VPN tunnel with a non-legacy router. |
| 113 |
|
| 114 |
Thank you. I will just forward these your adviced to the friend. |
Archives