2018-04-05 2:03 GMT+03:00 Mick <michaelkintzios@×××××.com>:
> On Wednesday, 4 April 2018 23:02:20 BST Grant Taylor wrote:
>> On 04/04/2018 02:18 PM, gevisz wrote:
>> > A friend of mine asked me to recommend him an open-source VPN server
>> > for Linux, but unfortunately I have never used one.
>>
>> That's a loaded ask.
>>
>> > After some googling, I have found OpenVPN but do not know if it is the
>> > best choice that suits his purposes, namely to access a local network that
>> > does not have its own fixed IP from the outside.
>>
>> Okay....
>
> This may be solvable, if the public facing gateway can be configured to
> forward the requisite ports/protocols to the LAN where the host is located.

If you mean port forwarding from OR to IR and then to the Host, it is impossible
because we have no control over OR.

>> > To be more precise: the local network to be accessed from the outside
>> > is part of another local network. The latter (outer) network has its
>> > own fixed IP but the former (inner) network gets its IP via DHCP. So,
>> > it is impossible to connect to a computer in the inner network from the
>> > outside directly.
>>
>> Is this topology accurate?
>>
>> (Client)---(Internet)---(OR)---(IR)---(Host)
>
> The OR can port forward the incoming VPN connection to the IR. The IR can
> then act as a VPN gateway for the inner LAN.

No, port forwarding from the OR to the IR is impossible.

>> I'm guessing that your friend (client) wants to access something (host)
>> on the inner network. But to do so requires passing through the
>> Internet through Outer Router (with a static IP on the outside (left))
>> and through the Inner Router (which has a dynamic IP on the outside
>> (left) obtained via DHCP)). Is that correct?
>>
>> What sort of control does your friend have on the OR & IR?
>>
>> Is NAT in use on either OR or IR?
>>
>> What sort of
>>
>> > The computer in the local network to be connected to runs Windows. The said
>> > friend of mine has tried to run some VPN server from Windows, but it
>> > somehow hangs the "inner" computer when his "outer" computer has problems
>> > connecting to the Internet.
>>
>> Are you saying that the Host in the diagram above is running Windows?
>> Or are you referring to a different system?
>>
>> > So, now his idea is
>> > 1) to run a virtual machine in the "inner" (Windows) computer,
>> > 2) to install into this virtual machine a very lightweight Linux server
>> > only to run in it a VPN server that should help him to connect from the
>> > outside to the "inner" host (Windows) computer, which has its fixed IP
>> > within the inner local network.
>>
>> The VM may or may not be needed.
>>
>> Assuming that NAT is in play on OR and IR (worst case), then just about
>> /any/ form of VPN initiating from the outside will be fraught with
>> uphill battles.
>>
>> It is likely possible that your friend can reconfigure both OR and IR to
>> forward a port from the Internet to Host. But that will likely mean
>> that IR will need to have a static IP on its outside interface. - I'm
>> guessing this can't be done or that it would have already been done.
>>
>> I think that your friend's best bet is to have the IR initiate an
>> outbound VPN to something on the Internet that the Client can then
>> initiate connections to. (I'm happily using a $5/month Linode VPS to do
>> this.)
>>
>> There may be ways to make this work without having the Host initiate
>> outbound connections, but I'm not sure what they would be.
>>
>> As for which VPN, a number of people like OpenVPN. I personally prefer
>> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN. (I've got
>> SSH exposed already, so it's one less port to expose.) I see a number
>> of people bragging about WireGuard. Of course there are the old PPTP /
>> L2TP / IPSec, though I would avoid them for this install. I'm sure
>> there are a number of other VPN technologies that I'm not thinking of.
>
> PPTP has been insecure for years and is best avoided.
>
> L2TP within IPSec is OK, but check what crypto MSWindows uses. Last time
> I looked Win7 was not strong enough.
>
> IKEv2 + IPSec with strong crypto for both is my personal preference for
> gateway-to-gateway VPNs.
>
> MSWindows also has SSTP (because MSoft had to create their own clone of
> OpenVPN). I think there's a Linux VPN client which will work with that:
>
> net-misc/sstp-client
>
> but I have never tried it.
>
> Of course, if the above network topology suggested by Grant is correct, then
> you will likely be limited by whatever VPN software comes with IR.
>
> In all cases, make sure you use TLS RSA/SHA2 certificates for both client and
> VPN gateway authentication.
>
> Finally, check out Wireguard. It was designed from the ground up to overcome
> the complexity of previous VPN solutions. I have not tried it out yet, but
> will be next time I have to set up a VPN tunnel with a non-legacy router.

Thank you. I will just forward your advice to the friend.
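The "dial out to a VPS" topology Grant describes, combined with Mick's WireGuard suggestion, as an added example that is not part of this thread and not anyone's posted configuration. It assumes three machines: a VPS hub with public IP 203.0.113.10, a Linux VM on the Windows host with a bridged NIC (eth0) on the inner LAN 192.168.1.0/24, and the friend's laptop. The tunnel subnet 10.8.0.0/24, the interface names and all `<...>` keys are placeholders to be replaced with values from `wg genkey` / `wg pubkey`. The point of the layout is that neither OR nor IR needs a port forward: the VM only ever sends outbound UDP, and `PersistentKeepalive` keeps that NAT mapping alive in both routers so the hub can push traffic back through it.

```ini
# ===== 1. VPS hub: /etc/wireguard/wg0.conf =====
# Added example, not from the thread. 203.0.113.10, 10.8.0.0/24,
# 192.168.1.0/24 and every <KEY> are placeholders.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Client-to-LAN packets arrive on wg0 and leave on wg0 again, so the hub
# must route between peers; wg-quick runs this when the interface comes up.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# The Linux VM behind OR+IR. Deliberately no Endpoint: the hub cannot reach
# it, so it must dial in first. AllowedIPs doubles as the route for the
# inner LAN and as the source filter for packets coming from this peer.
PublicKey = <INNER_VM_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

[Peer]
# The friend's roaming laptop. Also no fixed Endpoint.
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# ===== 2. Linux VM on the inner Windows host: /etc/wireguard/wg0.conf =====
[Interface]
Address = 10.8.0.2/24
PrivateKey = <INNER_VM_PRIVATE_KEY>
# Forward tunnel traffic onto the LAN and masquerade it behind the VM's LAN
# address, so the Windows host (e.g. 192.168.1.50) needs no route back to
# 10.8.0.0/24. eth0 is the VM's bridged NIC (assumed name).
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820
# Only the tunnel subnet goes through the hub; LAN traffic stays local.
AllowedIPs = 10.8.0.0/24
# Send a keepalive every 25 s so OR and IR keep the outbound UDP mapping
# open; without this the hub's packets would be dropped at the first NAT
# once the mapping expires.
PersistentKeepalive = 25

# ===== 3. Friend's laptop (client): wg0.conf =====
[Interface]
Address = 10.8.0.3/24
PrivateKey = <CLIENT_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820
# Route both the tunnel subnet and the inner LAN via the hub, so
# 192.168.1.50 is reachable as if the laptop were on the inner network.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

Bring each side up with `wg-quick up wg0` (hub first, then the VM, then the client) and check `wg show` on the hub: the VM peer should show a recent handshake and an endpoint that is OR's public address, which confirms the tunnel was established from the inside out. Two caveats a practitioner should check: the VM must be in bridged (not host-only/NAT) mode so it has a real 192.168.1.x address and can talk to the Windows host, and if either router filters outbound UDP the hub's `ListenPort` can be moved to a port that is allowed out, since WireGuard does not care which port it uses.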