| 1 |
On 04/04/2018 02:18 PM, gevisz wrote: |
| 2 |
> A friend of mine asked me to recommend him an open-source VPN-server |
| 3 |
> for Linux but unfortunately I never used one. |
| 4 |
|
| 5 |
That's a loaded ask. |
| 6 |
|
| 7 |
> After some googling, I have found OpenVPN but do not know if it is the |
| 8 |
> best choice that suits his purposes, namely to access local network that |
| 9 |
> does not have its own fixed IP from the outside. |
| 10 |
|
| 11 |
Okay.... |
| 12 |
|
| 13 |
> To be more precise: the local network to be accessed to from the outside |
| 14 |
> is part of another local network. The latter (outer) network has its |
| 15 |
> own fixed IP but the former (inner) network gets its IP via DHCP. So, |
| 16 |
> it is impossible to connect to a computer in the inner network from the |
| 17 |
> outside directly. |
| 18 |
|
| 19 |
Is this toplolgy accurate? |
| 20 |
|
| 21 |
(Client)---(Internet)---(OR)---(IR)---(Host) |
| 22 |
|
| 23 |
I'm guessing that your friend (client) wants to access something (host) |
| 24 |
on the inner network. But to do so requires passing through the |
| 25 |
Internet through Outer Router (with a static IP on the outside (left)) |
| 26 |
and through the Inner Router (which has a dynamic IP on the outside |
| 27 |
(left) obtained via DHCP)). Is that correct? |
| 28 |
|
| 29 |
What sort of control does your friend have on the OR & IR? |
| 30 |
|
| 31 |
Is NAT in use on either OR or IR? |
| 32 |
|
| 33 |
What sort of |
| 34 |
|
| 35 |
> The computer in local network to be connected runs Windows. The said |
| 36 |
> friend of mine have tried to run some VPN server from Windows but it |
| 37 |
> somehow hangs the "inner" computer when his "outer" computer has problems |
| 38 |
> connecting to the Internet. |
| 39 |
|
| 40 |
Are you saying that the Host in the diagram above is running Windows? |
| 41 |
Or are you referring to a different system? |
| 42 |
|
| 43 |
> So, now his idea is |
| 44 |
> 1) to run a virtual machine in the "inner" (Windows) computer, |
| 45 |
> 2) to install into this virtual machine very lightweight Linux server |
| 46 |
> only to run in it a VPN-server that should help him to connect from the |
| 47 |
> outside to the "inner" host (Windows) computer, which has its fixed IP |
| 48 |
> within the inner local network. |
| 49 |
|
| 50 |
The VM may or may not be needed. |
| 51 |
|
| 52 |
Assuming that NAT is in play on OR and IR (worst case), then just about |
| 53 |
/any/ form of VPN initiating from the outside will be fraught with |
| 54 |
uphill battles. |
| 55 |
|
| 56 |
It is likely possible that your friend can reconfigure both OR and IR to |
| 57 |
forward a port from the Internet to Host. But that will likely mean |
| 58 |
that IR will need to have a static IP on it's outside interface. - I'm |
| 59 |
guessing this can't be done or that it would have already been done. |
| 60 |
|
| 61 |
I think that your friend's best bet is to have the IR initiate an |
| 62 |
outbound VPN to something on the Internet that the Client can then |
| 63 |
initate connections to. (I'm happily using a $5/month Linode VPS to do |
| 64 |
this.) |
| 65 |
|
| 66 |
There may be ways to make this work without having the Host initiate |
| 67 |
outbound connections, but I'm not sure what they would be. |
| 68 |
|
| 69 |
As for which VPN, a number of people like OpenVPN. I personally prefer |
| 70 |
OpenSSH's ability to do a routed (L3) (or bridged L2) VPN. (I've got |
| 71 |
SSH exposed already, so it's one less port to expose.) I see a number |
| 72 |
of people bragging about WireGuard. Of course there are the old PPTP / |
| 73 |
L2TP / IPSec, though I would avoid them for this install. I'm sure |
| 74 |
there are a number of other VPN technologies that I'm not thinking of. |
| 75 |
|
| 76 |
I'm using OpenSSH's VPN feature between an inside client machine to an |
| 77 |
external Linode VPS that functions as a midway rondevu point. |
| 78 |
|
| 79 |
|
| 80 |
|
| 81 |
-- |
| 82 |
Grant. . . . |
| 83 |
unix || die |
Archives