On 04/04/2018 02:18 PM, gevisz wrote:
> A friend of mine asked me to recommend him an open-source VPN-server
> for Linux but unfortunately I never used one.
|
That's a loaded ask.
|
> After some googling, I have found OpenVPN but do not know if it is the
> best choice that suits his purposes, namely to access local network that
> does not have its own fixed IP from the outside.
|
Okay....
|
> To be more precise: the local network to be accessed from the outside
> is part of another local network. The latter (outer) network has its
> own fixed IP but the former (inner) network gets its IP via DHCP. So,
> it is impossible to connect to a computer in the inner network from the
> outside directly.
|
Is this topology accurate?
|
(Client)---(Internet)---(OR)---(IR)---(Host)
|
I'm guessing that your friend (client) wants to access something (host)
on the inner network. But to do so requires passing through the
Internet through Outer Router (with a static IP on the outside (left))
and through the Inner Router (which has a dynamic IP on the outside
(left) obtained via DHCP). Is that correct?
|
What sort of control does your friend have on the OR & IR?
|
Is NAT in use on either OR or IR?
|
What sort of
|
> The computer in local network to be connected runs Windows. The said
> friend of mine has tried to run some VPN server from Windows but it
> somehow hangs the "inner" computer when his "outer" computer has problems
> connecting to the Internet.
|
Are you saying that the Host in the diagram above is running Windows?
Or are you referring to a different system?
|
> So, now his idea is
> 1) to run a virtual machine in the "inner" (Windows) computer,
> 2) to install into this virtual machine very lightweight Linux server
> only to run in it a VPN-server that should help him to connect from the
> outside to the "inner" host (Windows) computer, which has its fixed IP
> within the inner local network.
|
The VM may or may not be needed.
|
Assuming that NAT is in play on OR and IR (worst case), then just about
/any/ form of VPN initiating from the outside will be fraught with
uphill battles.
|
It is likely possible that your friend can reconfigure both OR and IR to
forward a port from the Internet to Host. But that will likely mean
that IR will need to have a static IP on its outside interface. - I'm
guessing this can't be done or that it would have already been done.
|
I think that your friend's best bet is to have the IR initiate an
outbound VPN to something on the Internet that the Client can then
initiate connections to. (I'm happily using a $5/month Linode VPS to do
this.)
|
There may be ways to make this work without having the Host initiate
outbound connections, but I'm not sure what they would be.
|
As for which VPN, a number of people like OpenVPN. I personally prefer
OpenSSH's ability to do a routed (L3) (or bridged L2) VPN. (I've got
SSH exposed already, so it's one less port to expose.) I see a number
of people bragging about WireGuard. Of course there are the old PPTP /
L2TP / IPSec, though I would avoid them for this install. I'm sure
there are a number of other VPN technologies that I'm not thinking of.
|
I'm using OpenSSH's VPN feature between an inside client machine to an
external Linode VPS that functions as a midway rendezvous point.
|
--
Grant. . . .
unix || die