On Wednesday, 4 April 2018 23:02:20 BST Grant Taylor wrote:
> On 04/04/2018 02:18 PM, gevisz wrote:
> > A friend of mine asked me to recommend him an open-source VPN-server
> > for Linux but unfortunately I never used one.
>
> That's a loaded ask.
>
> > After some googling, I have found OpenVPN but do not know if it is the
> > best choice that suits his purposes, namely to access local network that
> > does not have its own fixed IP from the outside.
>
> Okay....

This may be solvable, if the public facing gateway can be configured to
forward the requisite ports/protocols to the LAN where the host is located.

> > To be more precise: the local network to be accessed from the outside
> > is part of another local network. The latter (outer) network has its
> > own fixed IP but the former (inner) network gets its IP via DHCP. So,
> > it is impossible to connect to a computer in the inner network from the
> > outside directly.
>
> Is this topology accurate?
>
> (Client)---(Internet)---(OR)---(IR)---(Host)

The OR can port forward the incoming VPN connection to the IR. The IR can
then act as a VPN gateway for the inner LAN.

> I'm guessing that your friend (client) wants to access something (host)
> on the inner network. But to do so requires passing through the
> Internet through Outer Router (with a static IP on the outside (left))
> and through the Inner Router (which has a dynamic IP on the outside
> (left) obtained via DHCP). Is that correct?
>
> What sort of control does your friend have on the OR & IR?
>
> Is NAT in use on either OR or IR?
>
> What sort of
>
> > The computer in local network to be connected runs Windows. The said
> > friend of mine has tried to run some VPN server from Windows but it
> > somehow hangs the "inner" computer when his "outer" computer has problems
> > connecting to the Internet.
>
> Are you saying that the Host in the diagram above is running Windows?
> Or are you referring to a different system?
>
> > So, now his idea is
> > 1) to run a virtual machine in the "inner" (Windows) computer,
> > 2) to install into this virtual machine a very lightweight Linux server
> > only to run in it a VPN-server that should help him to connect from the
> > outside to the "inner" host (Windows) computer, which has its fixed IP
> > within the inner local network.
>
> The VM may or may not be needed.
>
> Assuming that NAT is in play on OR and IR (worst case), then just about
> /any/ form of VPN initiating from the outside will be fraught with
> uphill battles.
>
> It is likely possible that your friend can reconfigure both OR and IR to
> forward a port from the Internet to Host. But that will likely mean
> that IR will need to have a static IP on its outside interface. - I'm
> guessing this can't be done or that it would have already been done.
>
> I think that your friend's best bet is to have the IR initiate an
> outbound VPN to something on the Internet that the Client can then
> initiate connections to. (I'm happily using a $5/month Linode VPS to do
> this.)
>
> There may be ways to make this work without having the Host initiate
> outbound connections, but I'm not sure what they would be.
>
> As for which VPN, a number of people like OpenVPN. I personally prefer
> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN. (I've got
> SSH exposed already, so it's one less port to expose.) I see a number
> of people bragging about WireGuard. Of course there are the old PPTP /
> L2TP / IPSec, though I would avoid them for this install. I'm sure
> there are a number of other VPN technologies that I'm not thinking of.

PPTP has been insecure for years and is best avoided.

L2TP within IPSec is OK, but check what crypto the MSWindows uses. Last time
I looked Win7 was not strong enough.

IKEv2 + IPSec with strong crypto for both is my personal preference for
gateway-to-gateway VPNs.

MSWindows also has SSTP (because MSoft had to create their own clone of
OpenVPN). I think there's a Linux VPN client which will work with that:

net-misc/sstp-client

but I have never tried it.

Of course, if the above network topology suggested by Grant is correct, then
you will likely be limited by whatever VPN software comes with IR.

In all cases, make sure you use TLS RSA/SHA2 certificates for both client and
VPN gateway authentication.

Finally, check out WireGuard. It was designed from the ground up to overcome
the complexity of previous VPN solutions. I have not tried it out yet, but
will be next time I have to set up a VPN tunnel with a non-legacy router.

-- 
Regards,
Mick
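The layout Grant suggests (the inner side dials out to a small VPS, and the client connects to that VPS rather than to the double-NATed LAN) written out as WireGuard configuration, the option Mick points to at the end. This is an added example, not a configuration from the thread; the hostname vps.example.net, the 10.99.0.0/24 tunnel range, the 192.168.50.0/24 inner LAN, the eth0 LAN interface and the bracketed keys are placeholders.

```ini
# --- Hub: the VPS with a fixed public IP (/etc/wireguard/wg0.conf on the VPS) ---
# All keys, names and address ranges are constructed placeholders.
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>
# The hub forwards between the two spokes; nothing else needs to listen on it.
PostUp = sysctl -w net.ipv4.ip_forward=1

# Spoke inside the inner LAN (behind OR and IR). It always dials out to us,
# so the hub never needs a route into the dynamic-IP network.
[Peer]
PublicKey = <INNER_SPOKE_PUBLIC_KEY>
AllowedIPs = 10.99.0.2/32, 192.168.50.0/24   # its tunnel IP plus the inner LAN it fronts

# The friend's roaming client.
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.99.0.3/32

# --- Inner spoke: the Linux box or VM on the inner LAN (wg0.conf there) ---
[Interface]
Address = 10.99.0.2/24
PrivateKey = <INNER_SPOKE_PRIVATE_KEY>
# No ListenPort: this side only initiates, so no port forward is needed on OR or IR.
# Forward traffic arriving from the tunnel onto the LAN, and masquerade it so the
# Windows host replies to this box without needing a route for 10.99.0.0/24.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = vps.example.net:51820
AllowedIPs = 10.99.0.0/24
# Outbound keepalive every 25 s holds the NAT mappings on OR and IR open, so the
# hub can send packets back through both NATs even though IR's address changes.
PersistentKeepalive = 25

# --- Client: the friend's laptop, wherever it is ---
[Interface]
Address = 10.99.0.3/24
PrivateKey = <CLIENT_PRIVATE_KEY>

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = vps.example.net:51820
# Route the inner LAN via the hub; the hub's AllowedIPs for the spoke relay it on.
AllowedIPs = 10.99.0.0/24, 192.168.50.0/24
```

Because the spoke's only exposure is its own outbound UDP flow, neither OR nor IR needs an inbound rule; the hub's firewall only has to admit UDP/51820.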