| 1 |
On Wednesday, 4 April 2018 23:02:20 BST Grant Taylor wrote: |
| 2 |
> On 04/04/2018 02:18 PM, gevisz wrote: |
| 3 |
> > A friend of mine asked me to recommend him an open-source VPN-server |
| 4 |
> > for Linux but unfortunately I never used one. |
| 5 |
> |
| 6 |
> That's a loaded ask. |
| 7 |
> |
| 8 |
> > After some googling, I have found OpenVPN but do not know if it is the |
| 9 |
> > best choice that suits his purposes, namely to access local network that |
| 10 |
> > does not have its own fixed IP from the outside. |
| 11 |
> |
| 12 |
> Okay.... |
| 13 |
|
| 14 |
This may be solvable, if the public facing gateway can be configured to |
| 15 |
forward the requisite ports/protocols to the LAN where the host is located. |
| 16 |
|
| 17 |
|
| 18 |
> > To be more precise: the local network to be accessed to from the outside |
| 19 |
> > is part of another local network. The latter (outer) network has its |
| 20 |
> > own fixed IP but the former (inner) network gets its IP via DHCP. So, |
| 21 |
> > it is impossible to connect to a computer in the inner network from the |
| 22 |
> > outside directly. |
| 23 |
> |
| 24 |
> Is this toplolgy accurate? |
| 25 |
> |
| 26 |
> (Client)---(Internet)---(OR)---(IR)---(Host) |
| 27 |
|
| 28 |
The OR can port forward the incoming VPN connection to the IR. The IR can |
| 29 |
then act as a VPN gateway for the inner LAN. |
| 30 |
|
| 31 |
|
| 32 |
> I'm guessing that your friend (client) wants to access something (host) |
| 33 |
> on the inner network. But to do so requires passing through the |
| 34 |
> Internet through Outer Router (with a static IP on the outside (left)) |
| 35 |
> and through the Inner Router (which has a dynamic IP on the outside |
| 36 |
> (left) obtained via DHCP)). Is that correct? |
| 37 |
> |
| 38 |
> What sort of control does your friend have on the OR & IR? |
| 39 |
> |
| 40 |
> Is NAT in use on either OR or IR? |
| 41 |
> |
| 42 |
> What sort of |
| 43 |
> |
| 44 |
> > The computer in local network to be connected runs Windows. The said |
| 45 |
> > friend of mine have tried to run some VPN server from Windows but it |
| 46 |
> > somehow hangs the "inner" computer when his "outer" computer has problems |
| 47 |
> > connecting to the Internet. |
| 48 |
> |
| 49 |
> Are you saying that the Host in the diagram above is running Windows? |
| 50 |
> Or are you referring to a different system? |
| 51 |
> |
| 52 |
> > So, now his idea is |
| 53 |
> > 1) to run a virtual machine in the "inner" (Windows) computer, |
| 54 |
> > 2) to install into this virtual machine very lightweight Linux server |
| 55 |
> > only to run in it a VPN-server that should help him to connect from the |
| 56 |
> > outside to the "inner" host (Windows) computer, which has its fixed IP |
| 57 |
> > within the inner local network. |
| 58 |
> |
| 59 |
> The VM may or may not be needed. |
| 60 |
> |
| 61 |
> Assuming that NAT is in play on OR and IR (worst case), then just about |
| 62 |
> /any/ form of VPN initiating from the outside will be fraught with |
| 63 |
> uphill battles. |
| 64 |
> |
| 65 |
> It is likely possible that your friend can reconfigure both OR and IR to |
| 66 |
> forward a port from the Internet to Host. But that will likely mean |
| 67 |
> that IR will need to have a static IP on it's outside interface. - I'm |
| 68 |
> guessing this can't be done or that it would have already been done. |
| 69 |
> |
| 70 |
> I think that your friend's best bet is to have the IR initiate an |
| 71 |
> outbound VPN to something on the Internet that the Client can then |
| 72 |
> initate connections to. (I'm happily using a $5/month Linode VPS to do |
| 73 |
> this.) |
| 74 |
> |
| 75 |
> There may be ways to make this work without having the Host initiate |
| 76 |
> outbound connections, but I'm not sure what they would be. |
| 77 |
> |
| 78 |
> As for which VPN, a number of people like OpenVPN. I personally prefer |
| 79 |
> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN. (I've got |
| 80 |
> SSH exposed already, so it's one less port to expose.) I see a number |
| 81 |
> of people bragging about WireGuard. Of course there are the old PPTP / |
| 82 |
> L2TP / IPSec, though I would avoid them for this install. I'm sure |
| 83 |
> there are a number of other VPN technologies that I'm not thinking of. |
| 84 |
|
| 85 |
PPTP has been insecure for years and best be avoided. |
| 86 |
|
| 87 |
L2TP within IPSec is OK, but check what crypto the MSWindows uses. Last time |
| 88 |
I looked Win7 was not strong enough. |
| 89 |
|
| 90 |
IKEv2 + IPSec with strong crypto for both, is my personal preference for |
| 91 |
gateway-to-gateway VPNs. |
| 92 |
|
| 93 |
MSWindows also has SSTP (because MSoft had to create their own clone of |
| 94 |
OpenVPN). I think there's a Linux VPN client which will work with that: |
| 95 |
|
| 96 |
net-misc/sstp-client |
| 97 |
|
| 98 |
but have never tried it. |
| 99 |
|
| 100 |
Of course, if the above network topology suggested by Grant is correct, then |
| 101 |
you will likely be limited by whatever VPN software comes with IR. |
| 102 |
|
| 103 |
In all cases, make sure you use TLS RSA/SHA2 certificates for both client and |
| 104 |
VPN gateway authentication. |
| 105 |
|
| 106 |
Finally, check out Wireguard. It was designed from the ground up to overcome |
| 107 |
the complexity of previous VPN solutions. I have not tried it out yet, but |
| 108 |
will be next time I have to set up a VPN tunnel with a non-legacy router. |
| 109 |
|
| 110 |
-- |
| 111 |
Regards, |
| 112 |
Mick |
Archives