In-Reply-To: <2011184.un5E44JopT@dell_xps>
References: <CA+t6X7f1u7X0Q376C1+PrP7mSjDmQU8fyLj9eh5ktXVF=Xm-cQ@mail.gmail.com>
 <bcdf80e9-1c92-db54-930b-411b86902552@spamtrap.tnetconsulting.net> <2011184.un5E44JopT@dell_xps>
From: gevisz <gevisz@gmail.com>
Date: Thu, 5 Apr 2018 12:57:48 +0300
Message-ID: <CA+t6X7e81ZsDf2=9W0QdVA2=MT=UW0ruCeiFwLEEzzXwNBecfA@mail.gmail.com>
Subject: Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
To: gentoo-user@lists.gentoo.org

2018-04-05 2:03 GMT+03:00 Mick <michaelkintzios@gmail.com>:
> On Wednesday, 4 April 2018 23:02:20 BST Grant Taylor wrote:
>> On 04/04/2018 02:18 PM, gevisz wrote:
>> > A friend of mine asked me to recommend him an open-source VPN-server
>> > for Linux but unfortunately I never used one.
>>
>> That's a loaded ask.
>>
>> > After some googling, I have found OpenVPN but do not know if it is the
>> > best choice that suits his purposes, namely to access a local network that
>> > does not have its own fixed IP from the outside.
>>
>> Okay....
>
> This may be solvable, if the public facing gateway can be configured to
> forward the requisite ports/protocols to the LAN where the host is located.

If you mean port forwarding from OR to IR and then to the Host, it is impossible
because we have no control over OR.

>> > To be more precise: the local network to be accessed from the outside
>> > is part of another local network. The latter (outer) network has its
>> > own fixed IP but the former (inner) network gets its IP via DHCP.  So,
>> > it is impossible to connect to a computer in the inner network from the
>> > outside directly.
>>
>> Is this topology accurate?
>>
>> (Client)---(Internet)---(OR)---(IR)---(Host)
>
> The OR can port forward the incoming VPN connection to the IR.  The IR can
> then act as a VPN gateway for the inner LAN.

No, port forwarding from the OR to the IR is impossible.

>> I'm guessing that your friend (client) wants to access something (host)
>> on the inner network.  But to do so requires passing through the
>> Internet through Outer Router (with a static IP on the outside (left))
>> and through the Inner Router (which has a dynamic IP on the outside
>> (left) obtained via DHCP)).  Is that correct?
>>
>> What sort of control does your friend have on the OR & IR?
>>
>> Is NAT in use on either OR or IR?
>>
>> What sort of
>>
>> > The computer in the local network to be connected to runs Windows.  The said
>> > friend of mine has tried to run some VPN server from Windows but it
>> > somehow hangs the "inner" computer when his "outer" computer has problems
>> > connecting to the Internet.
>>
>> Are you saying that the Host in the diagram above is running Windows?
>> Or are you referring to a different system?
>>
>> > So, now his idea is
>> > 1) to run a virtual machine in the "inner" (Windows) computer,
>> > 2) to install into this virtual machine a very lightweight Linux server
>> > only to run in it a VPN-server that should help him to connect from the
>> > outside to the "inner" host (Windows) computer, which has its fixed IP
>> > within the inner local network.
>>
>> The VM may or may not be needed.
>>
>> Assuming that NAT is in play on OR and IR (worst case), then just about
>> /any/ form of VPN initiating from the outside will be fraught with
>> uphill battles.
>>
>> It is likely possible that your friend can reconfigure both OR and IR to
>> forward a port from the Internet to Host.  But that will likely mean
>> that IR will need to have a static IP on its outside interface.  -  I'm
>> guessing this can't be done or that it would have already been done.
>>
>> I think that your friend's best bet is to have the IR initiate an
>> outbound VPN to something on the Internet that the Client can then
>> initiate connections to.  (I'm happily using a $5/month Linode VPS to do
>> this.)
>>
>> There may be ways to make this work without having the Host initiate
>> outbound connections, but I'm not sure what they would be.
>>
>> As for which VPN, a number of people like OpenVPN.  I personally prefer
>> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN.  (I've got
>> SSH exposed already, so it's one less port to expose.)  I see a number
>> of people bragging about WireGuard.  Of course there are the old PPTP /
>> L2TP / IPSec, though I would avoid them for this install.  I'm sure
>> there are a number of other VPN technologies that I'm not thinking of.
>
> PPTP has been insecure for years and best be avoided.
>
> L2TP within IPSec is OK, but check what crypto the MSWindows uses.  Last time
> I looked Win7 was not strong enough.
>
> IKEv2 + IPSec with strong crypto for both, is my personal preference for
> gateway-to-gateway VPNs.
>
> MSWindows also has SSTP (because MSoft had to create their own clone of
> OpenVPN).  I think there's a Linux VPN client which will work with that:
>
>  net-misc/sstp-client
>
> but have never tried it.
>
> Of course, if the above network topology suggested by Grant is correct, then
> you will likely be limited by whatever VPN software comes with IR.
>
> In all cases, make sure you use TLS RSA/SHA2 certificates for both client and
> VPN gateway authentication.
>
> Finally, check out Wireguard.  It was designed from the ground up to overcome
> the complexity of previous VPN solutions.  I have not tried it out yet, but
> will be next time I have to set up a VPN tunnel with a non-legacy router.

Thank you. I will just forward this advice of yours to the friend.
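As an added example (not taken from any message in this thread), this is what Grant's suggestion of having the Host initiate an outbound VPN to something on the Internet looks like with WireGuard, which Mick also recommends: a VPS with a public address is the meeting point, the Host behind OR and IR only ever dials out, and the Client reaches the Host through the VPS. The keys, the hostname vps.example.net and the 10.8.0.0/24 tunnel range are placeholders I chose, and the example assumes WireGuard runs on the Host itself (or in the VM, in which case a route for the inner LAN would still have to be added).

```ini
# ===== VPS with a public IP (the meeting point): /etc/wireguard/wg0.conf =====
# Needs net.ipv4.ip_forward=1 so traffic from one peer can be routed to the other.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>      # placeholder: output of `wg genkey`

# The Host behind OR and IR. No Endpoint here: it dials out, so the VPS learns
# its address (and the NAT mapping opened in OR/IR) from the first handshake.
[Peer]
PublicKey = <HOST_PUBLIC_KEY>       # placeholder
AllowedIPs = 10.8.0.2/32            # only this tunnel address is accepted from this key

# The roaming Client.
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>     # placeholder
AllowedIPs = 10.8.0.3/32

# ===== Host behind two NATs (or the VM on it): /etc/wireguard/wg0.conf =====
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOST_PRIVATE_KEY>     # placeholder

[Peer]
PublicKey = <VPS_PUBLIC_KEY>        # placeholder
Endpoint = vps.example.net:51820    # placeholder hostname of the VPS
AllowedIPs = 10.8.0.0/24            # accept traffic for the whole tunnel range from the VPS
PersistentKeepalive = 25            # keeps the outbound UDP mapping alive in OR and IR

# ===== Client (the friend's laptop): /etc/wireguard/wg0.conf =====
[Interface]
Address = 10.8.0.3/24
PrivateKey = <CLIENT_PRIVATE_KEY>   # placeholder

[Peer]
PublicKey = <VPS_PUBLIC_KEY>        # placeholder
Endpoint = vps.example.net:51820    # placeholder hostname of the VPS
AllowedIPs = 10.8.0.0/24            # route 10.8.0.2 (the Host) via the VPS
PersistentKeepalive = 25            # the Client may be behind NAT as well
```

Bring each side up with `wg-quick up wg0`; the Client then reaches the Host as 10.8.0.2 and nothing has to be forwarded on OR or IR. Only the VPS exposes a listening UDP port, and each peer's single /32 AllowedIPs entry limits what a given key may send into the tunnel.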