From: gevisz
Date: Thu, 5 Apr 2018 12:51:17 +0300
Subject: Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
To: gentoo-user@lists.gentoo.org

2018-04-05 1:02 GMT+03:00 Grant Taylor:
> On 04/04/2018 02:18 PM, gevisz wrote:
>>
>> A friend of mine asked me to recommend him an open-source VPN server for
>> Linux, but unfortunately I have never used one.
>
> That's a loaded ask.

I just tried to point to the facts that 1) I know much less about VPNs than I
had to before asking such a question for myself, 2) there is, so to say, a
"distributed competence": the friend of mine is competent mostly in Windows
and is a novice in Linux, whereas I have used Linux since the death of MS DOS
6.22 and know almost nothing about Windows (if I need some help with Windows,
I just call the friend and ask where exactly I should point and click :).

>> After some googling, I have found OpenVPN but do not know if it is the
>> best choice that suits his purposes, namely to access a local network that
>> does not have its own fixed IP from the outside.
>
> Okay....
>
>> To be more precise: the local network to be accessed from the outside
>> is part of another local network. The latter (outer) network has its own
>> fixed IP but the former (inner) network gets its IP via DHCP. So, it is
>> impossible to connect to a computer in the inner network from the outside
>> directly.
>
> Is this topology accurate?
>
> (Client)---(Internet)---(OR)---(IR)---(Host)
>
> I'm guessing that your friend (client) wants to access something (host) on
> the inner network. But to do so requires passing through the Internet
> through Outer Router (with a static IP on the outside (left)) and through
> the Inner Router (which has a dynamic IP on the outside (left) obtained via
> DHCP)). Is that correct?

Yes. And the Client also has a static IP. Moreover, both OR and IR have
static IPs from the inside. So, the Host can make a connection request to the
Client.

The Host works as a remote server and physical access to it is costly. All
administration of the Host should be done through the Client. That is the
reason for the need of a VPN.

> What sort of control does your friend have on the OR & IR?

Absolutely no control on OR and some control on IR. But the physical access
to the IR is also costly and preferably should be done only once, during its
setup.

> Is NAT in use on either OR or IR?

Yes. On both.

> What sort of

Sorry, but I know nothing about different sorts of NAT.

>> The computer in the local network to be connected to runs Windows. The said
>> friend of mine has tried to run some VPN server from Windows, but it somehow
>> hangs the "inner" computer when his "outer" computer has problems connecting
>> to the Internet.
>
> Are you saying that the Host in the diagram above is running Windows? Or are
> you referring to a different system?

Yes, the Host is running Windows.

>> So, now his idea is
>> 1) to run a virtual machine in the "inner" (Windows) computer,
>> 2) to install into this virtual machine a very lightweight Linux server only
>> to run in it a VPN server that should help him to connect from the outside
>> to the "inner" host (Windows) computer, which has its fixed IP within the
>> inner local network.
>
> The VM may or may not be needed.

I agree. The first attempt that will be made is to try to use a different VPN
server on the Windows Host directly.

> Assuming that NAT is in play on OR and IR (worst case), then just about
> /any/ form of VPN initiating from the outside will be fraught with uphill
> battles.

As far as I understand, the connection would be initiated from the Host.

> It is likely possible that your friend can reconfigure both OR and IR to
> forward a port from the Internet to Host. But that will likely mean that IR
> will need to have a static IP on its outside interface. - I'm guessing
> this can't be done or that it would have already been done.

Yes, there is absolutely no control over OR, and IR can only obtain its IP via
DHCP.

> I think that your friend's best bet is to have the IR initiate an outbound
> VPN to something on the Internet that the Client can then initiate
> connections to. (I'm happily using a $5/month Linode VPS to do this.)

Oh, we completely overlooked the possibility of setting up a VPN server
directly on the IR! Thank you for the idea! Hopefully, this VPN server won't
hang the IR as it did with the Host.

As to third-party VPN services, we would like to avoid them. The Client runs
all the time, and the problem arises only when it loses the Internet
connection.

> There may be ways to make this work without having the Host initiate
> outbound connections, but I'm not sure what they would be.
>
> As for which VPN, a number of people like OpenVPN. I personally prefer
> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN. (I've got SSH
> exposed already, so it's one less port to expose.) I see a number of people
> bragging about WireGuard. Of course there are the old PPTP / L2TP / IPSec,
> though I would avoid them for this install. I'm sure there are a number of
> other VPN technologies that I'm not thinking of.
>
> I'm using OpenSSH's VPN feature between an inside client machine to an
> external Linode VPS that functions as a midway rendezvous point.

Thank you for your recommendations. I will just pass them on to the friend of
mine (so as not to dig into the details :).
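The design Grant describes, an IR that dials out to a rendezvous host using OpenSSH's tun-based (routed, L3) VPN, hinges on one sshd setting on the rendezvous side: `PermitTunnel`, which defaults to `no` and should stay that way for everyone except the account the IR logs in with. The script below is an added example written for this page; it is not code from the thread, from OpenSSH or from Gentoo. It embeds a constructed `sshd_config` fragment, implements a small checker that reports the effective `PermitTunnel` value for a given user (modelling sshd's rule that a matching `Match` block overrides the global value and the first value obtained wins, while only inspecting the `User` criterion), and prints, without running, the commands the IR side would use. The account name `ir`, the host `rendezvous.example` and the `10.9.8.0/30` tunnel addresses are placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread, OpenSSH or Gentoo. Models the
# "IR dials out to a rendezvous host" design with OpenSSH's tun VPN: the
# rendezvous host's sshd grants PermitTunnel to the dialling account only.
# "ir", "rendezvous.example" and 10.9.8.0/30 are constructed placeholders.

# Constructed sshd_config fragment for the rendezvous host: tunnels are off
# globally and enabled, layer-3 only, for the single account the IR uses.
SAMPLE_SSHD_CONFIG='# global section
PermitTunnel no
Match User ir
    PermitTunnel point-to-point
    PermitTTY no
    X11Forwarding no'

write_sample_config() {               # $1: destination path
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$1"
}

# Effective PermitTunnel for one user. sshd semantics modelled: the global
# value applies unless a matching "Match User" block sets the keyword, and
# among several matching blocks the first value obtained wins. Simplification
# (this checker's, not sshd's full logic): only the User criterion is read and
# other criteria on the same Match line are ignored, so when in doubt it
# reports the tunnel as permitted. Default when unset is "no" (sshd_config(5)).
effective_permit_tunnel() {           # $1: sshd_config path, $2: user name
    awk -v user="$2" '
        BEGIN { global = "no"; in_match = 0; matched = 0; result = "" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == "match" {
            in_match = 1; matched = 0
            for (i = 2; i < NF; i += 2)
                if (tolower($i) == "user" && $(i + 1) == user) matched = 1
            next
        }
        tolower($1) == "permittunnel" {
            if (!in_match) global = tolower($2)
            else if (matched && result == "") result = tolower($2)
        }
        END { print (result == "" ? global : result) }
    ' "$1"
}

# Commands for the IR side of the tunnel (printed as a reference, never
# executed by this script). Creating tun0 needs root on both ends; -N keeps
# the session open without requesting a shell.
ir_side_commands() {
    cat <<'EOF'
# on the IR:
ssh -N -w 0:0 ir@rendezvous.example
# on the IR, once tun0 exists:
ip addr add 10.9.8.2/30 dev tun0 && ip link set tun0 up
# on the rendezvous host:
ip addr add 10.9.8.1/30 dev tun0 && ip link set tun0 up
EOF
}

# Stand-alone run: write the sample config and report two users.
cfg=$(mktemp)
write_sample_config "$cfg"
printf 'ir: %s\n' "$(effective_permit_tunnel "$cfg" ir)"        # point-to-point
printf 'other: %s\n' "$(effective_permit_tunnel "$cfg" other)"  # no
rm -f "$cfg"
```

Run the checker against the real file on the rendezvous host (`effective_permit_tunnel /etc/ssh/sshd_config ir`) after editing it, and confirm that an unrelated account still gets `no`; `sshd -T -C user=ir` gives the authoritative answer, the awk version is only a quick pre-check that needs no root. Keeping the tunnel account restricted (`point-to-point` rather than `yes`, no TTY, no X11) limits what a compromised IR can do on the rendezvous host to the single tun interface it was meant to have.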