From: Grant Taylor <gtaylor@gentoo.tnetconsulting.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
Date: Wed, 4 Apr 2018 16:02:20 -0600
Message-ID: <bcdf80e9-1c92-db54-930b-411b86902552@spamtrap.tnetconsulting.net>
In-Reply-To: <CA+t6X7f1u7X0Q376C1+PrP7mSjDmQU8fyLj9eh5ktXVF=Xm-cQ@mail.gmail.com>

On 04/04/2018 02:18 PM, gevisz wrote:
> A friend of mine asked me to recommend him an open-source VPN-server 
> for Linux but unfortunately I never used one.

That's a loaded ask.

> After some googling, I have found OpenVPN but do not know if it is the 
> best choice that suits his purposes, namely to access local network that 
> does not have its own fixed IP from the outside.

Okay....

> To be more precise: the local network to be accessed to from the outside 
> is part of another local network. The latter (outer) network has its 
> own fixed IP but the former (inner) network gets its IP via DHCP.  So, 
> it is impossible to connect to a computer in the inner network from the 
> outside directly.

Is this topology accurate?

(Client)---(Internet)---(OR)---(IR)---(Host)

I'm guessing that your friend (client) wants to access something (host) 
on the inner network.  But to do so requires passing through the 
Internet through Outer Router (with a static IP on the outside (left)) 
and through the Inner Router (which has a dynamic IP on the outside 
(left) obtained via DHCP)).  Is that correct?

What sort of control does your friend have on the OR & IR?

Is NAT in use on either OR or IR?

What sort of

> The computer in the local network to be connected runs Windows.  The said 
> friend of mine has tried to run some VPN server from Windows but it 
> somehow hangs the "inner" computer when his "outer" computer has problems 
> connecting to the Internet.

Are you saying that the Host in the diagram above is running Windows? 
Or are you referring to a different system?

> So, now his idea is
> 1) to run a virtual machine in the "inner" (Windows) computer,
> 2) to install into this virtual machine very lightweight Linux server 
> only to run in it a VPN-server that should help him to connect from the 
> outside to the "inner" host (Windows) computer, which has its fixed IP 
> within the inner local network.

The VM may or may not be needed.

Assuming that NAT is in play on OR and IR (worst case), then just about 
/any/ form of VPN initiating from the outside will be fraught with 
uphill battles.

It is likely possible that your friend can reconfigure both OR and IR to 
forward a port from the Internet to Host.  But that will likely mean 
that IR will need to have a static IP on its outside interface.  -  I'm 
guessing this can't be done or that it would have already been done.

I think that your friend's best bet is to have the IR initiate an 
outbound VPN to something on the Internet that the Client can then 
initiate connections to.  (I'm happily using a $5/month Linode VPS to do 
this.)

There may be ways to make this work without having the Host initiate 
outbound connections, but I'm not sure what they would be.

As for which VPN, a number of people like OpenVPN.  I personally prefer 
OpenSSH's ability to do a routed (L3) (or bridged L2) VPN.  (I've got 
SSH exposed already, so it's one less port to expose.)  I see a number 
of people bragging about WireGuard.  Of course there are the old PPTP / 
L2TP / IPSec, though I would avoid them for this install.  I'm sure 
there are a number of other VPN technologies that I'm not thinking of.

I'm using OpenSSH's VPN feature between an inside client machine to an 
external Linode VPS that functions as a midway rendezvous point.



-- 
Grant. . . .
unix || die
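The setup Grant describes (the inner machine dialing out through OR and IR to a rendezvous VPS with OpenSSH's routed tun VPN), written up as an added example that is not code from the thread or from OpenSSH. It assumes a placeholder VPS name, that the VPS sshd_config contains `PermitTunnel point-to-point`, root logins on both ends (creating a tun device needs CAP_NET_ADMIN), and a constructed inner LAN of 192.168.1.0/24.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenSSH layer-3 (tun) VPN from the inner
# Linux box out to a rendezvous VPS. Because the inner side initiates, the NAT and
# DHCP on OR and IR never have to accept an inbound connection.
# Assumptions (all placeholders): VPS is vps.example.invalid, its sshd_config has
# "PermitTunnel point-to-point", we are root on both ends, inner LAN is 192.168.1.0/24.
set -eu

VPS_HOST=vps.example.invalid
LOCAL_TUN=0; REMOTE_TUN=0                     # tun device numbers on Host and VPS
HOST_TUN_IP=10.254.0.2; VPS_TUN_IP=10.254.0.1; TUN_PREFIX=30
INNER_LAN=192.168.1.0/24

# The ssh invocation that builds the tunnel: -w pairs a tun device on each end,
# keepalives hold the NAT state on OR/IR open and notice a dead link quickly, and
# ExitOnForwardFailure makes ssh exit (so a supervisor can retry) if tun setup fails.
ssh_tunnel_cmd() {
    printf 'ssh -N -f -w %s:%s -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes root@%s' \
        "$LOCAL_TUN" "$REMOTE_TUN" "$VPS_HOST"
}

# Host side once the tun exists: address it and enable forwarding so packets from
# the VPS can reach the inner LAN. (Inner LAN machines still need a return route
# for 10.254.0.0/30 via this box, or this box must masquerade; not shown here.)
host_side_cmds() {
    printf 'ip addr add %s/%s dev tun%s\nip link set tun%s up\nsysctl -w net.ipv4.ip_forward=1\n' \
        "$HOST_TUN_IP" "$TUN_PREFIX" "$LOCAL_TUN" "$LOCAL_TUN"
}

# VPS side: address its end and route the inner LAN through the tunnel to Host.
vps_side_cmds() {
    printf 'ip addr add %s/%s dev tun%s\nip link set tun%s up\nip route add %s via %s\n' \
        "$VPS_TUN_IP" "$TUN_PREFIX" "$REMOTE_TUN" "$REMOTE_TUN" "$INNER_LAN" "$HOST_TUN_IP"
}

tunnel_up() {
    eval "$(ssh_tunnel_cmd)"                     # backgrounded ssh creates tun0 on both ends
    host_side_cmds | sh -e
    vps_side_cmds | ssh "root@$VPS_HOST" sh -e   # second session runs the VPS steps
}

# Act only when explicitly asked; otherwise the file just defines the functions.
if [ "${SSH_VPN_ACTION:-}" = "up" ]; then
    tunnel_up
fi
```

Run it as root on the inner box with `SSH_VPN_ACTION=up`; the Client then reaches 192.168.1.0/24 by going through the VPS, which now has a route to that LAN via tun0.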

