From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
To: gentoo-user@lists.gentoo.org
From: Bill Kenworthy
Date: Thu, 5 Apr 2018 21:14:02 +0800
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org
Content-Language: en-AU

On 05/04/18 18:28, gevisz wrote:
> 2018-04-05 12:51 GMT+03:00 gevisz :
>> 2018-04-05 1:02 GMT+03:00 Grant Taylor :
>> On 04/04/2018 02:18 PM, gevisz wrote:
>>> Assuming that NAT is in play on OR and IR (worst case), then just about
>>> /any/ form of VPN initiating from the outside will be fraught with uphill
>>> battles.
>> As far as I understand, the connection would be initiated from the Host.
> A small correction after a call to the friend: the VPN server should
> be installed
> on the Client and the VPN client should be installed on the Host.
>
> Because of the same reason it is impossible to set up VPN server on the IR.
>
> Moreover, IR is too simple to use it for setting up any server other than NAT
> and, maybe, port-forwarding.
>

Might need a third-party VPN server in the cloud that both ends connect to as clients and route between? A STUN server, like VoIP uses, will help there.
Also try a proxytunnel/stunnel using port 443 and use that to bounce OpenVPN or a PuTTY (SSH) port tunnel through the network's HTTPS proxy. Inefficient, but it gets SSH, web pages and small downloads through problematic networks nicely. Double wrapping in SSL with end-to-end protection via OpenVPN takes care of privacy when MITM SSL proxies are used (yes, they exist).

Note that OpenVPN can be used peer to peer, though client to server is a bit more secure. In my setup, the client is Windows and the server is Gentoo on a dynamic IP. For really paranoid networks there are other ways, but I have found this handles most cases, which are either my Android phone, my laptop using OpenVPN on locked-down wifi networks, or SSH (PuTTY) on Windows hosts.

BillK
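As an added illustration of the port-443 layout Bill describes (this is not his configuration and not part of the thread), here is a minimal stunnel plus OpenVPN arrangement: stunnel on the client sends an HTTP CONNECT through the network's HTTPS proxy to the server's port 443, stunnel on the server unwraps the outer TLS and hands the stream to OpenVPN on loopback, and OpenVPN's own TLS session, pinned to the server certificate and protected with `tls-crypt`, is the layer that keeps the traffic private if the outer TLS is terminated by an intercepting proxy. Every hostname, proxy address, port and file path below is an assumed placeholder.

```ini
; ---- client side: stunnel.conf (assumed path; all names are placeholders) ----
; The inner OpenVPN TLS session, not this outer one, is the trust boundary:
; an intercepting HTTPS proxy can terminate the outer TLS, so verifying the
; outer certificate here is an extra check, not the guarantee.
client = yes
foreground = yes

[openvpn-over-443]
; OpenVPN on this machine connects here instead of to the real server
accept  = 127.0.0.1:11194
; the network's HTTPS proxy (placeholder address); stunnel issues an HTTP
; CONNECT to it and then starts TLS to the host named in protocolHost
protocol     = connect
connect      = proxy.example.internal:3128
protocolHost = vpn.example.net:443
; verify the outer endpoint too, so a redirected or terminated outer TLS
; session is at least logged by stunnel
CAfile      = /etc/stunnel/vpn-server-ca.pem
verifyChain = yes
checkHost   = vpn.example.net

; ---- client side: client.ovpn (OpenVPN talks to local stunnel, not the server) ----
client
dev tun
proto tcp-client
remote 127.0.0.1 11194
nobind
ca   ca.crt
cert client.crt
key  client.key
; pre-shared key that authenticates and encrypts the TLS control channel, so
; an interposed proxy cannot even begin a handshake with the inner server
tls-crypt ta.key
; require a server certificate with the serverAuth EKU and the expected name;
; this is what makes the inner tunnel end-to-end when the outer TLS is
; terminated by an inspecting proxy
remote-cert-tls server
verify-x509-name vpn.example.net name
cipher AES-256-GCM
verb 3

; ---- server side: stunnel.conf (terminates the outer TLS on tcp/443) ----
foreground = yes

[openvpn-over-443]
accept  = 0.0.0.0:443
connect = 127.0.0.1:1194
cert    = /etc/stunnel/vpn.example.net-fullchain.pem
key     = /etc/stunnel/vpn.example.net-key.pem

; ---- server side: server.conf (reachable only on loopback, through stunnel) ----
local 127.0.0.1
port 1194
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
tls-crypt ta.key
; require a client certificate with the clientAuth EKU
remote-cert-tls client
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
verb 3
```

The client-side listener and the server-side OpenVPN port both bind to loopback, so the only externally exposed service is TLS on 443; running TCP-over-TCP is what makes the approach inefficient, as Bill notes. From the network owner's side, this pattern shows up in the proxy log as a long-lived CONNECT to a single host on 443, which is the record to review if such tunnels are not expected. The cloud-relay variant (both ends as clients of a hub that routes between them, with STUN for NAT discovery) needs a publicly reachable hub and is not shown here.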