2018-04-05 1:02 GMT+03:00 Grant Taylor <gtay...@gentoo.tnetconsulting.net>:
> On 04/04/2018 02:18 PM, gevisz wrote:
>>
>> A friend of mine asked me to recommend him an open-source VPN-server for
>> Linux but unfortunately I never used one.
>
> That's a loaded ask.

I just tried to point out the facts that
1) I know much less about VPNs than I needed to before asking such a
question for myself,
2) there is, so to say, a "distributed competence": my friend is competent
mostly in Windows and is a novice in Linux, whereas I have used Linux since
the death of MS DOS 6.22 and know almost nothing about Windows (if I need
some help with Windows, I just call the friend and ask where exactly I
should point and click :).

>> After some googling, I have found OpenVPN but do not know if it is the
>> best choice that suits his purposes, namely to access local network that
>> does not have its own fixed IP from the outside.
>
> Okay....
>
>> To be more precise: the local network to be accessed to from the outside
>> is part of another local network. The latter (outer) network has its own
>> fixed IP but the former (inner) network gets its IP via DHCP.  So, it is
>> impossible to connect to a computer in the inner network from the outside
>> directly.
>
> Is this topology accurate?
>
> (Client)---(Internet)---(OR)---(IR)---(Host)
>
> I'm guessing that your friend (client) wants to access something (host) on
> the inner network.  But to do so requires passing through the Internet
> through Outer Router (with a static IP on the outside (left)) and through
> the Inner Router (which has a dynamic IP on the outside (left) obtained via
> DHCP)).  Is that correct?

Yes. And the Client also has a static IP. Moreover, both OR and IR have static
IPs on the inside. So, the Host can make a connection request to the Client.
The Host works as a remote server, and physical access to it is costly.
All administration of the Host should be done through the Client.
That is the reason for the need of a VPN.

> What sort of control does your friend have on the OR & IR?

Absolutely no control over OR and some control over IR. But physical access
to the IR is also costly and preferably should be done only once,
during its setup.

> Is NAT in use on either OR or IR?

Yes. On both.

> What sort of

Sorry, but I know nothing about the different sorts of NAT.

>> The computer in the local network to be connected to runs Windows.  The said
>> friend of mine has tried to run some VPN server from Windows, but it somehow
>> hangs the "inner" computer when his "outer" computer has problems connecting
>> to the Internet.
>
> Are you saying that the Host in the diagram above is running Windows? Or are
> you referring to a different system?

Yes, the Host is running Windows.

>> So, now his idea is
>> 1) to run a virtual machine in the "inner" (Windows) computer,
>> 2) to install into this virtual machine very lightweight Linux server only
>> to run in it a VPN-server that should help him to connect from the outside
>> to the "inner" host (Windows) computer, which has its fixed IP within the
>> inner local network.
>
> The VM may or may not be needed.

I agree. The first attempt that will be done is to try to use a different VPN
server on Windows Host directly.

> Assuming that NAT is in play on OR and IR (worst case), then just about
> /any/ form of VPN initiating from the outside will be fraught with uphill
> battles.

As far as I understand, the connection would be initiated from the Host.

> It is likely possible that your friend can reconfigure both OR and IR to
> forward a port from the Internet to Host.  But that will likely mean that IR
> will need to have a static IP on its outside interface.  -  I'm guessing
> this can't be done or that it would have already been done.

Yes, there is absolutely no control over OR, and IR can only obtain
its IP via DHCP.

> I think that your friend's best bet is to have the IR initiate an outbound
> VPN to something on the Internet that the Client can then initiate
> connections to.  (I'm happily using a $5/month Linode VPS to do this.)

Oh, we completely overlooked the possibility to set up VPN server
directly on IR!

Thank you for the idea!

Hopefully, this VPN server won't hang the IR as it did with the Host.

As to third-party VPN services, we would like to avoid them.
The Client runs all the time, and the problem arises only when it
loses the Internet connection.

> There may be ways to make this work without having the Host initiate
> outbound connections, but I'm not sure what they would be.
>
> As for which VPN, a number of people like OpenVPN.  I personally prefer
> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN.  (I've got SSH
> exposed already, so it's one less port to expose.)  I see a number of people
> bragging about WireGuard.  Of course there are the old PPTP / L2TP / IPSec,
> though I would avoid them for this install.  I'm sure there are a number of
> other VPN technologies that I'm not thinking of.
>
> I'm using OpenSSH's VPN feature between an inside client machine and an
> external Linode VPS that functions as a midway rendezvous point.

Thank you for your recommendations. I will just pass them on to my friend
(so as not to dig into the details :).
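The outbound-VPN-to-a-rendezvous setup Grant describes, written out as a script for the inner side. This is an added example, not code from the thread or from OpenSSH's documentation; it assumes a Linux box on the inner side (the Linux VM on the Host, or the IR), a rendezvous machine at the placeholder address rendezvous.example (the VPS, or the Client itself, which also has a static IP), iproute2 and root at both ends, and a sshd_config on the rendezvous side that contains the line printed by sshd_requirement.

```shell
#!/bin/sh
# Added example, not from the thread. Runs on the inner side (Linux VM on the
# Host, or the IR) and keeps an outbound OpenSSH tun VPN up to a static-IP
# rendezvous machine, reconnecting whenever the Internet link drops.
# Assumed: rendezvous.example is a placeholder (a VPS, or the Client itself);
# Linux + iproute2 at both ends; root at both ends (needed to create tun devices).
RENDEZVOUS="${RENDEZVOUS:-root@rendezvous.example}"
TUN_ID=0                   # tun0 at both ends (ssh -w 0:0)
LOCAL_TUN_IP="10.99.0.2"   # inner end of the point-to-point link
REMOTE_TUN_IP="10.99.0.1"  # rendezvous end; the Client reaches the Host via it

# sshd_config line the rendezvous side needs before it accepts -w.
sshd_requirement() { printf '%s\n' "PermitTunnel point-to-point"; }

# -w requests the tun pair, -N runs no remote command, and the keepalives make
# ssh exit (rather than hang) when the link is lost, so the loop can rebuild it.
ssh_tunnel_cmd() {
  printf '%s' "ssh -N -w ${TUN_ID}:${TUN_ID} -o Tunnel=point-to-point" \
    " -o ServerAliveInterval=15 -o ServerAliveCountMax=3" \
    " -o ExitOnForwardFailure=yes -o BatchMode=yes ${RENDEZVOUS}"
}

# Command run on the rendezvous end to address its side of the link.
remote_setup_cmd() {
  printf '%s' "ip link set tun${TUN_ID} up && ip addr replace ${REMOTE_TUN_IP}" \
    " peer ${LOCAL_TUN_IP}/32 dev tun${TUN_ID}"
}

# Address the local tun once ssh has created it.
local_setup() {
  ip link set "tun${TUN_ID}" up
  ip addr replace "${LOCAL_TUN_IP}" peer "${REMOTE_TUN_IP}/32" dev "tun${TUN_ID}"
}

# Rebuild the tunnel every time ssh exits, so the Host is reachable again as
# soon as the Internet link comes back instead of sitting on a dead session.
run_tunnel_loop() {
  while :; do
    $(ssh_tunnel_cmd) &
    pid=$!
    for _ in 1 2 3 4 5 6 7 8 9 10; do   # wait up to 10 s for tun0 to appear
      ip link show "tun${TUN_ID}" >/dev/null 2>&1 && break
      sleep 1
    done
    local_setup
    ssh -o BatchMode=yes "${RENDEZVOUS}" "$(remote_setup_cmd)"
    wait "${pid}"                         # returns when the session dies
    sleep 5
  done
}
if [ "${1:-}" = "up" ]; then run_tunnel_loop; fi
```

Run it as root with the argument `up` (for example from a systemd unit or rc script); if the Client is the rendezvous it reaches the Host at 10.99.0.2 directly, whereas with a VPS in the middle the Client still needs its own ssh or VPN path to that VPS.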
