2018-04-05 14:51 GMT+03:00 Mick <michaelkintz...@gmail.com>: > > Your double NAT-ing arrangement hides the host twice over from the Internet. > In addition, some of the domestic ISP providers also offer NAT'ed connections > for their users.
Our outer router with static IP is actually the router (and gateway) of the Internet service provider. So, no "in addition". :) The inner router with dinamyc IP is the router (and gateway) of the local (home) network. > Some block specific ports/protocols for 'security purposes' > and require you to upgrade your service contract for unfettered > Internet connectivity. We have quite a lot of ISPs here. So, the ISP that risks to force "contract for unfettered Internet connectivity" will lose its client and gets nothing in return. Moreover, this unsatisfied (and technically savvy) client can easily persuade his neighbours to abandon this ISP as well... > Assuming none of the above ISP restrictions apply in your case, you have the > option of forwarding connections to the host through the IR. Single NAT e.g. > between OR and IR is fine and NAT-T can be configured in most VPN technologies > to address this. If you can configure the IR to expose the host via DMZ, or > forward specific ports/protocols from OR to the host directly then most VPN > technologies should work in principle. I think that my friend knows about this. But thank you anyway. :) > OpenVPN/SSTP is straight forward and for a single host (as opposed to a > gateway) there's no benefit in trying to implement more complicated kernel > based VPNs. For stronger OpenVPN crypto configuration have a look here: > > https://bettercrypto.org/static/applied-crypto-hardening.pdf An interesting link. Thank you. > but your security options will be limited by what MSWindows offers/allows. It is ok, as far as the only who uses this computer is a former Windows sysadmin and nobody is really motivated to break in. :) > Post with particulars when you get that far and we can troubleshoot it Ok, thank you.
