Re: Faking the same LAN over the Internet
On 2020-04-03, Matt Schwartz wrote:
> I think as long as one side of the tunnel is not doing NAT then you would
> be okay.

IPsec copes with NAT on both sides as long as the UDP ports (500/4500) are port-forwarded on one side. Then the ethernet tunnel (etherip bridged to the relevant network interface is usually simplest) can run between private addresses passed over the tunnel.

>> On Wed, 1 Apr 2020, at 18:47, Tom Smyth wrote:
>> > Gre is great and fast and a hell of a lot faster than OpenVPN...
>> > However and it is a Big However...
>> > Gre does not typically work Across NATs

GRE works across IPsec tunnels ok though, giving a way to sidestep NAT. (GRE *can* work across NAT in some circumstances.) But IIUC the OP needs an L2 tunnel, so that's normally etherip/egre/eoip bridged to an ethernet interface. etherip is usually simplest.

(I think it's also possible to use tun(4) in L2 mode, bridged to an ethernet interface, and forward it via ssh tunnel forwarding - this is easier in some ways but will be slower.)

It will need a system each side that can use compatible ethernet tunneling mechanisms (and it's easier if these boxes use the same software, e.g. OpenBSD both sides, so you aren't dealing with learning two different implementations).

The general approach is to configure private (e.g. RFC1918) addresses on "dummy" interfaces each side (e.g. 172.18.123.1/30 and 172.18.123.2/30 on vether or loopback interfaces) and configure an IPsec tunnel to pass traffic between those addresses (e.g. "ike esp from 172.18.123.1 to 172.18.123.2 peer 11.22.33.44 local 22.33.44.55 main auth hmac-sha1 enc aes group modp2048 quick enc aes-128-gcm group modp2048 srcid somename dstid othername" for ipsec.conf, and copy local.pub from the "somename" side to pubkeys/fqdn/othername on the other side and vice-versa).

Get the VPN working so you can ping between those private addresses first (ignore etherip until that works); when you know that side of things is OK you can use them as endpoints for the etherip tunnel. Don't forget sysctl net.inet.ip.forwarding, and all the network packets involved will need to make it past PF rules.
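The setup sketched in the message above (vether endpoints, an IPsec flow between them, etherip between the same endpoints, bridged to the LAN interface, plus the sysctl and PF pieces), written out as one site's OpenBSD configuration. This is an added example, not part of the thread or of any OpenBSD documentation: the addresses and identities are the placeholders from the message, the interface names em0/em1 are assumed, and the script only generates the files under a directory of your choosing so they can be reviewed before going anywhere near /etc. The other box gets the same files with LOCAL_* and PEER_* swapped, and each side needs the other's /etc/isakmpd/local.pub installed as /etc/isakmpd/pubkeys/fqdn/<that side's srcid>.

```shell
#!/bin/sh
# Added example (not from the thread): generate one site's OpenBSD config for
# etherip over IPsec between two vether(4) endpoints, bridged onto the LAN.
# All values are placeholders; EXT_IF/LAN_IF are assumptions.
set -eu

EXT_IF="em0"                # Internet-facing interface (assumed)
LAN_IF="em1"                # LAN the game console sits on (assumed)
LOCAL_PUB="22.33.44.55"     # this side's public address (thread's example)
PEER_PUB="11.22.33.44"      # other side's public address (thread's example)
LOCAL_TUN="172.18.123.1"    # this side's vether0 address
PEER_TUN="172.18.123.2"     # other side's vether0 address
SRCID="somename"            # this side's IKE identity (thread's example)
DSTID="othername"           # other side's IKE identity (thread's example)

# /etc/ipsec.conf: one flow carrying only traffic between the two vether
# addresses, IKEv1 main/quick mode with public-key auth (the thread's line).
gen_ipsec_conf() {
	printf 'ike esp from %s to %s peer %s local %s main auth hmac-sha1 enc aes group modp2048 quick enc aes-128-gcm group modp2048 srcid %s dstid %s\n' \
	    "$LOCAL_TUN" "$PEER_TUN" "$PEER_PUB" "$LOCAL_PUB" "$SRCID" "$DSTID"
}

# /etc/hostname.vether0: the private endpoint, a /30 so nothing else fits.
gen_hostname_vether() { printf 'inet %s 255.255.255.252\n' "$LOCAL_TUN"; }

# /etc/hostname.etherip0: Ethernet frames encapsulated between the vether
# addresses, so they match the IPsec flow and ride inside the SA.
gen_hostname_etherip() { printf 'tunnel %s %s\nup\n' "$LOCAL_TUN" "$PEER_TUN"; }

# /etc/hostname.bridge0: join the LAN interface and the tunnel at layer 2.
gen_hostname_bridge() { printf 'add %s\nadd etherip0\nup\n' "$LAN_IF"; }

# sysctl.conf lines to merge: forwarding, and etherip(4) drops received
# packets unless net.inet.etherip.allow is set.
gen_sysctl_lines() { printf 'net.inet.ip.forwarding=1\nnet.inet.etherip.allow=1\n'; }

# pf.conf(5) fragment to merge: IKE/NAT-T and ESP from the peer only, then
# only the etherip tunnel between the two endpoints on the decrypted side.
gen_pf_fragment() {
	printf 'ext_if="%s"\npeer="%s"\n' "$EXT_IF" "$PEER_PUB"
	printf 'pass in on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }\n'
	printf 'pass in on $ext_if proto esp from $peer to ($ext_if)\n'
	printf 'pass in on enc0 proto etherip from %s to %s keep state (if-bound)\n' \
	    "$PEER_TUN" "$LOCAL_TUN"
	printf 'pass out on enc0 proto etherip from %s to %s keep state (if-bound)\n' \
	    "$LOCAL_TUN" "$PEER_TUN"
}

# Write everything under $1/etc; use a scratch directory to review first.
write_config_tree() {
	root="$1"
	mkdir -p "$root/etc"
	gen_ipsec_conf       > "$root/etc/ipsec.conf"
	gen_hostname_vether  > "$root/etc/hostname.vether0"
	gen_hostname_etherip > "$root/etc/hostname.etherip0"
	gen_hostname_bridge  > "$root/etc/hostname.bridge0"
	gen_sysctl_lines     > "$root/etc/sysctl.conf.etherip"
	gen_pf_fragment      > "$root/etc/pf.conf.etherip"
	chmod 600 "$root/etc/ipsec.conf"
}

# Print every generated file, which is what happens when the script is run.
show_configs() {
	for g in gen_ipsec_conf gen_hostname_vether gen_hostname_etherip \
	         gen_hostname_bridge gen_sysctl_lines gen_pf_fragment; do
		printf '### %s\n' "$g"
		"$g"
	done
}

show_configs
```

Bring it up in the order the message recommends: vether0 and the IPsec flow first (sh /etc/netstart vether0; ipsecctl -f /etc/ipsec.conf; ping the peer's vether address), and only once that pings add etherip0 and bridge0. The two enc0 rules are deliberately narrow: if a LAN host ends up with a route to the peer's public address it should still only reach it through the etherip/IPsec pair, not as bare IP.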
Re: Faking the same LAN over the Internet
I think as long as one side of the tunnel is not doing NAT then you would be okay. For a while I had an IPSEC VPN going between my cloud server and my home desktop so that I could access my home desktop remotely and it worked well. Although, I have never tried any layer two tunneling. Report back and let us know how it goes. EtherIP might be simpler to set up.

On Fri, Apr 3, 2020 at 11:51 AM Chris Rawnsley wrote:
> Many thanks for all the suggestions, folks.
>
> I think I will have a play around with egre(4) and etherip(4) paired
> with iked(8) first and then move on to OpenVPN if all else fails. I
> will try to simulate the network layout with vmm(4) and hopefully
> report back in a few days.
>
> On Wed, 1 Apr 2020, at 18:47, Tom Smyth wrote:
> > Gre is great and fast and a hell of a lot faster than OpenVPN...
> > However and it is a Big However...
> > Gre does not typically work Across NATs
>
> On my side of the link I have an APU2 with OpenBSD working as a
> gateway and, potentially, managing this tunnelling too. As I have
> not got into details yet, would the NAT issue be avoided if one side
> of the tunnel has a public IP?
>
> --
> Chris Rawnsley
Re: Faking the same LAN over the Internet
Many thanks for all the suggestions, folks.

I think I will have a play around with egre(4) and etherip(4) paired with iked(8) first and then move on to OpenVPN if all else fails. I will try to simulate the network layout with vmm(4) and hopefully report back in a few days.

On Wed, 1 Apr 2020, at 18:47, Tom Smyth wrote:
> Gre is great and fast and a hell of a lot faster than OpenVPN...
> However and it is a Big However...
> Gre does not typically work Across NATs

On my side of the link I have an APU2 with OpenBSD working as a gateway and, potentially, managing this tunnelling too. As I have not got into details yet, would the NAT issue be avoided if one side of the tunnel has a public IP?

--
Chris Rawnsley
Re: Faking the same LAN over the Internet
You could also consider using etherip(4). I think the etherip(4) interface might be more NAT tolerant but I am not really sure.
Re: Faking the same LAN over the Internet
yes, if your openbsd device is not your broadband router then consider below.

brief how to, actual implementation left to individual admin

step one, have a relatively low cost virtual host provider
step two, using virtual host provider to determine data center with lowest combined latency between your 2 (or more) endpoints
step three, create ipsec tunnels between endpoints and VM server
step four, create egre or eoip or whatever you chose between the various endpoints across ipsec tunnel

On Wed, Apr 1, 2020 at 11:45 AM Tom Smyth wrote:
>
> Hi Chris, Dianna,
>
> Gre is great and fast and a hell of a lot faster than OpenVPN...
> However and it is a Big However...
> Gre does not typically work Across NATs
>
> L2 GRE tunnel interfaces u can run on OpenBSD
> include eoip(4) egre(4), etherip(4)
>
> On Wed, 1 Apr 2020 at 17:58, Chris Bennett wrote:
> >
> > On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:
> > > have you considered looking at native OpenBSD tools?
> > >
> > > https://man.openbsd.org/egre.4
> >
> > Wow! I had no idea about this.
> > The manual page seems to be very clear, too.
> >
> > I have 2 servers at different ISPs and from home I almost always connect
> > over my phone's hotspot.
> >
> > I will definitely be learning this!
> >
> > Thanks!
> >
> > Chris Bennett
>
> --
> Kindest regards,
> Tom Smyth.

--
- Past hissy-fits are not a predictor of future hissy-fits. Nick Holland (06 Dec 2005)

To announce that there must be no criticism of the president, or that we are to stand by the president, right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public. - Theodore Roosevelt (1918)
reviewing what is available (was Re: Faking the same LAN over the Internet)
On 04-01 12:47, Chris Bennett wrote:
> On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:
> > have you considered looking at native OpenBSD tools?
> > https://man.openbsd.org/egre.4
>
> Wow! I had no idea about this.

I think you know more about obsd than I do, but in case it's useful to anyone else: I didn't know about egre(4) either, but I am trying to go gradually through the process of seeing "what is there" by browsing to man.openbsd.org, putting a single period (".") in the search field, choosing a section, clicking apropos, and methodically reading. Lots of good stuff and some surprises (for me at least) in there. If I hadn't done that once with debian (years ago), I wouldn't know about touch(1), for example, and a bunch of other things.

Again, you know more than I, so no insult intended. :)

--
Luke Call
Peace, tech, help, ideas: http://lukecall.net (Updated 2020-03-13. Feedback welcome; https is on todo list.)
Re: Faking the same LAN over the Internet
Hi Chris, Dianna,

Gre is great and fast and a hell of a lot faster than OpenVPN...
However and it is a Big However...
Gre does not typically work Across NATs

L2 GRE tunnel interfaces u can run on OpenBSD include eoip(4), egre(4), etherip(4)

On Wed, 1 Apr 2020 at 17:58, Chris Bennett wrote:
>
> On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:
> > have you considered looking at native OpenBSD tools?
> >
> > https://man.openbsd.org/egre.4
>
> Wow! I had no idea about this.
> The manual page seems to be very clear, too.
>
> I have 2 servers at different ISPs and from home I almost always connect
> over my phone's hotspot.
>
> I will definitely be learning this!
>
> Thanks!
>
> Chris Bennett

--
Kindest regards,
Tom Smyth.
Re: Faking the same LAN over the Internet
On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:
> have you considered looking at native OpenBSD tools?
>
> https://man.openbsd.org/egre.4

Wow! I had no idea about this. The manual page seems to be very clear, too.

I have 2 servers at different ISPs and from home I almost always connect over my phone's hotspot.

I will definitely be learning this!

Thanks!

Chris Bennett
Re: Faking the same LAN over the Internet
have you considered looking at native OpenBSD tools? https://man.openbsd.org/egre.4
Re: Faking the same LAN over the Internet
Use OpenVPN in bridged mode, or if it's too complicated for you to set it up you can give Hamachi a shot, which was made for exactly this. There is one caveat regarding using the bridged mode in OpenVPN: there is more packet overhead than if you were using the routed tun network, but I guess it will be more than enough for your application. Other things can be broadcast storms, some misbehaviour of bridge interfaces (like sometimes your FW thinks the packet came in on br0, sometimes on tap0), MTU problems; that is also why the ovpn team wants to remove the bridged mode, so enjoy it while you can :)

‐‐‐ Original Message ‐‐‐
On Tuesday, March 31, 2020 11:34 AM, Chris Rawnsley wrote:

> In the period of The Great Isolation, a friend and I wish to play
> a game that has LAN-only multiplayer. We, however, live in different
> locations and, more importantly, different LANs. An often cited
> approach to solving this is to set up a VPN and connect the two
> devices to it. This requires that both devices run a VPN client
> that connects to the third device that manages the connection. And
> then, hey presto! You have a "LAN".
>
> The complication I have found is that we are both using a Nintendo
> Switch (NinSw) and this device comes without a VPN client. Initially,
> I thought it would be possible to use a VPN client on a computer
> which was wired in over Ethernet and then share the wireless to the
> NinSw. This setup would be mirrored on the other side. The diagram
> below tries to make this clearer. Search for "Where my thinking"
> to skip over this.
>
> [ASCII diagram, garbled in extraction: [gateway] with its [uplink] at the bottom, [laptop] running the [VPN] client above it, and [NinSw] on the laptop's wireless; "mirrored on the other side"]
>
> Where my thinking comes stuck is how the wired connection is shared
> to the NinSw over wireless. The laptop, running MacOS in the case
> of my friend, will setup its own NAT to isolate the wireless
> connections from the uplink. The NinSw is then unable to receive
> an IP from the VPN and therefore not appear as part of the same
> network.
>
> Ignoring the particular case of how "Internet Connection Sharing"
> works on MacOS, would it be possible to setup some "VPN bridge"
> (yes, I made that up) on OpenBSD where it handles the details of
> the VPN connection but forwards the IP address to another device?
>
> If anyone has more insight into this and can point me in the right
> direction I would be grateful. Similarly if there's been a mistake
> in my thinking please point it out as that could help too.
>
> --
> Chris Rawnsley
>
> P.S. the game in question is Civilization 6 and, yes, they very
> annoyingly restricted it to LAN-only multiplayer...
Re: Faking the same LAN over the Internet
Sorry for top posting,

Would https://openvpn.net/vpn-server-resources/site-to-site-layer-2-bridging-using-openvpn-access-server/ solve your problem?

Regards,
Erik

Op 31-3-2020 om 11:34 schreef Chris Rawnsley:
> In the period of The Great Isolation, a friend and I wish to play
> a game that has LAN-only multiplayer. We, however, live in different
> locations and, more importantly, different LANs. An often cited
> approach to solving this is to set up a VPN and connect the two
> devices to it. This requires that both devices run a VPN client
> that connects to the third device that manages the connection. And
> then, hey presto! You have a "LAN".
>
> The complication I have found is that we are both using a Nintendo
> Switch (NinSw) and this device comes without a VPN client. Initially,
> I thought it would be possible to use a VPN client on a computer
> which was wired in over Ethernet and then share the wireless to the
> NinSw. This setup would be mirrored on the other side. The diagram
> below tries to make this clearer. Search for "Where my thinking"
> to skip over this.
>
> [ASCII diagram, garbled in extraction: [gateway] with its [uplink] at the bottom, [laptop] running the [VPN] client above it, and [NinSw] on the laptop's wireless; "mirrored on the other side"]
>
> Where my thinking comes stuck is how the wired connection is shared
> to the NinSw over wireless. The laptop, running MacOS in the case
> of my friend, will setup its own NAT to isolate the wireless
> connections from the uplink. The NinSw is then unable to receive
> an IP from the VPN and therefore not appear as part of the same
> network.
>
> Ignoring the particular case of how "Internet Connection Sharing"
> works on MacOS, would it be possible to setup some "VPN bridge"
> (yes, I made that up) on OpenBSD where it handles the details of
> the VPN connection but forwards the IP address to another device?
>
> If anyone has more insight into this and can point me in the right
> direction I would be grateful. Similarly if there's been a mistake
> in my thinking please point it out as that could help too.
>
> --
> Chris Rawnsley
>
> P.S. the game in question is Civilization 6 and, yes, they very
> annoyingly restricted it to LAN-only multiplayer...
Re: Faking the same LAN over the Internet
On Tue, Mar 31, 2020 at 10:34:39AM +0100, Chris Rawnsley wrote:
> In the period of The Great Isolation, a friend and I wish to play
> a game that has LAN-only multiplayer. We, however, live in different
> locations and, more importantly, different LANs. An often cited
> approach to solving this is to set up a VPN and connect the two
> devices to it. This requires that both devices run a VPN client
> that connects to the third device that manages the connection. And
> then, hey presto! You have a "LAN".
>
> The complication I have found is that we are both using a Nintendo
> Switch (NinSw) and this device comes without a VPN client. Initially,
> I thought it would be possible to use a VPN client on a computer
> which was wired in over Ethernet and then share the wireless to the
> NinSw. This setup would be mirrored on the other side. The diagram
> below tries to make this clearer. Search for "Where my thinking"
> to skip over this.
>
> [ASCII diagram, garbled in extraction: [gateway] with its [uplink] at the bottom, [laptop] running the [VPN] client above it, and [NinSw] on the laptop's wireless; "mirrored on the other side"]
>
> Where my thinking comes stuck is how the wired connection is shared
> to the NinSw over wireless. The laptop, running MacOS in the case
> of my friend, will setup its own NAT to isolate the wireless
> connections from the uplink. The NinSw is then unable to receive
> an IP from the VPN and therefore not appear as part of the same
> network.
>
> Ignoring the particular case of how "Internet Connection Sharing"
> works on MacOS, would it be possible to setup some "VPN bridge"
> (yes, I made that up) on OpenBSD where it handles the details of
> the VPN connection but forwards the IP address to another device?
>
> If anyone has more insight into this and can point me in the right
> direction I would be grateful. Similarly if there's been a mistake
> in my thinking please point it out as that could help too.

I'm using OpenBSD IPSec to connect two LANs (at two locations, with different ISPs). Have a look at this article:

https://openbsd.fandom.com/wiki/OpenBSD_IPSec_made_easy

This setup has worked flawlessly for me for years now, only occasionally broken whenever one or both of the ISPs decide to change my dynamically assigned IPs, upon which I'll have to manually rename one file and restart the IPSec service. (It happens so seldom that I haven't bothered looking into how to automate it.)

This setup may require both you and your friend to have an internet facing OpenBSD gateway situated at/in front of [uplink].

Nice ASCII btw.

Cheers,
Erling

>
> --
> Chris Rawnsley
>
> P.S. the game in question is Civilization 6 and, yes, they very
> annoyingly restricted it to LAN-only multiplayer...