Re: Simple way to securely access remote machine that's behind a NAT?

2018-09-29 Thread Michael van Elst
acr...@gmail.com (Andy Ruhl) writes:

>On Tue, Sep 25, 2018 at 8:49 AM David Young  wrote:
>> I added UDP encapsulation to gre(4) in NetBSD specifically to pierce NAT
>> firewalls, however, I don't know if Linux also has a UDP encapsulation
>> for GRE.

I haven't seen a Linux kernel implementation of RFC8086 (GRE in UDP),
but there is the Multi-Path Tunnel project on github that implements
it including the draft multipath extension for it.

>This is off topic, but it was alluded to earlier:

>I think it's possible for a router to forward an IP protocol inward
>via NAT, such as GRE? Or am I mistaken?

NAT sessions are usually only created dynamically for outgoing traffic and
since GRE has no session boundaries it's likely to be timed out then. But
a static NAT rule should be fine.

But then, some NAT routers will just drop GRE.

-- 
Michael van Elst
Internet: mlel...@serpens.de
"A potential Snark may lurk in every tree."
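The NAT behaviour Michael describes (dynamic sessions keyed on outbound flows, nothing to key on for GRE, a static rule as the workaround, and UDP encapsulation per RFC 8086 as the way around all of that) can be modelled in a few dozen lines. The block below is an added illustration, not code from this thread, from NetBSD or from any NAT implementation: the NAT is a deliberately minimal port-translating model, the addresses and ports are constructed documentation values, and the GRE header builder/parser follows the RFC 2784/2890 layout. The only real constant is UDP port 4754, the RFC 8086 GRE-in-UDP destination port.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GRE = 47                 # IP protocol number for GRE (no ports)
UDP = 17
GRE_IN_UDP_PORT = 4754   # RFC 8086 UDP destination port for GRE-in-UDP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for portless protocols such as GRE
    dport: Optional[int] = None
    payload: bytes = b""


def gre_header(ptype: int, key: Optional[int] = None) -> bytes:
    """RFC 2784 header (flags/version + protocol type), plus the RFC 2890 Key field if given."""
    flags = 0x2000 if key is not None else 0          # K bit
    hdr = struct.pack("!HH", flags, ptype)
    return hdr + (struct.pack("!I", key) if key is not None else b"")


def parse_gre(data: bytes) -> dict:
    """Return protocol type, key and inner payload, skipping optional checksum/key/sequence fields."""
    flags, ptype = struct.unpack("!HH", data[:4])
    off, key = 4, None
    if flags & 0x8000:                                # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:                                # K bit: 32-bit key
        key = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & 0x1000:                                # S bit: sequence number
        off += 4
    return {"proto": ptype, "key": key, "payload": data[off:]}


class Nat:
    """Toy NAT (constructed model): dynamic sessions for ported protocols, none for GRE."""

    def __init__(self, public_ip: str, static: Optional[Dict[int, str]] = None):
        self.public_ip = public_ip
        self.static = static or {}                    # proto -> inside host (static rule)
        self.sessions: Dict[Tuple[int, int], Tuple[str, int]] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # Portless protocol: the source is rewritten, but nothing identifies a session.
            return Packet(pkt.proto, self.public_ip, pkt.dst, payload=pkt.payload)
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, public_port, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the inside host, or return None when it is dropped."""
        if pkt.dport is None:
            inside = self.static.get(pkt.proto)
            return Packet(pkt.proto, pkt.src, inside, payload=pkt.payload) if inside else None
        hit = self.sessions.get((pkt.proto, pkt.dport))
        if hit is None:
            return None
        return Packet(pkt.proto, pkt.src, hit[0], pkt.sport, hit[1], pkt.payload)


def run_tunnel(nat: Nat, outer_proto: int) -> Optional[Packet]:
    """Send one GRE frame out through the NAT and try to pass the peer's reply back in."""
    inner = gre_header(0x0800, key=42) + b"ping"       # GRE carrying IPv4, key 42 (constructed)
    if outer_proto == GRE:
        out = Packet(GRE, "10.0.0.5", "203.0.113.9", payload=inner)
    else:
        out = Packet(UDP, "10.0.0.5", "203.0.113.9", 55000, GRE_IN_UDP_PORT, inner)
    wire = nat.outbound(out)
    # The peer answers to whatever source address/port it saw on the wire.
    reply = Packet(wire.proto, wire.dst, wire.src, wire.dport, wire.sport, inner)
    return nat.inbound(reply)


def demo() -> dict:
    """Three cases: raw GRE (dropped), GRE-in-UDP (delivered), raw GRE with a static rule."""
    return {
        "raw_gre": run_tunnel(Nat("198.51.100.1"), GRE),
        "gre_in_udp": run_tunnel(Nat("198.51.100.1"), UDP),
        "raw_gre_static": run_tunnel(Nat("198.51.100.1", {GRE: "10.0.0.5"}), GRE),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, "dropped" if pkt is None else f"delivered to {pkt.dst}")
```

The model leaves out timers on purpose; a real NAT that did track GRE would still have no packet boundary to refresh a session on, which is the timeout problem the post mentions. The static-rule case is the same thing an inbound protocol forward on a router would do.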


Re: Simple way to securely access remote machine that's behind a NAT?

2018-09-29 Thread Andy Ruhl
On Tue, Sep 25, 2018 at 8:49 AM David Young  wrote:
> I added UDP encapsulation to gre(4) in NetBSD specifically to pierce NAT
> firewalls, however, I don't know if Linux also has a UDP encapsulation
> for GRE.

That's pretty cool. I will try it at some point. That plus a private
IP address on both sides would solve this pretty cleanly.

This is off topic, but it was alluded to earlier:

I think it's possible for a router to forward an IP protocol inward
via NAT, such as GRE? Or am I mistaken?

Andy


Re: Simple way to securely access remote machine that's behind a NAT?

2018-09-29 Thread Michael Cheponis
Thanks everybody for help.  I really liked the .onion setup idea, but I
ended up using openvpn.  The documentation is very good, and the relevant
page for me was:
https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html

What is fantastic about openvpn is it can be used without knowing much, and
it 'does the right thing' and at the same time, allows apparently infinite
flexibility for more sophisticated setups.

The simple method described at that URL does require a single secret key be
shared between client and server.  I had to add "--cipher AES-256-CBC" on
both ends, as the default seemed to complain otherwise.

The additional 4 lines of config to do keep-alive work really well, too
(described at that URL).


Thanks again, awesome NetBSD community!

-Mike
On Tue, Sep 25, 2018 at 8:49 AM David Young  wrote:

> On Tue, Sep 25, 2018 at 03:04:56PM +0545, Brook Milligan wrote:
> > Just curious, could one also use either gre or gif to create a tunnel or
> does NAT mess that up?
>
> I added UDP encapsulation to gre(4) in NetBSD specifically to pierce NAT
> firewalls, however, I don't know if Linux also has a UDP encapsulation
> for GRE.
>
> Dave
>
> --
> David Young
> dyo...@pobox.com    Urbana, IL    (217) 721-9981
>
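For readers who want to reproduce Mike's setup, the following is an added example of the static-key configuration, not text from his post: the `dev`/`ifconfig`/`secret` lines and the four keep-alive directives are the ones from the linked mini-howto as I recall them, the `cipher` line is the flag he says he had to add on both ends, and `vpn.example.org` and the 10.8.0.0/24 addresses are placeholders.

```conf
# Generate the shared secret once and copy it to the peer over a trusted channel:
#   openvpn --genkey --secret static.key

# ---- server.conf ----
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC       # must match on both ends
keepalive 10 60          # ping every 10 s, restart after 60 s of silence
ping-timer-rem
persist-tun
persist-key

# ---- client.conf ----
remote vpn.example.org   # placeholder for the public side
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
cipher AES-256-CBC
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
```

The howto itself lists the trade-off worth keeping in mind: a single static key means no forward secrecy, so the key file should be treated like a private key (mode 0600, never sent over the same untrusted path it is meant to protect), and the certificate/TLS mode is the step up when more than one client or key rotation is needed.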