Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-07 Thread R0b0t1
On Saturday, April 7, 2018, Mick wrote:
> On Friday, 6 April 2018 18:55:18 BST gevisz wrote:
>> 2018-04-06 2:10 GMT+03:00 Grant Taylor:
>
>> > I'd encourage your friend to check out the VPN capabilities built into
>> > Windows.  He may need to install / configure (R)RAS to enable the
>> > features.
>>
>> Thank you for your advice. He is currently trying to set up RAS with SSTP
>> but RAS client so far cannot log into the server, while a third party VPN
>> just works (until the remote computer hangs for so far unknown reason that
>> even may not be connected with the VPN server).
>>
>> We will continue to experiment to find the reason.
>
> Typical problems incurred with SSTP are relating to username authentication
> and TLS certificate selection/configuration.
>
> SSTP authenticates OS users, not devices/PCs.  So use the *same* username and
> passwd on all the OS login, SSTP VPN & RRAS wizards.
>
> The TLS server certificate has to contain a DN which will resolve to the IP of
> the server in question, or better use the IP address both in the CN and the
> X509v3 Subject Alternative Name fields.
>
> In addition, the SSTP certificate binding has to use the same TLS certificate
> with that selected for RRAS and this is not always obvious (for SSTP at
> least).  You can use MSWindow's 'netsh ras show sstp-ssl-cert' command to show
> the TLS certificate in use by SSTP and compare this with the RRAS certificate
> selection.
>
> It is a bit of a faff, but that's what you get with SSTP.  The benefit of it
> is that it is integrated with MSWindows authentication mechanisms and network
> stack, allowing easy enterprise wide configuration and management.  For your
> friend's one off VPN set up, OpenVPN, or SoftEther VPN is probably a better
> MSWindows based option:
>

Companies which need user management tend to just set up an intranet and
provide VPN access to it which is likely not going to be a Microsoft
technology. There is no benefit to integrating OS authentication with your
transport security. If you contacted a Windows-focused business for your
administration they may set such a system up, but only because they don't
know any better.

Evaluating Microsoft software should be done extremely carefully. It is
very easy to waste time, ignoring other concerns. You may get something
working but it will not be easy to administrate or scale.

Microsoft's current revenue may be largely from customers using the sunk
cost fallacy.

Cheers,
R0b0t1


Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-07 Thread Mick
On Friday, 6 April 2018 18:55:18 BST gevisz wrote:
> 2018-04-06 2:10 GMT+03:00 Grant Taylor :

> > I'd encourage your friend to check out the VPN capabilities built into
> > Windows.  He may need to install / configure (R)RAS to enable the
> > features.
> 
> Thank you for your advice. He is currently trying to set up RAS with SSTP
> but RAS client so far cannot log into the server, while a third party VPN
> just works (until the remote computer hangs for so far unknown reason that
> even may not be connected with the VPN server).
> 
> We will continue to experiment to find the reason.

Typical problems incurred with SSTP are relating to username authentication 
and TLS certificate selection/configuration.

SSTP authenticates OS users, not devices/PCs.  So use the *same* username and 
passwd on all the OS login, SSTP VPN & RRAS wizards.

The TLS server certificate has to contain a DN which will resolve to the IP of 
the server in question, or better use the IP address both in the CN and the 
X509v3 Subject Alternative Name fields.

In addition, the SSTP certificate binding has to use the same TLS certificate 
with that selected for RRAS and this is not always obvious (for SSTP at 
least).  You can use MSWindow's 'netsh ras show sstp-ssl-cert' command to show 
the TLS certificate in use by SSTP and compare this with the RRAS certificate 
selection. 

It is a bit of a faff, but that's what you get with SSTP.  The benefit of it 
is that it is integrated with MSWindows authentication mechanisms and network 
stack, allowing easy enterprise wide configuration and management.  For your 
friend's one off VPN set up, OpenVPN, or SoftEther VPN is probably a better 
MSWindows based option:

http://www.softether.org/
https://github.com/SoftEtherVPN/SoftEtherVPN

-- 
Regards,
Mick
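
Mick's point about the server certificate (the IP in the CN alone is not enough; it belongs in the X509v3 Subject Alternative Name as well), shown as an added example that is not from the thread, from RRAS or from any tool it names: throw-away self-signed certificates are built in Go and checked against the standard library's X.509 name-matching rules, which, like current TLS clients generally, consult only the SAN. The addresses 192.0.2.10 and vpn.example.net are constructed placeholders, and that the Windows SSTP client applies exactly this SAN-only rule is an assumption here, not something the thread states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeServerCert builds a self-signed TLS server certificate with the given
// Common Name and optional X509v3 Subject Alternative Name entries.
// The key is freshly generated and thrown away: this is a constructed fixture
// for the name-matching check below, not a certificate to deploy anywhere.
func makeServerCert(cn string, sanIPs []net.IP, sanDNS []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  sanIPs, // iPAddress SAN entries
		DNSNames:     sanDNS, // dNSName SAN entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// nameMatches reports whether a TLS client that dialled `target` (an IP
// literal or a DNS name, exactly as typed into the VPN connection) would
// accept cert as issued for that endpoint. Go's VerifyHostname applies the
// modern rule: an IP target must appear as an iPAddress SAN and a DNS target
// as a dNSName SAN; the legacy Common Name on its own is never consulted.
func nameMatches(cert *x509.Certificate, target string) bool {
	return cert.VerifyHostname(target) == nil
}

// sanSummary lists what a certificate actually carries in its subject and SAN
// extension, the same fields an operator compares against the SSTP/RRAS binding.
func sanSummary(cert *x509.Certificate) string {
	return fmt.Sprintf("CN=%q IP-SANs=%v DNS-SANs=%v",
		cert.Subject.CommonName, cert.IPAddresses, cert.DNSNames)
}

func main() {
	// Constructed placeholder endpoints from the documentation ranges.
	serverIP := net.ParseIP("192.0.2.10")
	serverName := "vpn.example.net"

	cnOnly, _ := makeServerCert("192.0.2.10", nil, nil)                 // IP only in CN
	ipSAN, _ := makeServerCert("192.0.2.10", []net.IP{serverIP}, nil)   // IP in CN and SAN
	dnsSAN, _ := makeServerCert(serverName, nil, []string{serverName}) // name in CN and SAN

	for _, c := range []*x509.Certificate{cnOnly, ipSAN, dnsSAN} {
		fmt.Println(sanSummary(c))
		fmt.Printf("  client dials %-16s -> accepted: %v\n", serverIP, nameMatches(c, serverIP.String()))
		fmt.Printf("  client dials %-16s -> accepted: %v\n", serverName, nameMatches(c, serverName))
	}
}
```

Only the certificate with the iPAddress SAN is accepted when the client dials the IP, and only the dNSName SAN is accepted when it dials the name; the CN-only certificate fails both ways, which is the failure Mick's CN+SAN advice avoids.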



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread R0b0t1
On Fri, Apr 6, 2018 at 12:58 PM, Mick  wrote:
> On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
>> On 04/05/2018 03:51 AM, gevisz wrote:
>> > Yes, the Host is running Windows.
>>
>> Seeing as how both the "Host" and the "Client" are running Windows, I
>> would think seriously about trying to leverage Windows' built in VPN
>> capabilities.
>>
>> The following things come to mind:
>>
>>   - (raw) IPSec - this might be somewhat challenging b/c reasons
>
> I think you mean IKEv2 + IPSec?
>
> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
> be encrypted when sent through the IPSec encrypted tunnel.
>
>
>>   - L2TP+IPSec - probably less challenging b/c of wizards
>
> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.
>
>
>>   - PPTP - just don't unless you have to
>
> Well said:
>
> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security.  I would not use it under any
> circumstances, unless security is of no importance.
>
>
>> I'd encourage your friend to check out the VPN capabilities built into
>> Windows.  He may need to install / configure (R)RAS to enable the features.
>
> As I mentioned before, there is also IKEv2+IPSec, which allows the client to
> roam between networks without dropping the connection.
>
> Finally, there is SSTP encrypting PPP frames within TLS.  I don't know why one
> would use this instead of OpenVPN, except that it comes as part of the
> MSWindows package, while OpenVPN has to be installed separately.
>
>
>> In my experience, using native features that come from the software
>> vendor is often simpler to maintain long term.
>
> +1
>
> They are also easier to set up initially, because both MSWindows peers will
> use the same combo of encryption suites, ciphers, etc.

You mean the same horribly insecure ciphers? The built in options are
so weak that I am not aware of anyone seriously using them; most
setups tunnel Windows technologies like RDP (which may sometimes
insist on being set up with encryption) over Linux based technologies.



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread Grant Taylor

On 04/06/2018 04:51 PM, Mick wrote:
> Domestic grade routers which offer IKEv1, typically use PSK for
> authentication, not TLS certificates.  The PSK is what IKE uses in
> userspace to establish a secure connection with authentication between
> peers for the purpose of exchanging the IPSec keys to encrypt the
> tunnel with.

ACK  All of that makes sense.  Thank you for clarifying / confirming
what I suspected was the case.

I don't /remember/ IKE being involved in what I was doing.  But there's
a chance that it was happening without me being aware of it.

> If you check the 2nd sentence in the wiki page below, it confirms
> MSWindows L2TP/IPSec uses IKEv1 to exchange the IPSec keys:
>
> https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#IPsec

I don't remember L2TP being involved either.  But that doesn't mean that
it wasn't.

If memory serves (and it often does not) I was manually configuring
IPSec policies via a GPEdit snapin.  It was extremely low level and
obtuse to configure.

> OpenSWAN was forked into LibreSWAN and FreeSWAN is now called StrongSWAN.
> Anyway, part of the IKEv2 standard is to offer support for mobile and
> multihomed users (MOBIKE).

Hum.  I've not paid attention to *SWAN as I've not needed to use it.  I
also thought that IPSec was a LOT more complicated than other
technologies.  Plus, I was dealing with more road warrior type things
than site-to-site.  (It's my understanding that IPSec is (or was) not
really friendly for mobile.)

> Although IKE operates in userspace, the IPSec stack is in kernelspace
> and its performance superior to userspace VPN technologies.

My understanding is that IKE was just used to bootstrap and maintain
the in kernel IPSec.  Thus IKE could easily run in user space.

> Apparently Wireguard is even more efficient than the IPSec's xfrm/netkey,
> but I have not tried it out yet.

I've not messed with Wireguard yet.  But it's on my list if I ever need
/ want to mess with VPNs.




--
Grant. . . .
unix || die



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread Mick
On Friday, 6 April 2018 19:20:09 BST Grant Taylor wrote:
> On 04/06/2018 11:58 AM, Mick wrote:
> > I think you mean IKEv2 + IPSec?
> 
> I don't remember IKE involved the last time I had to manually
> set up an IPSec connection between two Windows systems (or Windows and a
> Netgear router).  I think it was /completely/ manual and PSK.

Domestic grade routers which offer IKEv1, typically use PSK for 
authentication, not TLS certificates.  The PSK is what IKE uses in userspace 
to establish a secure connection with authentication between peers for the 
purpose of exchanging the IPSec keys to encrypt the tunnel with.  If you check 
the 2nd sentence in the wiki page below, it confirms MSWindows L2TP/IPSec uses 
IKEv1 to exchange the IPSec keys:

https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#IPsec


> > IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> > tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will
> > all be encrypted when sent through the IPSec encrypted tunnel.
> 
> I remember doing a little bit with IKE 10+ years ago back when it was
> OpenSWAN / FreeSWAN.

OpenSWAN was forked into LibreSWAN and FreeSWAN is now called StrongSWAN.  
Anyway, part of the IKEv2 standard is to offer support for mobile and 
multihomed users (MOBIKE).

Although IKE operates in userspace, the IPSec stack is in kernelspace and its 
performance superior to userspace VPN technologies.  Apparently Wireguard is 
even more efficient than the IPSec's xfrm/netkey, but I have not tried it out 
yet.

-- 
Regards,
Mick



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread Grant Taylor

On 04/06/2018 11:58 AM, Mick wrote:
> I think you mean IKEv2 + IPSec?

I don't remember IKE involved the last time I had to manually
set up an IPSec connection between two Windows systems (or Windows and a
Netgear router).  I think it was /completely/ manual and PSK.

> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will
> all be encrypted when sent through the IPSec encrypted tunnel.

I remember doing a little bit with IKE 10+ years ago back when it was
OpenSWAN / FreeSWAN.

> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.

ACK

> Well said:

*chuckle*

> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security.  I would not use it under
> any circumstances, unless security is of no importance.

Agreed.

> As I mentioned before, there is also IKEv2+IPSec, which allows the client
> to roam between networks without dropping the connection.

Intriguing.  I've never considered IPSec with a road warrior, much less
an established connection with a changing IP address.  I would have been
much more likely to look at OpenVPN or Wireguard or OpenSSH.

> Finally, there is SSTP encrypting PPP frames within TLS.  I don't know
> why one would use this instead of OpenVPN, except that it comes as part
> of the MSWindows package, while OpenVPN has to be installed separately.

SSTP is a new one on me.

> +1
>
> They are also easier to set up initially, because both MSWindows peers
> will use the same combo of encryption suites, ciphers, etc.  Half of
> the pain of getting MSWindows to work with a Linux VPN gateway is often
> finding how to configure the cipher, hash and X509v3 extensions of a
> TLS certificate in a way that MSWindows will not barf;  e.g. IIRC, last
> time I looked at a Windows 7 IKEv2/IPSec VPN, the TLS certificates would
> only accept AES128 keys and SHA1.  Anything more onerous would not be
> accepted by the MSoft TLS key manager.

Agreed.



--
Grant. . . .
unix || die



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread gevisz
2018-04-06 1:45 GMT+03:00 Bill Kenworthy:
> On 05/04/18 22:51, gevisz wrote:
>> 2018-04-05 16:14 GMT+03:00 Bill Kenworthy:
>>> On 05/04/18 18:28, gevisz wrote:
>>>> 2018-04-05 12:51 GMT+03:00 gevisz:
>>>>> 2018-04-05 1:02 GMT+03:00 Grant Taylor:
>>>>>> On 04/04/2018 02:18 PM, gevisz wrote:
>>>>>> Assuming that NAT is in play on OR and IR (worst case), then just about
>>>>>> /any/ form of VPN initiating from the outside will be fraught with uphill
>>>>>> battles.
>>>>> As far as I understand, the connection would be initiated from the Host.
>>>> A small correction after a call to the friend: the VPN server should
>>>> be installed on the Client and the VPN client should be installed on the
>>>> Host.
>>>>
>>>> Because of the same reason it is impossible to set up VPN server on the IR.
>>>>
>>>> Moreover, IR is too simple to use it for setting up any server other than
>>>> NAT and, may be, port-forwarding.

>>> Might need a third party vpn server in the cloud that both ends connect
>>> to as clients and route between?  A stunserver like VoIP uses will help
>>> there.
>>>
>>> Also try a proxytunnel/stunnel using port 443 and use that to bounce
>>> openvpn or a putty (ssh) port tunnel through the networks https proxy.
>>> Inefficient but gets ssh, web pages and small downloads through
>>> problematic networks nicely.  Double wrapping in ssl with end-to-end
>>> protection via openvpn takes care of privacy when MITM SSL proxies are
>>> used (yes they exist)   Note that openvpn can be used peer to peer
>>> though client to server is a bit more secure.
>> Thank you for the information.
>>
>>>  In my setup, the client is windows and the server is gentoo on a dynamic 
>>> IP.
>> It is strange because just today I have learned that VPN server should
>> be set on the host with static IP visible the in Internet. Otherwise a
>> VPN-client
>> has no way to connect to the VPN-server.
>>
> I am referring to putty as the windows client (my view of the process) -
> the vpn client is proxytunnel on windows connecting out to the server
> which is an external stunnel on gentoo from your point of view.  The
> secret is getting the two to talk to each other and thats where it gets
> interesting - a method I used in the past is internally have a script
> scraping a webpage (external) and when it gets a change it wants,
> initiate a connection (IP number change for a permanaent link on a
> dynamic IP, or other instruction - actually used a html comment on my
> home web server index page).  A more common method is to initiate a test
> connection every few minutes and close/go back to waiting if there is no
> connection.  Zebedee which I used for years as a port tunnel (very good
> and flexible) has a mode where it can initiate connections when there is
> no public visibility.  If both ends are behind a secure gateway/NAT -
> you need a third machine to coordinate the process.

It is too hard for me to understand, but I have got the idea of letting
some script to periodically read the content of a webpage and initiate
the connection if the content of the webpage say so.

I let my friend to read this.

> If its all too hard, can you drop a raspberry pi trojan on the network
> which gets away from the restrictions running windows?  At the end of
> the day, its up to you and the local admins as to how much funny
> business they will put up with but its just a technical problem in
> moving packets around.
>
> BillK'
>
>



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread Mick
On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
> On 04/05/2018 03:51 AM, gevisz wrote:
> > Yes, the Host is running Windows.
> 
> Seeing as how both the "Host" and the "Client" are running Windows, I
> would think seriously about trying to leverage Windows' built in VPN
> capabilities.
> 
> The following things come to mind:
> 
>   - (raw) IPSec - this might be somewhat challenging b/c reasons

I think you mean IKEv2 + IPSec?

IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
be encrypted when sent through the IPSec encrypted tunnel.


>   - L2TP+IPSec - probably less challenging b/c of wizards

This is using L2TP for encapsulating the frames + IKEv1 for secure key 
exchange + IPsec for encryption of the L2TP tunnel.


>   - PPTP - just don't unless you have to

Well said:

https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security

It is an obsolete method with poor security.  I would not use it under any 
circumstances, unless security is of no importance.


> I'd encourage your friend to check out the VPN capabilities built into
> Windows.  He may need to install / configure (R)RAS to enable the features.

As I mentioned before, there is also IKEv2+IPSec, which allows the client to 
roam between networks without dropping the connection.

Finally, there is SSTP encrypting PPP frames within TLS.  I don't know why one 
would use this instead of OpenVPN, except that it comes as part of the 
MSWindows package, while OpenVPN has to be installed separately.


> In my experience, using native features that come from the software
> vendor is often simpler to maintain long term.

+1

They are also easier to set up initially, because both MSWindows peers will 
use the same combo of encryption suites, ciphers, etc.  Half of the pain of 
getting MSWindows to work with a Linux VPN gateway is often finding how to 
configure the cipher, hash and X509v3 extensions of a TLS certificate in a way 
that MSWindows will not barf;  e.g. IIRC, last time I looked at a Windows 7 
IKEv2/IPSec VPN, the TLS certificates would only accept AES128 keys and SHA1.  
Anything more onerous would not be accepted by the MSoft TLS key manager.
-- 
Regards,
Mick



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-06 Thread gevisz
2018-04-06 2:10 GMT+03:00 Grant Taylor :
> On 04/05/2018 03:51 AM, gevisz wrote:
>>
>> Yes, the Host is running Windows.
>
>
> Seeing as how both the "Host" and the "Client" are running Windows, I would
> think seriously about trying to leverage Windows' built in VPN capabilities.
>
> The following things come to mind:
>
>  - (raw) IPSec - this might be somewhat challenging b/c reasons
>  - L2TP+IPSec - probably less challenging b/c of wizards
>  - PPTP - just don't unless you have to
>
> I'd encourage your friend to check out the VPN capabilities built into
> Windows.  He may need to install / configure (R)RAS to enable the features.

Thank you for your advice. He is currently trying to set up RAS with SSTP but
RAS client so far cannot log into the server, while a third party VPN just works
(until the remote computer hangs for so far unknown reason that even may not
be connected with the VPN server).

We will continue to experiment to find the reason.

> In my experience, using native features that come from the software vendor
> is often simpler to maintain long term.



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread Grant Taylor

On 04/05/2018 03:51 AM, gevisz wrote:

Yes, the Host is running Windows.


Seeing as how both the "Host" and the "Client" are running Windows, I
would think seriously about trying to leverage Windows' built in VPN
capabilities.


The following things come to mind:

 - (raw) IPSec - this might be somewhat challenging b/c reasons
 - L2TP+IPSec - probably less challenging b/c of wizards
 - PPTP - just don't unless you have to

I'd encourage your friend to check out the VPN capabilities built into 
Windows.  He may need to install / configure (R)RAS to enable the features.


In my experience, using native features that come from the software 
vendor is often simpler to maintain long term.




--
Grant. . . .
unix || die



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread Grant Taylor

On 04/05/2018 08:51 AM, gevisz wrote:
> It is strange because just today I have learned that VPN server should
> be set on the host with static IP visible in the Internet. Otherwise a
> VPN-client has no way to connect to the VPN-server.


The static IP is not a strict requirement.  It just greatly simplifies
things.  —  There are multiple ways to deal with dynamic IPs.


The biggest requirement is the ability for traffic (from the VPN
client(s)) to make it into the VPN server.  Ideally the VPN server is
directly connected to the internet.  It is possible to get many (if not
most) VPN protocols to work through something like NAT port forwarding
with proper due diligence.


The inability to get traffic into the VPN server means that it's a 
non-starter.




--
Grant. . . .
unix || die



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread Bill Kenworthy
On 05/04/18 22:51, gevisz wrote:
> 2018-04-05 16:14 GMT+03:00 Bill Kenworthy:
>> On 05/04/18 18:28, gevisz wrote:
>>> 2018-04-05 12:51 GMT+03:00 gevisz:
>>>> 2018-04-05 1:02 GMT+03:00 Grant Taylor:
>>>>> On 04/04/2018 02:18 PM, gevisz wrote:
>>>>> Assuming that NAT is in play on OR and IR (worst case), then just about
>>>>> /any/ form of VPN initiating from the outside will be fraught with uphill
>>>>> battles.
>>>> As far as I understand, the connection would be initiated from the Host.
>>> A small correction after a call to the friend: the VPN server should
>>> be installed on the Client and the VPN client should be installed on the
>>> Host.
>>>
>>> Because of the same reason it is impossible to set up VPN server on the IR.
>>>
>>> Moreover, IR is too simple to use it for setting up any server other than
>>> NAT and, may be, port-forwarding.
>>>
>> Might need a third party vpn server in the cloud that both ends connect
>> to as clients and route between?  A stunserver like VoIP uses will help
>> there.
>>
>> Also try a proxytunnel/stunnel using port 443 and use that to bounce
>> openvpn or a putty (ssh) port tunnel through the networks https proxy.
>> Inefficient but gets ssh, web pages and small downloads through
>> problematic networks nicely.  Double wrapping in ssl with end-to-end
>> protection via openvpn takes care of privacy when MITM SSL proxies are
>> used (yes they exist)   Note that openvpn can be used peer to peer
>> though client to server is a bit more secure.
> Thank you for the information.
>
>>  In my setup, the client is windows and the server is gentoo on a dynamic IP.
> It is strange because just today I have learned that VPN server should
> be set on the host with static IP visible the in Internet. Otherwise a
> VPN-client
> has no way to connect to the VPN-server.
>
I am referring to putty as the windows client (my view of the process) -
the vpn client is proxytunnel on windows connecting out to the server
which is an external stunnel on gentoo from your point of view.  The
secret is getting the two to talk to each other and that's where it gets
interesting - a method I used in the past is internally have a script
scraping a webpage (external) and when it gets a change it wants,
initiate a connection (IP number change for a permanent link on a
dynamic IP, or other instruction - actually used a html comment on my
home web server index page).  A more common method is to initiate a test
connection every few minutes and close/go back to waiting if there is no
connection.  Zebedee which I used for years as a port tunnel (very good
and flexible) has a mode where it can initiate connections when there is
no public visibility.  If both ends are behind a secure gateway/NAT -
you need a third machine to coordinate the process.

If it's all too hard, can you drop a raspberry pi trojan on the network
which gets away from the restrictions running windows?  At the end of
the day, it's up to you and the local admins as to how much funny
business they will put up with but it's just a technical problem in
moving packets around.

BillK'




Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread gevisz
2018-04-05 19:29 GMT+03:00 Grant Taylor :
> On 04/05/2018 03:51 AM, gevisz wrote:
>>
>> Yes. And the Client also has static IP. Moreover, both OR and IR have
>> static IPs from the inside. So, the Host can make a connection request to
>> the Client.
>
> With the client having a static IP, things become a LOT simpler.  Simply
> flip things around and have the ""Client be the VPN server and
> the ""Host be the VPN client.

Yes, you are right. It was my misunderstanding of the situation.
The VPN server was initially on outer computer with a static IP,
and on the computer inside the remoted local network was a VPN client.

I have corrected this a bit later in this thread, after a call to the friend.

I even wanted to write that the Host and Client notations should be swapped
but finally decided that this would lead to the mess.

> This REALLY SIGNIFICANTLY simplifies things.
>
>> The Host works as a remoted server and physical access to it is costly. All
>> administrating of the Host should be done through the Client. That is the
>> reason for the need of VPN.
>
> I sort of wonder what services the server is offering if it can't be
> readily accessed from the outside world.

It makes requests to the other computers in the Internet and saves
the responses. (The same does the computer on the other end of
the scheme. The two remoted servers doing the same job are needed
for redundancy, just in case one of them cannot connect to the Internet
because the blackout, which happens quite often here.)

> Please share a summary of what you end up doing so that others can
> benefit from searching archives.  ;-)

So far, my friend set a newer version of its initial VPN server and client.

The correct scheme looks as follows:
(Administrator) - (VPN host on Windows computer, static IP) <--> (ISP) <-->
   <--> (Internet) <--> (static IP, [outer] router of another ISP, static IP) <-->
   <--> (dynamic IP, inner router, static IP in a remoted [local] network) <-->
   <--> (static IP in the remoted [local] network, VPN client on Windows computer
        in the remoted [local] network)

After starting, the VPN client automatically initiates connection to the VPN
server and reinitiates it every time when the connection is lost. So, the
connection became permanent.

The initial problem was that, when the computer with the VPN server loses
connection to the Internet, the VPN client hangs the "computer in the remoted
[local] network" (in my view, by constantly trying to reconnect to the VPN
server, so my initial recommendation was to increase the time interval between
the attempts to reconnect.)

Currently, the Administrator set a newer version of its initial VPN server and
client and plays with the parameters. If it won't help, he will try another VPN
server and client on Windows. If that won't help as well, he is planning to set
a VPN client into a virtual machine run on "Windows computer in remoted [local]
network".

As far as a VPN client, in general, does not need graphical environment, it
would be expedient to run a Linux server inside the said virtual machine
(instead of another Windows).



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread Grant Taylor

On 04/05/2018 03:51 AM, gevisz wrote:
> Yes. And the Client also has static IP. Moreover, both OR and IR have
> static IPs from the inside. So, the Host can make a connection request
> to the Client.

With the client having a static IP, things become a LOT simpler.  Simply
flip things around and have the "Client" be the VPN server and the
"Host" be the VPN client.

This REALLY SIGNIFICANTLY simplifies things.

> The Host works as a remoted server and physical access to it is costly.
> All administrating of the Host should be done through the Client.
> That is the reason for the need of VPN.

I sort of wonder what services the server is offering if it can't be
readily accessed from the outside world.  But there are many
different things that it can be doing locally.  I digress.

>> What sort of
>
> Sorry, but I do know nothing about different sorts of NAT.

I seem to have been interrupted during the question that I was asking.
Not that I remember it now.  Sorry for the confusion.

> Yes, the Host is running Windows.

In light of the client's static IP, that just means that you need to use
a VPN that has a /client/ that will run on Windows.  (I suspect this
simplifies things.)

> I agree. The first attempt that will be done is to try to use a different
> VPN server on Windows Host directly.

I'd abandon the idea of putting the VPN server on the Windows host.
Instead, focus on putting the VPN server on the "Client" outside with a
static IP.

> As far as I understand, the connection would be initiated from the Host.

That is what you want.

> As to the third party VPN services, we would like to avoid them.
> The Client is run all the time and the problem arises only when it loses
> the Internet connection.

I understand wanting to avoid VPN services.  I was referring to renting
a Virtual Private Server and running your own VPN service.

But since the "Client" has a static IP, you don't need the VPS.

> Thank you for your recommendations. I just pass them to the friend of mine
> (so that not to dig into the details).

You're welcome.

Good luck.

Please share a summary of what you end up doing so that others can
benefit from searching archives.  ;-)




--
Grant. . . .
unix || die



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread gevisz
2018-04-05 16:14 GMT+03:00 Bill Kenworthy:
> On 05/04/18 18:28, gevisz wrote:
>> 2018-04-05 12:51 GMT+03:00 gevisz:
>>> 2018-04-05 1:02 GMT+03:00 Grant Taylor:
>>>> On 04/04/2018 02:18 PM, gevisz wrote:
>>>> Assuming that NAT is in play on OR and IR (worst case), then just about
>>>> /any/ form of VPN initiating from the outside will be fraught with uphill
>>>> battles.
>>> As far as I understand, the connection would be initiated from the Host.
>> A small correction after a call to the friend: the VPN server should
>> be installed on the Client and the VPN client should be installed on the
>> Host.
>>
>> Because of the same reason it is impossible to set up VPN server on the IR.
>>
>> Moreover, IR is too simple to use it for setting up any server other than
>> NAT and, may be, port-forwarding.
>>
> Might need a third party VPN server in the cloud that both ends connect
> to as clients and route between?  A STUN server like VoIP uses will help
> there.
>
> Also try a proxytunnel/stunnel using port 443 and use that to bounce
> OpenVPN or a PuTTY (ssh) port tunnel through the network's https proxy.
> Inefficient, but gets ssh, web pages and small downloads through
> problematic networks nicely.  Double wrapping in SSL with end-to-end
> protection via OpenVPN takes care of privacy when MITM SSL proxies are
> used (yes, they exist).  Note that OpenVPN can be used peer to peer,
> though client to server is a bit more secure.

Thank you for the information.

>  In my setup, the client is windows and the server is gentoo on a dynamic IP.

It is strange, because just today I have learned that a VPN server should
be set up on a host with a static IP visible in the Internet. Otherwise a
VPN client has no way to connect to the VPN server.



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread gevisz
2018-04-05 14:51 GMT+03:00 Mick :
>
> Your double NAT-ing arrangement hides the host twice over from the Internet.
> In addition, some of the domestic ISP providers also offer NAT'ed connections
> for their users.

Our outer router with static IP is actually the router (and gateway)
of the Internet service provider. So, no "in addition". :)

The inner router with dynamic IP is the router (and gateway) of the local
(home) network.

> Some block specific ports/protocols for 'security purposes'
> and require you to upgrade your service contract for unfettered
> Internet connectivity.

We have quite a lot of ISPs here. So, an ISP that risks forcing a
"contract for unfettered Internet connectivity" will lose its client
and get nothing in return. Moreover, this unsatisfied (and
technically savvy) client can easily persuade his neighbours
to abandon this ISP as well...

> Assuming none of the above ISP restrictions apply in your case, you have the
> option of forwarding connections to the host through the IR.  Single NAT e.g.
> between OR and IR is fine and NAT-T can be configured in most VPN technologies
> to address this.  If you can configure the IR to expose the host via DMZ, or
> forward specific ports/protocols from OR to the host directly then most VPN
> technologies should work in principle.

I think that my friend knows about this. But thank you anyway. :)

> OpenVPN/SSTP is straight forward and for a single host (as opposed to a
> gateway) there's no benefit in trying to implement more complicated kernel
> based VPNs.  For stronger OpenVPN crypto configuration have a look here:
>
> https://bettercrypto.org/static/applied-crypto-hardening.pdf

An interesting link. Thank you.

> but your security options will be limited by what MSWindows offers/allows.

It is ok, as the only one who uses this computer is a former Windows sysadmin
and nobody is really motivated to break in. :)

> Post with particulars when you get that far and we can troubleshoot it

Ok, thank you.



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread Bill Kenworthy
On 05/04/18 18:28, gevisz wrote:
> 2018-04-05 12:51 GMT+03:00 gevisz :
>> 2018-04-05 1:02 GMT+03:00 Grant Taylor :
>> On 04/04/2018 02:18 PM, gevisz wrote:
>>> Assuming that NAT is in play on OR and IR (worst case), then just about
>>> /any/ form of VPN initiating from the outside will be fraught with uphill
>>> battles.
>> As far as I understand, the connection would be initiated from the Host.
> A small correction after a call to the friend: the VPN server should
> be installed on the Client and the VPN client should be installed on the Host.
>
> Because of the same reason it is impossible to set up a VPN server on the IR.
>
> Moreover, IR is too simple to use it for setting up any server other than NAT
> and, maybe, port-forwarding.
>
>
Might need a third party VPN server in the cloud that both ends connect
to as clients and route between?  A STUN server like VoIP uses will help
there.

Also try a proxytunnel/stunnel using port 443 and use that to bounce
OpenVPN or a PuTTY (ssh) port tunnel through the network's https proxy.
Inefficient, but gets ssh, web pages and small downloads through
problematic networks nicely.  Double wrapping in SSL with end-to-end
protection via OpenVPN takes care of privacy when MITM SSL proxies are
used (yes, they exist).  Note that OpenVPN can be used peer to peer,
though client to server is a bit more secure.  In my setup, the client
is Windows and the server is Gentoo on a dynamic IP.  For really
paranoid networks there are other ways, but I have found this handles
most cases, which are either my Android phone or laptop using OpenVPN on
locked down wifi networks, or ssh (PuTTY) on Windows hosts.


BillK






Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread Mick
On Thursday, 5 April 2018 11:28:07 BST gevisz wrote:

> A small correction after a call to the friend: the VPN server should
> be installed on the Client and the VPN client should be installed on the Host.
> 
> Because of the same reason it is impossible to set up a VPN server on the IR.
> 
> Moreover, IR is too simple to use it for setting up any server other than
> NAT and, maybe, port-forwarding.

Your double NAT-ing arrangement hides the host twice over from the Internet.  
In addition, some of the domestic ISP providers also offer NAT'ed connections 
for their users.  Some block specific ports/protocols for 'security purposes' 
and require you to upgrade your service contract for unfettered Internet 
connectivity.

Assuming none of the above ISP restrictions apply in your case, you have the 
option of forwarding connections to the host through the IR.  Single NAT e.g. 
between OR and IR is fine and NAT-T can be configured in most VPN technologies 
to address this.  If you can configure the IR to expose the host via DMZ, or 
forward specific ports/protocols from OR to the host directly then most VPN 
technologies should work in principle.

OpenVPN/SSTP is straight forward and for a single host (as opposed to a 
gateway) there's no benefit in trying to implement more complicated kernel 
based VPNs.  For stronger OpenVPN crypto configuration have a look here:

https://bettercrypto.org/static/applied-crypto-hardening.pdf

but your security options will be limited by what MSWindows offers/allows.

Post with particulars when you get that far and we can troubleshoot it 
further.
-- 
Regards,
Mick



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread gevisz
2018-04-05 12:51 GMT+03:00 gevisz :
> 2018-04-05 1:02 GMT+03:00 Grant Taylor :
> On 04/04/2018 02:18 PM, gevisz wrote:
>> Assuming that NAT is in play on OR and IR (worst case), then just about
>> /any/ form of VPN initiating from the outside will be fraught with uphill
>> battles.
>
> As far as I understand, the connection would be initiated from the Host.

A small correction after a call to the friend: the VPN server should
be installed on the Client and the VPN client should be installed on the Host.

Because of the same reason it is impossible to set up a VPN server on the IR.

Moreover, IR is too simple to use it for setting up any server other than NAT
and, maybe, port-forwarding.



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread gevisz
2018-04-05 2:03 GMT+03:00 Mick :
> On Wednesday, 4 April 2018 23:02:20 BST Grant Taylor wrote:
>> On 04/04/2018 02:18 PM, gevisz wrote:
>> > A friend of mine asked me to recommend him an open-source VPN-server
>> > for Linux but unfortunately I never used one.
>>
>> That's a loaded ask.
>>
>> > After some googling, I have found OpenVPN but do not know if it is the
>> > best choice that suits his purposes, namely to access local network that
>> > does not have its own fixed IP from the outside.
>>
>> Okay
>
> This may be solvable, if the public facing gateway can be configured to
> forward the requisite ports/protocols to the LAN where the host is located.

If you mean port forwarding from OR to IR and then to the Host, it is impossible
because we have no control over OR.

>> > To be more precise: the local network to be accessed to from the outside
>> > is part of another local network. The latter (outer) network has its
>> > own fixed IP but the former (inner) network gets its IP via DHCP.  So,
>> > it is impossible to connect to a computer in the inner network from the
>> > outside directly.
>>
>> Is this topology accurate?
>>
>> (Client)---(Internet)---(OR)---(IR)---(Host)
>
> The OR can port forward the incoming VPN connection to the IR.  The IR can
> then act as a VPN gateway for the inner LAN.

No, port forwarding from the OR to the IR is impossible.

>> I'm guessing that your friend (client) wants to access something (host)
>> on the inner network.  But to do so requires passing through the
>> Internet through Outer Router (with a static IP on the outside (left))
>> and through the Inner Router (which has a dynamic IP on the outside
>> (left) obtained via DHCP)).  Is that correct?
>>
>> What sort of control does your friend have on the OR & IR?
>>
>> Is NAT in use on either OR or IR?
>>
>> What sort of
>>
>> > The computer in local network to be connected runs Windows.  The said
>> > friend of mine has tried to run some VPN server from Windows but it
>> > somehow hangs the "inner" computer when his "outer" computer has problems
>> > connecting to the Internet.
>>
>> Are you saying that the Host in the diagram above is running Windows?
>> Or are you referring to a different system?
>>
>> > So, now his idea is
>> > 1) to run a virtual machine in the "inner" (Windows) computer,
>> > 2) to install into this virtual machine very lightweight Linux server
>> > only to run in it a VPN-server that should help him to connect from the
>> > outside to the "inner" host (Windows) computer, which has its fixed IP
>> > within the inner local network.
>>
>> The VM may or may not be needed.
>>
>> Assuming that NAT is in play on OR and IR (worst case), then just about
>> /any/ form of VPN initiating from the outside will be fraught with
>> uphill battles.
>>
>> It is likely possible that your friend can reconfigure both OR and IR to
>> forward a port from the Internet to Host.  But that will likely mean
>> that IR will need to have a static IP on its outside interface.  -  I'm
>> guessing this can't be done or that it would have already been done.
>>
>> I think that your friend's best bet is to have the IR initiate an
>> outbound VPN to something on the Internet that the Client can then
>> initiate connections to.  (I'm happily using a $5/month Linode VPS to do
>> this.)
>>
>> There may be ways to make this work without having the Host initiate
>> outbound connections, but I'm not sure what they would be.
>>
>> As for which VPN, a number of people like OpenVPN.  I personally prefer
>> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN.  (I've got
>> SSH exposed already, so it's one less port to expose.)  I see a number
>> of people bragging about WireGuard.  Of course there are the old PPTP /
>> L2TP / IPSec, though I would avoid them for this install.  I'm sure
>> there are a number of other VPN technologies that I'm not thinking of.
>
> PPTP has been insecure for years and is best avoided.
>
> L2TP within IPSec is OK, but check what crypto MSWindows uses.  Last time
> I looked Win7 was not strong enough.
>
> IKEv2 + IPSec with strong crypto for both, is my personal preference for
> gateway-to-gateway VPNs.
>
> MSWindows also has SSTP (because MSoft had to create their own clone of
> OpenVPN).  I think there's a Linux VPN client which will work with that:
>
>  net-misc/sstp-client
>
> but have never tried it.
>
> Of course, if the above network topology suggested by Grant is correct, then
> you will likely be limited by whatever VPN software comes with IR.
>
> In all cases, make sure you use TLS RSA/SHA2 certificates for both client and
> VPN gateway authentication.
>
> Finally, check out Wireguard.  It was designed from the ground up to overcome
> the complexity of previous VPN solutions.  I have not tried it out yet, but
> will be next time I have to set up a VPN tunnel with a non-legacy router.

Thank you. I will just forward your advice to the friend.



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-05 Thread gevisz
2018-04-05 1:02 GMT+03:00 Grant Taylor :
> On 04/04/2018 02:18 PM, gevisz wrote:
>>
>> A friend of mine asked me to recommend him an open-source VPN-server for
>> Linux but unfortunately I never used one.
>
> That's a loaded ask.

I just tried to point to the facts that
1) I know much less about VPNs than I had to before asking such a
question for myself,
2) there is, so to say, a "distributed competence": the friend of mine
is competent mostly in Windows and is a novice in Linux, whereas I have
used Linux since the death of MS DOS 6.22 and know almost nothing about
Windows (if I need some help with Windows, I just call the friend and
ask where exactly I should point and click :).

>> After some googling, I have found OpenVPN but do not know if it is the
>> best choice that suits his purposes, namely to access local network that
>> does not have its own fixed IP from the outside.
>
> Okay
>
>> To be more precise: the local network to be accessed to from the outside
>> is part of another local network. The latter (outer) network has its own
>> fixed IP but the former (inner) network gets its IP via DHCP.  So, it is
>> impossible to connect to a computer in the inner network from the outside
>> directly.
>
> Is this topology accurate?
>
> (Client)---(Internet)---(OR)---(IR)---(Host)
>
> I'm guessing that your friend (client) wants to access something (host) on
> the inner network.  But to do so requires passing through the Internet
> through Outer Router (with a static IP on the outside (left)) and through
> the Inner Router (which has a dynamic IP on the outside (left) obtained via
> DHCP)).  Is that correct?

Yes. And the Client also has a static IP. Moreover, both OR and IR have static
IPs from the inside. So, the Host can make a connection request to the Client.
The Host works as a remote server and physical access to it is costly.
All administration of the Host should be done through the Client.
That is the reason for the need of a VPN.

> What sort of control does your friend have on the OR & IR?

Absolutely no control over OR and some control over IR. But physical access
to the IR is also costly and preferably should be done only once,
during its setup.

> Is NAT in use on either OR or IR?

Yes. On both.

> What sort of

Sorry, but I know nothing about different sorts of NAT.

>> The computer in local network to be connected runs Windows.  The said
>> friend of mine has tried to run some VPN server from Windows but it somehow
>> hangs the "inner" computer when his "outer" computer has problems connecting
>> to the Internet.
>
> Are you saying that the Host in the diagram above is running Windows? Or are
> you referring to a different system?

Yes, the Host is running Windows.

>> So, now his idea is
>> 1) to run a virtual machine in the "inner" (Windows) computer,
>> 2) to install into this virtual machine very lightweight Linux server only
>> to run in it a VPN-server that should help him to connect from the outside
>> to the "inner" host (Windows) computer, which has its fixed IP within the
>> inner local network.
>
> The VM may or may not be needed.

I agree. The first attempt that will be done is to try to use a different VPN
server on Windows Host directly.

> Assuming that NAT is in play on OR and IR (worst case), then just about
> /any/ form of VPN initiating from the outside will be fraught with uphill
> battles.

As far as I understand, the connection would be initiated from the Host.

> It is likely possible that your friend can reconfigure both OR and IR to
> forward a port from the Internet to Host.  But that will likely mean that IR
> will need to have a static IP on its outside interface.  -  I'm guessing
> this can't be done or that it would have already been done.

Yes, there is absolutely no control over OR, and IR can only obtain
its IP via DHCP.

> I think that your friend's best bet is to have the IR initiate an outbound
> VPN to something on the Internet that the Client can then initiate
> connections to.  (I'm happily using a $5/month Linode VPS to do this.)

Oh, we completely overlooked the possibility to set up VPN server
directly on IR!

Thank you for the idea!

Hopefully, this VPN server won't hang the IR as it did with the Host.

As to the third party VPN services, we would like to avoid them.
The Client is run all the time and the problem arises only when it
loses the Internet connection.

> There may be ways to make this work without having the Host initiate
> outbound connections, but I'm not sure what they would be.
>
> As for which VPN, a number of people like OpenVPN.  I personally prefer
> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN.  (I've got SSH
> exposed already, so it's one less port to expose.)  I see a number of people
> bragging about WireGuard.  Of course there are the old PPTP / L2TP / IPSec,
> though I would avoid them for this install.  I'm sure there are a number of
> other VPN technologies 

Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-04 Thread R0b0t1
On Wed, Apr 4, 2018 at 3:18 PM, gevisz  wrote:
> A friend of mine asked me to recommend him an open-source
> VPN-server for Linux but unfortunately I never used one.
>

If not https://www.wireguard.com/, I recommend OpenVPN. You could try
to set up IPsec if you wanted.

> After some googling, I have found OpenVPN but do not know
> if it is the best choice that suits his purposes, namely to access
> local network that does not have its own fixed IP from the outside.
>
> To be more precise: the local network to be accessed to from the
> outside is part of another local network. The latter (outer) network
> has its own fixed IP but the former (inner) network gets its IP via DHCP.
> So, it is impossible to connect to a computer in the inner network
> from the outside directly.
>
> The computer in local network to be connected runs Windows.
> The said friend of mine has tried to run some VPN server from
> Windows but it somehow hangs the "inner" computer when
> his "outer" computer has problems connecting to the Internet.
>
> So, now his idea is
> 1) to run a virtual machine in the "inner" (Windows) computer,
> 2) to install into this virtual machine very lightweight Linux server
> only to run in it a VPN-server that should help him to connect
> from the outside to the "inner" host (Windows) computer, which
> has its fixed IP within the inner local network.
>

I'm not sure this makes sense. Firstly, in the case of OpenVPN at
least, there is a Windows client and associated signed fake network
device drivers. Perhaps if using Wireguard you might want to connect
through a VM to your VPN; I am not sure if there is a Windows client.

Secondly - you need the VPN server to be running on a computer which
is globally accessible. If your friend is in the US or some parts of
Europe their home line may not be behind NAT, and would work if set up
properly. In general most networks you connect to will not work. You
will always need one computer which is not behind NAT.

Cheers,
 R0b0t1



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-04 Thread Mick
On Wednesday, 4 April 2018 23:02:20 BST Grant Taylor wrote:
> On 04/04/2018 02:18 PM, gevisz wrote:
> > A friend of mine asked me to recommend him an open-source VPN-server
> > for Linux but unfortunately I never used one.
> 
> That's a loaded ask.
> 
> > After some googling, I have found OpenVPN but do not know if it is the
> > best choice that suits his purposes, namely to access local network that
> > does not have its own fixed IP from the outside.
> 
> Okay

This may be solvable, if the public facing gateway can be configured to 
forward the requisite ports/protocols to the LAN where the host is located.


> > To be more precise: the local network to be accessed to from the outside
> > is part of another local network. The latter (outer) network has its
> > own fixed IP but the former (inner) network gets its IP via DHCP.  So,
> > it is impossible to connect to a computer in the inner network from the
> > outside directly.
> 
> Is this topology accurate?
> 
> (Client)---(Internet)---(OR)---(IR)---(Host)

The OR can port forward the incoming VPN connection to the IR.  The IR can 
then act as a VPN gateway for the inner LAN.


> I'm guessing that your friend (client) wants to access something (host)
> on the inner network.  But to do so requires passing through the
> Internet through Outer Router (with a static IP on the outside (left))
> and through the Inner Router (which has a dynamic IP on the outside
> (left) obtained via DHCP)).  Is that correct?
> 
> What sort of control does your friend have on the OR & IR?
> 
> Is NAT in use on either OR or IR?
> 
> What sort of
> 
> > The computer in local network to be connected runs Windows.  The said
> > friend of mine has tried to run some VPN server from Windows but it
> > somehow hangs the "inner" computer when his "outer" computer has problems
> > connecting to the Internet.
> 
> Are you saying that the Host in the diagram above is running Windows?
> Or are you referring to a different system?
> 
> > So, now his idea is
> > 1) to run a virtual machine in the "inner" (Windows) computer,
> > 2) to install into this virtual machine very lightweight Linux server
> > only to run in it a VPN-server that should help him to connect from the
> > outside to the "inner" host (Windows) computer, which has its fixed IP
> > within the inner local network.
> 
> The VM may or may not be needed.
> 
> Assuming that NAT is in play on OR and IR (worst case), then just about
> /any/ form of VPN initiating from the outside will be fraught with
> uphill battles.
> 
> It is likely possible that your friend can reconfigure both OR and IR to
> forward a port from the Internet to Host.  But that will likely mean
> that IR will need to have a static IP on its outside interface.  -  I'm
> guessing this can't be done or that it would have already been done.
> 
> I think that your friend's best bet is to have the IR initiate an
> outbound VPN to something on the Internet that the Client can then
> initiate connections to.  (I'm happily using a $5/month Linode VPS to do
> this.)
> 
> There may be ways to make this work without having the Host initiate
> outbound connections, but I'm not sure what they would be.
> 
> As for which VPN, a number of people like OpenVPN.  I personally prefer
> OpenSSH's ability to do a routed (L3) (or bridged L2) VPN.  (I've got
> SSH exposed already, so it's one less port to expose.)  I see a number
> of people bragging about WireGuard.  Of course there are the old PPTP /
> L2TP / IPSec, though I would avoid them for this install.  I'm sure
> there are a number of other VPN technologies that I'm not thinking of.

PPTP has been insecure for years and is best avoided.

L2TP within IPSec is OK, but check what crypto MSWindows uses.  Last time 
I looked Win7 was not strong enough.

IKEv2 + IPSec with strong crypto for both is my personal preference for 
gateway-to-gateway VPNs.

MSWindows also has SSTP (because MSoft had to create their own clone of 
OpenVPN).  I think there's a Linux VPN client which will work with that:

 net-misc/sstp-client

but have never tried it.

Of course, if the above network topology suggested by Grant is correct, then 
you will likely be limited by whatever VPN software comes with IR.

In all cases, make sure you use TLS RSA/SHA2 certificates for both client and 
VPN gateway authentication.

Finally, check out Wireguard.  It was designed from the ground up to overcome 
the complexity of previous VPN solutions.  I have not tried it out yet, but 
will be next time I have to set up a VPN tunnel with a non-legacy router.

-- 
Regards,
Mick



Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?

2018-04-04 Thread Grant Taylor

On 04/04/2018 02:18 PM, gevisz wrote:
> A friend of mine asked me to recommend him an open-source VPN-server 
> for Linux but unfortunately I never used one.


That's a loaded ask.

> After some googling, I have found OpenVPN but do not know if it is the 
> best choice that suits his purposes, namely to access local network that 
> does not have its own fixed IP from the outside.


Okay

> To be more precise: the local network to be accessed to from the outside 
> is part of another local network. The latter (outer) network has its 
> own fixed IP but the former (inner) network gets its IP via DHCP.  So, 
> it is impossible to connect to a computer in the inner network from the 
> outside directly.


Is this topology accurate?

(Client)---(Internet)---(OR)---(IR)---(Host)

I'm guessing that your friend (client) wants to access something (host) 
on the inner network.  But to do so requires passing through the 
Internet through Outer Router (with a static IP on the outside (left)) 
and through the Inner Router (which has a dynamic IP on the outside 
(left) obtained via DHCP)).  Is that correct?


What sort of control does your friend have on the OR & IR?

Is NAT in use on either OR or IR?

What sort of

> The computer in local network to be connected runs Windows.  The said 
> friend of mine has tried to run some VPN server from Windows but it 
> somehow hangs the "inner" computer when his "outer" computer has problems 
> connecting to the Internet.


Are you saying that the Host in the diagram above is running Windows? 
Or are you referring to a different system?



> So, now his idea is
> 1) to run a virtual machine in the "inner" (Windows) computer,
> 2) to install into this virtual machine very lightweight Linux server 
> only to run in it a VPN-server that should help him to connect from the 
> outside to the "inner" host (Windows) computer, which has its fixed IP 
> within the inner local network.


The VM may or may not be needed.

Assuming that NAT is in play on OR and IR (worst case), then just about 
/any/ form of VPN initiating from the outside will be fraught with 
uphill battles.


It is likely possible that your friend can reconfigure both OR and IR to 
forward a port from the Internet to Host.  But that will likely mean 
that IR will need to have a static IP on its outside interface.  -  I'm 
guessing this can't be done or that it would have already been done.


I think that your friend's best bet is to have the IR initiate an 
outbound VPN to something on the Internet that the Client can then 
initiate connections to.  (I'm happily using a $5/month Linode VPS to do 
this.)


There may be ways to make this work without having the Host initiate 
outbound connections, but I'm not sure what they would be.


As for which VPN, a number of people like OpenVPN.  I personally prefer 
OpenSSH's ability to do a routed (L3) (or bridged L2) VPN.  (I've got 
SSH exposed already, so it's one less port to expose.)  I see a number 
of people bragging about WireGuard.  Of course there are the old PPTP / 
L2TP / IPSec, though I would avoid them for this install.  I'm sure 
there are a number of other VPN technologies that I'm not thinking of.


I'm using OpenSSH's VPN feature between an inside client machine and an 
external Linode VPS that functions as a midway rendezvous point.




--
Grant. . . .
unix || die
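The rendezvous layout Grant describes (the machine behind both NATs dials out to a VPS, and the Client meets it there), worked through with OpenSSH's tun VPN as an added example that is not from any poster in this thread. It assumes the dialing end is a Linux box (the lightweight Linux VM the friend planned, or the IR itself); vps.example.net, the 10.200.0.0/30 tunnel subnet and the key path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH layer-3 (tun) VPN through a
# rendezvous VPS. The Host side dials OUT through OR and IR on TCP/22, so
# neither router has to forward anything; the Client connects to the VPS.
# Constructed placeholders: vps.example.net, 10.200.0.0/30, the key path.
# Creating a tun device needs root on both ends, so the dedicated key used
# for the tunnel is tied down hard on the VPS side.

VPS="vps.example.net"            # rendezvous point with a public, static IP
TUN_ID=0                         # tun device number used on both ends
VPS_TUN_IP="10.200.0.1"
HOST_TUN_IP="10.200.0.2"
TUN_PREFIX=30
KEY="/root/.ssh/host_tunnel_ed25519"   # dedicated key on the Host side

# sshd_config fragment for the VPS: allow only point-to-point (layer-3)
# tunnels and admit root with keys only (the tunnel key is restricted below).
vps_sshd_fragment() {
    cat <<EOF
PermitTunnel point-to-point
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
}

# authorized_keys line for the Host's key on the VPS. "restrict" switches off
# port forwarding, pty, agent and X11 forwarding; tunnel="N" then re-enables
# exactly one tun device, so this key can do nothing but bring up tun$TUN_ID.
vps_authorized_key() {
    pubkey="$1"
    printf 'restrict,tunnel="%s" %s\n' "$TUN_ID" "$pubkey"
}

# Address the VPS end of the tunnel once the Host has connected (run on VPS).
vps_tun_setup() {
    printf 'ip addr add %s/%s dev tun%s\nip link set tun%s up\n' \
        "$VPS_TUN_IP" "$TUN_PREFIX" "$TUN_ID" "$TUN_ID"
}

# The outbound connection from the Host. -w attaches local tunN to remote
# tunN, -N opens no shell, keepalives detect a dead uplink (the failure case
# discussed in the thread) and ExitOnForwardFailure makes a refused tunnel
# request fatal so the retry loop below notices instead of idling.
host_ssh_command() {
    printf 'ssh -N -w %s:%s -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes root@%s' \
        "$TUN_ID" "$TUN_ID" "$KEY" "$VPS"
}

# Address the Host end of the tunnel after ssh connects (run on the Host).
host_tun_setup() {
    printf 'ip addr add %s/%s dev tun%s\nip link set tun%s up\n' \
        "$HOST_TUN_IP" "$TUN_PREFIX" "$TUN_ID" "$TUN_ID"
}

# Supervisor loop for the Host: reconnect after the uplink drops rather than
# leaving a dead tunnel behind. Emitted as text so this script stays inert.
host_reconnect_loop() {
    cat <<EOF
while :; do
    $(host_ssh_command)
    sleep 15
done
EOF
}

echo "# --- VPS: /etc/ssh/sshd_config fragment ---"; vps_sshd_fragment
echo "# --- VPS: /root/.ssh/authorized_keys line ---"
vps_authorized_key "ssh-ed25519 AAAA...placeholder host-tunnel"
echo "# --- VPS: after the Host connects ---"; vps_tun_setup
echo "# --- Host: keep the outbound tunnel alive ---"; host_reconnect_loop
echo "# --- Host: after ssh connects ---"; host_tun_setup
```

Once both ends are addressed, the Client reaches the Host at 10.200.0.2 by way of the VPS (for instance with a local forward from the Client through the VPS), and no port has to be opened on OR or IR.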