[kwlug-disc] Remote access to machine behind CG-NAT
John Van Ostrand
john at vanostrand.com
Tue May 20 10:45:53 EDT 2025
On Sun, May 18, 2025 at 8:12 PM Khalid Baheyeldin <kb at 2bits.com> wrote:
> I briefly looked into SSH tunneling, which I used decades ago but in a far
> simpler scenario (ssh access).
> It should work, and with AutoSSH, it should be more robust (restarted if
> traffic ceases, or daemon dies).
> But my conclusion is that it is only good for one (or a couple) of ports
> that one needs to open, and then gets complicated from there (one tunnel
> and one Systemd unit file per port), so that is a future limitation.
>
I used SSH tunnels for a little while a long time ago, running something
like SLIP or PPP over it.
> Maybe I should try SSH tunneling first before delving into more complex
> solutions ...
>
> Complexity includes setting up for split tunneling, so that not all
> traffic goes through the VPN server.
> (e.g. large backups from one's laptop to the server, on the local LAN, now
> go to a third server, and back)
>
Is that route based, as in by IP address, or service/port based, as in
needing a firewall rule?
> John, you confirm that a private VPN will get over the issue, and that is
> encouraging.
> Any specific reasons you didn't go for WireGuard?
>
> I assume that pfSense is not the only way to run it, and it can be run on
> a plain Ubuntu machine.
>
Looking for VPN solutions is mired in many false results meant for
anonymous browsing, or fooling geo locating. So I tired of searching for
alternatives quickly and fell back to OpenVPN as something I dabbled in 10
or 15 years ago. It provides for multiple VPN connections, peer-to-peer,
peer-to-network and network-to-network.
I also dabbled in IPSec back then, but I found it harder to learn and debug
as it was filled with crypto terms and I was too busy to devote time to
learning it.
You don't need to use pfSense to make OpenVPN easy. I took a base headless
Fedora VPS install and added OpenVPN, easy-rsa, firewalld, and
fail2ban-systemd.
At first I thought I'd use shared keys to set up VPNs, but I quickly found
out that OpenVPN allows only one connection per port using that. To do
several I'd have to run several OpenVPN servers on separate ports. The
alternative is to use signed certificates. OpenVPN requires that OpenVPN be
the certificate authority, which means it can't use keys signed by third
party organizations. I'm fine with that because I don't want to pay for
signed certs. But it does mean having to set up a certificate authority
(CA). That is made easy with *easy-rsa*. If you're used to creating SSH keys,
this is just as easy once you set up the CA and does basically the same
thing.
# Generate Diffie-Hellman params (easy-rsa 3 writes them to pki/dh.pem)
cd /usr/share/easy-rsa/3
./easyrsa gen-dh
cp pki/dh.pem /etc/openvpn/server
# Generate server key and cert (easyrsa prompts for a passphrase on the key;
# the CA cert pki/ca.crt and the server cert pki/issued/server2.crt go alongside it)
cd /usr/share/easy-rsa/3
./easyrsa build-server-full server2
openssl rsa -in pki/private/server2.key -out /etc/openvpn/server/tls/server2.key   # Remove pwd and put in place
# Generate a user key
./easyrsa build-client-full khalid
openssl rsa -in pki/private/khalid.key -out pki/private/khalid.key.clear   # Remove pwd
Then you copy the key to the client.
Setup for networking is kind of straightforward if you understand IPv4
networking. You can push network routes to clients so things just work when
a client connects.
I've been running OpenVPN between my home and cottage for months now and
occasionally connecting with my phone and it's been working great.
What I suggest is that you create a calendar item to remind you to re-issue
certs when they expire. Otherwise a few years down the road you'll be
wondering why your VPN isn't connecting.
On my Android phone I use the *OpenVPN Connect
--
John Van Ostrand
At large on sabbatical
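John's advice above is to put a calendar reminder on certificate expiry. The script below is an added example, not code from John's message or from the easy-rsa or OpenVPN projects: it walks the easy-rsa PKI directory from the commands above (assumed to be /usr/share/easy-rsa/3/pki, which is not stated in the message), reports the days left on the CA and every issued certificate using the openssl CLI, and exits non-zero when any cert is inside a renewal window, so a cron job can do the reminding. It assumes GNU date for the -d option.

```shell
#!/bin/sh
# Added example (not from the original message): report days remaining on each
# certificate in an easy-rsa PKI and fail when one is inside the renewal window.
# Assumptions: the openssl CLI is installed and `date -d` is GNU date (Linux).

# Print the whole number of days until the certificate in $1 expires.
# The value goes negative once the certificate has already expired.
days_until_expiry() {
    cert="$1"
    # `openssl x509 -enddate` prints e.g. "notAfter=May 20 14:45:53 2026 GMT";
    # strip the "notAfter=" prefix and let GNU date parse the rest.
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    exp=$(date -d "$not_after" +%s)
    now=$(date +%s)
    echo $(( (exp - now) / 86400 ))
}

# check_pki PKI_DIR DAYS
# Lists the CA cert and every cert under issued/ with an OK or RENEW verdict.
# Returns 0 when all certs have more than DAYS days left, 1 otherwise, so the
# non-zero exit can drive a cron mail or a monitoring alert.
check_pki() {
    pki="$1"
    threshold="$2"
    status=0
    for cert in "$pki/ca.crt" "$pki"/issued/*.crt; do
        [ -f "$cert" ] || continue
        # -checkend SECONDS exits 0 if the cert is still valid SECONDS from now,
        # 1 if it will have expired by then (or has already).
        if openssl x509 -in "$cert" -noout -checkend $(( threshold * 86400 )) >/dev/null; then
            printf 'OK     %s (%s days left)\n' "$cert" "$(days_until_expiry "$cert")"
        else
            printf 'RENEW  %s (%s days left)\n' "$cert" "$(days_until_expiry "$cert")"
            status=1
        fi
    done
    return $status
}

# Usage: sh check-certs.sh [PKI_DIR] [DAYS]   (defaults match the message's layout)
if [ $# -ge 1 ]; then
    check_pki "$1" "${2:-30}"
fi
```

Run it from cron with something like `check-certs.sh /usr/share/easy-rsa/3/pki 60` and let cron's non-zero-exit mail be the reminder; the 60-day window leaves time to re-issue a client cert and copy it to the phone or cottage box before the old one stops connecting. The same check applied to /etc/openvpn/server catches a server cert that was copied into place once and never updated after the PKI was renewed.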