[kwlug-disc] Remote access to machine behind CG-NAT

John Van Ostrand john at vanostrand.com
Tue May 20 10:51:21 EDT 2025


On Tue, May 20, 2025 at 10:45 AM John Van Ostrand <john at vanostrand.com>
wrote:

> On Sun, May 18, 2025 at 8:12 PM Khalid Baheyeldin <kb at 2bits.com> wrote:
>
>> I briefly looked into SSH tunneling, which I used decades ago but in a
>> far simpler scenario (ssh access).
>> It should work, and with AutoSSH, it should be more robust (restarted if
>> traffic ceases, or daemon dies).
>> But my conclusion is that it is only good for one (or a couple of) ports
>> that one needs to open, and then it gets complicated from there (one tunnel
>> and one systemd unit file per port), so that is a future limitation.
>>
>
> I used SSH tunnels for a little while a long time ago, running something
> like SLIP or PPP over them.
>
>
>> Maybe I should try SSH tunneling first before delving into more complex
>> solutions ...
>>
>> Complexity includes setting up for split tunneling, so that not all
>> traffic goes through the VPN server.
>> (e.g. large backups from one's laptop to the server, on the local LAN,
>> now go to a third server, and back)
>>
>
> Is that route based, as in by IP address, or service/port based, as in
> needing a firewall rule?
>
>
>> John, you confirm that a private VPN will get over the issue, and that is
>> encouraging.
>> Any specific reasons you didn't go for WireGuard?
>>
>> I assume that pfSense is not the only way to run it, and it can be run on
>> a plain Ubuntu machine.
>>
>
> Looking for VPN solutions is mired in many false results meant for
> anonymous browsing or for fooling geolocation. So I tired of searching for
> alternatives quickly and fell back to OpenVPN, something I dabbled in 10
> or 15 years ago. It provides for multiple VPN connections: peer-to-peer,
> peer-to-network and network-to-network.
>
> I also dabbled in IPSec back then, but I found it harder to learn and
> debug as it was filled with crypto terms and I was too busy to devote time
> to learning it.
>
> You don't need to use pfSense to make OpenVPN easy. I took a base headless
> Fedora VPS install and added OpenVPN, easy-rsa, firewalld, and
> fail2ban-systemd.
>
> At first I thought I'd use shared keys to set up VPNs, but I quickly found
> out that OpenVPN allows only one connection per port using that. To do
> several I'd have to run several OpenVPN servers on separate ports. The
> alternative is to use signed certificates. OpenVPN requires that OpenVPN be
> the certificate authority, which means it can't use keys signed by third
> party organizations. I'm fine with that because I don't want to pay for
> signed certs. But it does mean having to set up a certificate authority
> (CA). That is made easy with *easy-rsa*. If you're used to creating SSH
> keys, this is just as easy once you set up the CA and does basically the
> same thing.
>
> # Generate Diffie-Hellman params (easyrsa writes them to pki/dh.pem)
> cd /usr/share/easy-rsa/3
> ./easyrsa gen-dh
> cp pki/dh.pem /etc/openvpn/server
>
> # Generate server key and cert (build-*-full encrypts the key; strip the passphrase below)
> cd /usr/share/easy-rsa/3
> ./easyrsa build-server-full server2
> openssl rsa -in pki/private/server2.key -out /etc/openvpn/server/tls/server2.key # Remove pwd and put in place
>
> # Generate a user key
> ./easyrsa build-client-full khalid
> openssl rsa -in pki/private/khalid.key -out pki/private/khalid.key.clear # Remove pwd
>
> Then you copy the key to the client.
>
> Setup for networking is kind of straightforward if you understand IPv4
> networking. You can push network routes to clients so things just work when
> a client connects.
>
> I've been running OpenVPN between my home and cottage for months now and
> occasionally connecting with my phone and it's been working great.
>
> What I suggest is that you create a calendar item to remind you to
> re-issue certs when they expire. Otherwise a few years down the road you'll
> be wondering why your VPN isn't connecting.
>


On my android phone I use the *OpenVPN Connect* app. Creating a
configuration file for it isn't too hard to do. You basically embed the CA
public cert and the client certs in an OpenVPN config file and transfer it
to your phone.

# OpenVPN client configuration file for Khalid's smart phone
#

client
dev tun
proto udp4
remote openvpn.2bits.com
resolv-retry infinite
nobind
persist-key
persist-tun
# Require the server's certificate to carry the server EKU, so a leaked
# client cert (signed by the same CA) cannot be used to impersonate the server.
remote-cert-tls server
verb 3
tls-client
key-direction 1

# Use files

# ca ca.crt
# cert khalid.crt
# key khalid.key

## or use embedded
#<ca>
#-----BEGIN CERTIFICATE-----
#...
#-----END CERTIFICATE-----
#</ca>
#
#<cert>
#-----BEGIN CERTIFICATE-----
#...
#-----END CERTIFICATE-----
#</cert>
#
#<key>
#-----BEGIN PRIVATE KEY-----
#...
#-----END PRIVATE KEY-----
#</key>

John Van Ostrand
At large on sabbatical
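Added example, written for this page and not John's code or anything from the OpenVPN or easy-rsa projects: the CA, server-cert and client-cert steps above done with plain openssl in place of easy-rsa, the inline profile assembled the way the message describes, and two checks worth running before handing a profile out: that the certificates carry the extended key usage "remote-cert-tls server" relies on (a client cert must fail the sslserver purpose, a cert from another CA must fail outright), and the expiry check behind the calendar-reminder advice. The temporary directory, the CA name, the host openvpn.example.net and the identity names are assumptions; keys are generated unencrypted (-nodes), so the "openssl rsa" passphrase-stripping step is not needed here.

```shell
#!/bin/sh
# Added example, not from the original post: a tiny private CA built with
# plain openssl (standing in for easy-rsa), one server cert, one client
# cert, and an inline .ovpn profile like the one in the message. The
# directory, host name and identity names below are assumptions.
set -eu

PKI=${PKI:-$(mktemp -d)}
CA_DAYS=3650
LEAF_DAYS=825   # keep this and the renewal check below in sync with your calendar

# write_cnf FILE CN ROLE: a minimal openssl config so the system openssl.cnf
# is never consulted. ROLE (ca|server|client) picks the extension set; the
# extendedKeyUsage is what "remote-cert-tls server" inspects on the client.
write_cnf() {
  case "$3" in
    ca)     ext='basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign' ;;
    server) ext='basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth' ;;
    client) ext='basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth' ;;
    *) echo "write_cnf: role must be ca, server or client" >&2; return 1 ;;
  esac
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n' > "$1"
  printf '[dn]\nCN = %s\n[ext]\nsubjectKeyIdentifier = hash\n%s\n' "$2" "$ext" >> "$1"
}

# build_ca DIR: self-signed CA key and cert (the "set up a CA" step).
build_ca() {
  mkdir -p "$1"
  write_cnf "$1/ca.cnf" "Demo VPN CA" ca
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days "$CA_DAYS" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"
}

# issue DIR NAME ROLE: key + CSR for NAME, signed by DIR's CA with the
# extensions for ROLE. Keys are written unencrypted (-nodes).
issue() {
  write_cnf "$1/$2.cnf" "$2" "$3"
  openssl req -new -config "$1/$2.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$LEAF_DAYS" -in "$1/$2.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/$2.cnf" -extensions ext -out "$1/$2.crt" 2>/dev/null
  chmod 600 "$1/$2.key"
}

# verify_role CAFILE CERT PURPOSE: does CERT chain to CAFILE and carry the
# EKU for PURPOSE (sslserver|sslclient)? A client cert must fail sslserver;
# that is the check remote-cert-tls performs against a replayed client cert.
verify_role() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# expires_within CERT DAYS: exit 0 if CERT expires within DAYS days.
# Run from cron as the renewal reminder the post suggests.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) 2>/dev/null
}

# build_profile DIR NAME HOST OUT: inline profile with <ca>/<cert>/<key>
# blocks instead of file references; it contains the private key, so 0600.
build_profile() {
  {
    printf 'client\ndev tun\nproto udp4\nremote %s 1194\n' "$3"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
    printf 'remote-cert-tls server\nverb 3\n'
    printf '<ca>\n'; cat "$1/ca.crt"; printf '</ca>\n'
    printf '<cert>\n'; cat "$1/$2.crt"; printf '</cert>\n'
    printf '<key>\n'; cat "$1/$2.key"; printf '</key>\n'
  } > "$4"
  chmod 600 "$4"
}

demo() {
  build_ca "$PKI"
  issue "$PKI" server server
  issue "$PKI" khalid client
  build_profile "$PKI" khalid openvpn.example.net "$PKI/khalid.ovpn"
  # A second, unrelated CA: its server cert must not verify against ours.
  build_ca "$PKI/rogue"
  issue "$PKI/rogue" server server
  echo "PKI and profile written under $PKI"
}

demo
```

The profile embeds the client's private key, so move it to the phone over a channel you would trust with an SSH private key and delete the copy on the server afterwards. `expires_within "$PKI/khalid.crt" 30` from a cron job, mailing on success, replaces the calendar reminder; remember that the CA certificate itself expires too.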