<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Tue, May 20, 2025 at 10:45 AM John Van Ostrand <<a href="mailto:john@vanostrand.com">john@vanostrand.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">On Sun, May 18, 2025 at 8:12 PM Khalid Baheyeldin <<a href="mailto:kb@2bits.com" target="_blank">kb@2bits.com</a>> wrote:</div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div style="font-size:small">I briefly looked into SSH tunneling, which I used decades ago but in a far simpler scenario (ssh access). </div><div style="font-size:small">It should work, and with AutoSSH, it should be more robust (restarted if traffic ceases, or daemon dies).</div><div style="font-size:small">But my conclusion is that it is only good for one (or a couple) of ports that one needs to open, and then gets complicated from there (one tunnel and one Systemd unit file per port), so that is a future limitation.</div></div></div></blockquote><div><br></div><div>I used SSH tunnels for a little while a long time ago, running something like SLIP or PPP over them. </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div style="font-size:small"><br></div><div style="font-size:small">Maybe I should try SSH tunneling first before delving into more complex solutions ...<br></div><div style="font-size:small"><br></div><div style="font-size:small">Complexity includes setting up for split tunneling, so that not all traffic goes through the VPN server.</div><div style="font-size:small">(e.g. 
large backups from one's laptop to the server, on the local LAN, now go to a third server, and back)</div></div></div></blockquote><div><br></div><div>Is that route based, as in by IP address, or service/port based, as in needing a firewall rule? </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div style="font-size:small"><br></div><div style="font-size:small">John, you confirm that a private VPN will get over the issue, and that is encouraging. <br></div><div style="font-size:small">Any specific reasons you didn't go for WireGuard?</div><div style="font-size:small"><br></div><div style="font-size:small">I assume that pfSense is not the only way to run it, and it can be run on a plain Ubuntu machine.<br></div></div></div></blockquote><div><br></div><div>Looking for VPN solutions is mired in many false results meant for anonymous browsing, or fooling geolocation. So I tired of searching for alternatives quickly and fell back to OpenVPN as something I dabbled in 10 or 15 years ago. It provides for multiple VPN connections: peer-to-peer, peer-to-network and network-to-network.</div><div><br></div><div>I also dabbled in IPsec back then, but I found it harder to learn and debug as it was filled with crypto terms and I was too busy to devote time to learning it.</div><div><br></div><div>You don't need to use pfSense to make OpenVPN easy. I took a base Fedora headless installed VPS and added OpenVPN, easy-rsa, firewalld, and fail2ban-systemd.</div><div><br></div><div>At first I thought I'd use shared keys to set up VPNs, but I quickly found out that OpenVPN allows only one connection per port using that. To do several I'd have to run several OpenVPN servers on separate ports. The alternative is to use signed certificates. OpenVPN requires that OpenVPN be the certificate authority, which means it can't use keys signed by third-party organizations. 
I'm fine with that because I don't want to pay for signed certs. But it does mean having to set up a certificate authority (CA). That is made easy with *easy-rsa*. You're used to creating SSH keys; this is just as easy once you set up the CA and does basically the same thing.</div><pre class="gmail-code">
# Generate Diffie-Hellman params
cd /usr/share/easy-rsa/3
./easyrsa gen-dh
cp pki/dh.pem /etc/openvpn/server

# Generate server key and cert
cd /usr/share/easy-rsa/3
./easyrsa build-server-full server2
openssl rsa -in pki/private/server2.key -out /etc/openvpn/server/tls/server2.key   # Remove the passphrase and put the key in place

# Generate a user key
./easyrsa build-client-full khalid
openssl rsa -in pki/private/khalid.key -out pki/private/khalid.key.clear   # Remove the passphrase
</pre><div><br>Then you copy the key to the client.</div><div><br></div><div>Setup for networking is kind of straightforward if you understand IPv4 networking. You can push network routes to clients so things just work when a client connects.</div><div><br></div><div>I've been running OpenVPN between my home and cottage for months now and occasionally connecting with my phone, and it's been working great.</div><div><br></div><div>What I suggest is that you create a calendar item to remind you to re-issue certs when they expire. Otherwise a few years down the road you'll be wondering why your VPN isn't connecting.</div><div></div></div></div></blockquote><div><br></div><div><br></div></div><div>On my Android phone I use the *OpenVPN Connect* app. Creating a configuration file for it isn't too hard to do. 
You basically embed the CA public cert and the client certs in an OpenVPN config file and transfer it to your phone.</div><div><pre class="gmail-code" style="margin-top:0px;margin-bottom:1.4em;padding:0.7em 1em;font-family:Consolas,"Andale Mono WT","Andale Mono","Bitstream Vera Sans Mono","Nimbus Mono L",Monaco,"Courier New",monospace;font-size:14px;direction:ltr;background-color:rgb(251,250,249);color:rgb(51,51,51);border-radius:2px;overflow:auto;border:1px solid rgb(204,204,204)"># OpenVPN client configuration file for Khalid's smart phone
#
client
dev tun
proto udp4
remote <a href="http://openvpn.2bits.com">openvpn.2bits.com</a>
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
tls-client
key-direction 1
# Use files
# ca ca.crt
# cert khalid.crt
# key khalid.key
## or use embedded
#<ca>
#-----BEGIN CERTIFICATE-----
#...
#-----END CERTIFICATE-----
#</ca>
#
#<cert>
#-----BEGIN CERTIFICATE-----
#...
#-----END CERTIFICATE-----
#</cert>
#
#<key>
#-----BEGIN PRIVATE KEY-----
#...
#-----END PRIVATE KEY-----
#</key>
</pre></div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>John Van Ostrand<br></div><div>At large on sabbatical<br></div><br></div></div></div>
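<div>As an added example that is not part of this thread and not OpenVPN's or easy-rsa's own tooling, the following Python script does what the last message describes: it takes a base client config, drops the file-based <code>ca</code>/<code>cert</code>/<code>key</code> directives (active or commented out) and appends the three inline blocks, refusing any input that is not exactly one PEM object. The host name and the PEM bodies are constructed placeholders, not values from the thread.</div>

```python
"""Build a single-file OpenVPN client profile with the CA cert, client cert
and client key embedded inline (constructed example, not from the thread)."""
import re

# File-based directives that the inline <tag>...</tag> blocks replace.
INLINE_DIRECTIVES = ("ca", "cert", "key")
# Matches "ca ca.crt", "key khalid.key" or their commented-out forms ("# ca ca.crt").
_FILE_DIRECTIVE = re.compile(r"^#*\s*(ca|cert|key)\s+\S+")

def _check_pem(text: str, label: str) -> str:
    """Accept exactly one PEM object; refuse anything else so a stray or
    empty file cannot produce a profile that silently fails to connect."""
    body = text.strip()
    if not (body.startswith("-----BEGIN ") and body.endswith("-----")):
        raise ValueError(f"{label}: not a PEM block")
    if body.count("-----BEGIN ") != 1:
        raise ValueError(f"{label}: expected exactly one PEM object")
    return body

def build_inline_profile(base_config: str, ca_pem: str, cert_pem: str, key_pem: str) -> str:
    """Return the base config with ca/cert/key file directives removed and
    the matching inline blocks appended in ca, cert, key order."""
    pems = {"ca": ca_pem, "cert": cert_pem, "key": key_pem}
    kept = [line.rstrip() for line in base_config.splitlines()
            if not _FILE_DIRECTIVE.match(line.strip())]
    profile = "\n".join(kept).rstrip() + "\n"
    for tag in INLINE_DIRECTIVES:
        profile += f"\n<{tag}>\n{_check_pem(pems[tag], tag)}\n</{tag}>\n"
    return profile

# Constructed base config (placeholder host) modelled on the one in the thread.
SAMPLE_CONFIG = """client
dev tun
proto udp4
remote vpn.example.net
remote-cert-tls server
tls-client
key-direction 1
# ca ca.crt
# cert khalid.crt
# key khalid.key
"""
# Constructed PEM stand-ins; real files hold base64 DER, not this text.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-BODY\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT-BODY\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY-BODY\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_inline_profile(SAMPLE_CONFIG, SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY))
```

The resulting profile contains the client's private key in clear text, so it should be moved to the phone over a channel you trust and deleted from any intermediate location afterwards.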