Slashdot Mirror
Ask Slashdot: VPN Solution To Connect Mixed-Environment Households?
New submitter RavenLrD20k writes: I am a programmer by trade with a significant amount of training as a Network Administrator (AAS in Computer Networking). I have no problem with how to build three or four separate networks in each location and make them route over the internet. My weakness is in trying to setup a VPN for a secured two-way connection between location A and location B, both mixed OS environments, with the requirement that all of the internet traffic on B gets routed through A first. I've already looked at some boxed solutions, such as LogMeIn Hamachi, but there hasn't been much in the way of mixed environment support. This is a complicated one, so keep reading for more on what RavenLrD20k is trying to accomplish.
Some background: Due to recent events it's become necessary for me to have remote access to all of my Parents' computers which are about 4 hours away(location B) from my home location(location A). This is to facilitate me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites (I'm already going to be upgrading their 2 systems to Windows 7 Ultimate on my dime for this purpose). The ISP for Location B also seems to be blocking the Desktop Sharing ports as this method has completely stopped working for us without notice, and router configs have been verified as forwarding the necessary ports. Location B also has 2 grandchildren that will have a Windows 7 Home Edition Laptop (for MS Office based classwork), a Linux Mint Machine (to start, he has full reign to do whatever he wants to this machine after initial setup with the understanding that if he "breaks" it, he fixes it), and several BeagleBone or R-Pi machines for my Son's experiments while he's visiting for the summer.
Location A has two networks. First is the one with the public IP that I run my Linux servers and physically connected Desktop on. This network also has a wireless interface that allows gaming machines and phones on the North side of the house to connect to. Network two is behind the NAT and runs a dual-band wireless connection for devices on the south side. I would rather not have this second network get internet access through the VPN but through the traditional means.
Location A has a 150/30 cable connection with a 2TB cap. Location B has a 20Mb/s symmetrical uncapped Fiber connection. I also have a VPS "in the cloud" running CentOS which has a 1Gbps Inbound 20Mbps(1Gbps burstable) Outbound connection which may be repurposed for this if necessary. I figure this to be common sense but I would prefer that the the connection between the locations be routed as opposed to bridged as to avoid the issues that come with sending broadcast packets over the internet.
As I said, I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry. On top of this I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default. I want everyone to have complete open access to the full internet (this too is to help educate my son in smart browsing/chatting and encourage "you break it, you fix it").
Have a question for Slashdot's readers? Take a look at other recent questions first to see if someone else has had a similar question. And if not, ask away! The more details and context you include, the more likely your question will be selected.
Some background: Due to recent events it's become necessary for me to have remote access to all of my Parents' computers which are about 4 hours away(location B) from my home location(location A). This is to facilitate me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites (I'm already going to be upgrading their 2 systems to Windows 7 Ultimate on my dime for this purpose). The ISP for Location B also seems to be blocking the Desktop Sharing ports as this method has completely stopped working for us without notice, and router configs have been verified as forwarding the necessary ports. Location B also has 2 grandchildren that will have a Windows 7 Home Edition Laptop (for MS Office based classwork), a Linux Mint Machine (to start, he has full reign to do whatever he wants to this machine after initial setup with the understanding that if he "breaks" it, he fixes it), and several BeagleBone or R-Pi machines for my Son's experiments while he's visiting for the summer.
Location A has two networks. First is the one with the public IP that I run my Linux servers and physically connected Desktop on. This network also has a wireless interface that allows gaming machines and phones on the North side of the house to connect to. Network two is behind the NAT and runs a dual-band wireless connection for devices on the south side. I would rather not have this second network get internet access through the VPN but through the traditional means.
Location A has a 150/30 cable connection with a 2TB cap. Location B has a 20Mb/s symmetrical uncapped Fiber connection. I also have a VPS "in the cloud" running CentOS which has a 1Gbps Inbound 20Mbps(1Gbps burstable) Outbound connection which may be repurposed for this if necessary. I figure this to be common sense but I would prefer that the the connection between the locations be routed as opposed to bridged as to avoid the issues that come with sending broadcast packets over the internet.
As I said, I primarily want this to be able to remote into my parents' systems to provide maintenance and support instead of having to budget an emergency trip when things go awry. On top of this I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default. I want everyone to have complete open access to the full internet (this too is to help educate my son in smart browsing/chatting and encourage "you break it, you fix it").
Have a question for Slashdot's readers? Take a look at other recent questions first to see if someone else has had a similar question. And if not, ask away! The more details and context you include, the more likely your question will be selected.
I recommend either an OpenVPN tunnel with appropriate routing (multi-OS capable) or just use the Linux machines already at the site as tunnel servers using SSH as a VPN (relatively recent versions of SSH required).
AntiFA: An abbreviation for Anti First Amendment.
If I'm understanding the requirements, you will want to use openvpn. It has support for Windows and anything running Linux, all sorts of routing options to play with, etc.
Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.
http://www.cisco.com/c/en/us/p...
I don't respond to AC's.
For your main goal of being able to log into your parents' machines, have you tried TeamViewer?
As for setting up VPN, I think you should be able to do it relatively inexpensively with something like a couple of consumer-grade routers running DD-WRT. The one at location B is set up as a VPN client, and the one at location A is set up as a VPN server. You might want to set up address ranges for DHCP at location B such that they're part of the network at location A but not assigned at location A. That way you can avoid needing to do NAT at location B as well as location A.
If you have one Linux system there with an account you have access to AND an server on your end that you can SSH into your set. On your server you need an account for them to log into which has their autossh users public key in the authorized_hosts file.
You want an excutable file named /etc/network/if-up.d/reverse-ssh
# Ensures that autossh keeps trying to connect
AUTOSSH_GATETIME=0
su -c "autossh -f -N -R *:$8000:localhost:22 -R *:$8001:localhost:5900 pozer@myserver.com -oLogLevel=error -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no" root
I have autossh run as root and log into the account pozer on myserver.com. At that point you have a computer on your network with port 8000 opened to their Linux box and 8001 available for vnc. I set the looged in users X destkop to autorun run "x11vnc -shared -forever" export their desktop over vnc. I also install UltraVNC on the windows PCs.
If you had a windows PC at 192.168.1.50 you could add "-R *:8002:192.168.1.50:5900" to the above autossh command so you can reacn it with "vncviewer myserver:8002"
If you dont know the IP address till later you can set up a forward tunnel by remoting into their server over ssh. ssh remote@myserver -p 8000 -L *:8002:192.168.1.50:5900"
As long as there is a reverse tunnel you can use to create a connection back to their linux machine you can open up and access any port on their network. you can use vnserver to run a headless desktop in the background on their linux mint PC.
vi +
No amount of college coursework will fix someone being too lazy to use Google. Or Amazon.
Both of those sources will mislead you into thinking IPSec is a good solution that's not a giant pain in the ass in the real world and appropriate for this kind of install.
pfSense and OpenVPN, as everybody has been saying, is appropriate, solid, and on the easier end of the scale.
His requirements are 99% like mine, and that solution works great. My parents' pfSense box is in their basement, nailed up next to the FiOS demarc, and it works great.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
If he's going to be using my or my Parents' network resources and the government says I'm responsible for what he does until he's 18, you bet your ass I'm going to do checks to make sure he isn't doing anything that will warrant a visit from the Feds. Beyond that, he has a pretty good amount of freedom and leeway on the web.
That said, I'll have to look into CRD to see if it'll work given the apparent constraints that my Parents' ISP has placed on the connection. Windows Remote Assistance was working for a while and that is primarily what we used whenever they needed some quick work or a tutorial on something they wanted to do with the computer... Unfortunately it just stopped working all of a sudden. We figured out that their ISP had started blocking ports; upon contact the ISP made it clear they weren't going to be helpful in opening them up for us. This is the reason for the desire of a VPN where every machine on my Parents' network will look like they exist on my local NAT so I can easily just point the RDP Client or SSH session to a known IP address and have the full access I need. Using RDP would also eliminate the need for someone to actually have to be at a desktop while I did maintenance. To facilitate this more, I plan on setting my parents' computers to respond to WoL packets as well.
The only reason why I found the OP funny is, in his own words "significant amount of training as a Network Administrator".
Even network admins without significant amounts of training know the simplest fix for this is 2 cheap routers running openvpn with the second one set to route all outbound traffic through the tunnel. This has NOTHING to do with the operating systems.
Or, just use something that lets you support your parents, like teamviewer, that works across platforms, and can install as a service, and access anytime remotely. Many products out there that work on linux/mac/windows.
Tracking your kids internet while he is away seems something better accomplished with something on his device. If you are that worried about his internet habits, while he is at Grandma's you should be worried when he is off wifi, at friends, etc.
Get some IPv6 endpoints (and subnets) from he tunnelbroken and set up some basic ipv6 linux firewalls at both ends. Ditch all the crazy NAT/VPN crap and just go 100% peer to peer.
It sounds like the motivation for the change isn't that remote desktop didn't work well, but that it has stopped working, so you don't have a good way to remotely administer their machines. If so, rather than setting up a VPN, a remote desktop that does work would would do the job.
Chrome Remote Desktop (a Chrome browser extension from Google) does this quite handily. You can set up one-time remote sessions, where someone on the other end has to give you an invitation for each connection, or you can set up persistent connections which you can use any time. It's cross-platform (Windows, Mac, Linux).
I haven't looked into the underlying network protocols in detail, but I understand it uses libjingle, which implements ICE for NAT traversal (https://tools.ietf.org/html/rfc5245). What I do know is that I've used it in many bizarre network configurations and it's been flawless... if both hosts can reach the net, they can reach one another.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Get a small NAS, such as a QNAP or Synology.
They both have OpenVPN built in, so use that. Then you have a NAS for centralized backups (because if you're managing remotely you want to make sure they're stuff is backed up, right?) and your VPN connectivity.
Win win situation. If you get creative, you can even cross-replicate the NAS's so you have a true offsite backup.