OpenVPN Home Appliance
#16
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
OTOH, if you know what SSH is and how to log in, you can pick up the rest pretty easily. As for the free EC2 instances, see http://aws.amazon.com/free/ -- alternatively, I pay for a VPS from Gandi; it's about $10 a month for a basic one or $15 or so (paid annually) for a slightly beefier one.
The actual instructions are here: https://openvpn.net/index.php/open-s...ion/howto.html and they look much worse than they are. In general, if you just follow along with the examples, it will be working -- not by any means ideal security if you don't understand other things about the Linux firewall system, but if the goal is to just have a pipe to the US-based internet (for example) it's fine (and if the machine was supposed to be secure for other reasons that you're needing to VPN to it for, you'd need to understand the firewall for those reasons whether or not you had the VPN).
Alternative instructions here:
http://www.techrepublic.com/blog/lin...penvpn-server/
and here, this last one looks the most up-to-date and fully ready to go
https://www.digitalocean.com/communi...er-on-centos-6
(CentOS 6, which is the free clone of RedHat 6, is probably the OS you'd want to run on an Amazon or other cloud server ... unless you already have a preference for some other flavor of Unix, in which case the slightly more detailed directions from OpenVPN itself are probably better.)
#17
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
https://www.google.com/webhp?sourcei...envpn%20ubuntu
Here's a hit: http://parabing.com/2014/06/openvpn-on-ubuntu/
Then you could set up an Ubuntu instance in the Amazon cloud at https://aws.amazon.com and follow the Googled instructions.
I think the Micro instance might still be free for the first year if you want to play with things. You won't get much bandwidth, though.
#18
Join Date: Jun 2010
Posts: 220
Don't use your NAS
Unless you don't care about what you store on your NAS, I *STRONGLY* advise you look elsewhere to host your VPN aspirations.
There was a variant of Cryptolocker that seized Synology NAS units that were directly exposed to the internet. It just isn't good practice to expose it.
As usual, it depends on your needs and what you are willing to spend, but a dedicated hardware firewall appliance is almost always your best bet.
Not that I even remotely expect every home LAN user to do so, but I use a Checkpoint 1180 Firewall that has integrated UTM (Unified Threat Management) services so it not only provides a convenient VPN client for my computers and mobile devices while I am away from home, it also is a fully-featured protective device that scans all traffic in and out of the box in real time for threats.
For most home users, a Linksys or other similar router that can run DD-WRT, etc., is probably your most cost-effective, yet reasonably secure choice.
#19
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,156
Technically this still leaves you exposed to an OpenVPN vulnerability, but the risks of that are not that different whether it's on a router or a NAS device.
#20
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
No help at all if the NAS is open/insecure, and may not be worth the trouble even if it is secured.
One alternative for some folks would be to run the OpenVPN appliance (and anything else outward-facing) in a VM on the NAS/server -- this would require them to compromise the hypervisor in order to break out to the main machine.
#21
Join Date: Nov 2003
Location: San Jose, CA
Posts: 460
One alternative for some folks would be to run the OpenVPN appliance (and anything else outward-facing) in a VM on the NAS/server -- this would require them to compromise the hypervisor in order to break out to the main machine.
Thanks.
Last edited by unmesh; Jan 5, 2015 at 8:57 pm
#22
Join Date: Nov 2003
Location: San Jose, CA
Posts: 460
Well, you could Google how to set up OpenVPN on Ubuntu:
https://www.google.com/webhp?sourcei...envpn%20ubuntu
Here's a hit: http://parabing.com/2014/06/openvpn-on-ubuntu/
Then you could set up an Ubuntu instance in the Amazon cloud at https://aws.amazon.com and follow the Googled instructions.
I think the Micro instance might still be free for the first year if you want to play with things. You won't get much bandwidth, though.
Unless you don't care about what you store on your NAS, I *STRONGLY* advise you look elsewhere to host your VPN aspirations.
There was a variant of Cryptolocker that seized Synology NAS units that were directly exposed to the internet. It just isn't good practice to expose it.
As usual, it depends on your needs and what you are willing to spend, but a dedicated hardware firewall appliance is almost always your best bet.
Not that I even remotely expect every home LAN user to do so, but I use a Checkpoint 1180 Firewall that has integrated UTM (Unified Threat Management) services so it not only provides a convenient VPN client for my computers and mobile devices while I am away from home, it also is a fully-featured protective device that scans all traffic in and out of the box in real time for threats.
For most home users, a Linksys or other similar router that can run DD-WRT, etc., is probably your most cost-effective, yet reasonably secure choice.
I have also once repurposed an older PC to run the free Sophos UTM but did not have the patience to go through the learning curve.
There is no need to "directly expose" your NAS unit to the Internet to run OpenVPN on it - you just need to port forward a single port (normally 1194/UDP, but it's configurable).
Technically this still leaves you exposed to an OpenVPN vulnerability, but the risks of that are not that different whether it's on a router or a NAS device.
Hence the attractiveness of OpenVPN in the cloud.
#23
Join Date: Nov 2003
Location: San Jose, CA
Posts: 460
I couldn't wait and decided to try setting up OpenVPN on an EC2 free instance and here is what happened.
I created an AWS account and couldn't find a free Centos 6 image, so I went with an Ubuntu one. Booted the instance, a bit of fiddling to SSH into the instance, updated Ubuntu, installed the openVPN server and generated the server and client keys and the config file.
Copied the keys/files to my Windows PC after a bit of fiddling to get SFTP working, installed OpenVPN, pointed it to the config file and started the client. Got a TLS key negotiation error message.
Apparently this is a common problem, most likely due to the server being behind a firewall. A little more searching and I opened port 1194 to the EC2 server instance.
Restarted the client side and got a bunch of messages about being unable to modify the routes. Google again came to the rescue by pointing out that the client needs to run with elevated privileges but will not itself request them.
Took care of this and the VPN is up and running!
Got there almost by following only the instructions.
Thanks to gfunkdave and nkedel
P.S.: I have 60Mbps down and 6Mbps up Internet service and it goes to 2.65 down and 5.4 up with the VPN running.
#24
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Firewalls can be a very deep, interesting rabbit hole, if you choose to go down it, but there's no need to now.
Really? Ah, bummer!
Restarted the client side and got a bunch of messages about being unable to modify the routes. Google again came to the rescue by pointing out that the client needs to run with elevated privileges but will not itself request them.
P.S.: I have 60Mbps down and 6Mbps up Internet service and it goes to 2.65 down and 5.4 up with the VPN running.
#25
Join Date: Jun 2008
Location: YVR
Programs: Aeroplan, AAdvantage
Posts: 2,100
Also, I still maintain that proxying over OpenSSH is way easier than setting up OpenVPN and I am quite an old hand with Linux.
#26
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
You are paying quite a lot. Check the low end forums: http://lowendtalk.com/categories/offers http://lowendbox.com/ The cheapest I've ever seen is single digit dollars a year.
Also, I still maintain that proxying over OpenSSH is way easier than setting up OpenVPN and I am quite an old hand with Linux.
Actually, for banking (etc) on the road, I mostly use NX-over-SSH, but it's obviously not suitable for streaming video.
#27
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
The "D7778" is the setting in Putty to make local port 7778 present a SOCKS proxy. To enable remote DNS lookup in Chrome, set Chrome to use it as a SOCKS5 proxy.
My discomfort with using my gateway router with DD-WRT or my Synology comes from my insecurity (hah!) with being able to hairpin that traffic out into the Internet and not expose my LAN if the VPN is misconfigured by me or has an inherent vulnerability.
Hence the attractiveness of OpenVPN in the cloud.
I'd echo the concerns about running VPN on your NAS device. Use a device for its intended function. For a NAS, that's network storage. Using a router for VPN is a compromise (a router should route, says I) but an acceptable one. I use routers running Tomato to create a seamless site-to-site VPN between my house, my parents', my dad's office, and my mother in law. That way, I can provide tech support easily and access their network resources as needed. They love it when I print something for them to their printer from my place in NYC.
#28
Join Date: Jun 2008
Location: YVR
Programs: Aeroplan, AAdvantage
Posts: 2,100
On Linux and Mac at least we can pick from redsocks or sshuttle to ferry all our traffic through the SOCKS tunnel provided by SSH. I have no idea about Windows, brief Googling shows FreeCap and WideCap as solutions for the same.
#29
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
The SSH 2 spec (and maybe v1 too - I don't know) can work as a SOCKS proxy for any traffic. I use it all the time to proxy websites from work that OpenDNS blocks here. Just ensure port forwarding is enabled in the server, then create a Dynamic port forward on your client machine.
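As an added illustration of the dynamic forward described in this post and of the remote-DNS point made earlier about pointing Chrome at the PuTTY D7778 listener (example code written for this page, not code from OpenSSH, PuTTY or any poster here): the `-D` listener speaks SOCKS5 (RFC 1928), and whether the client hands the proxy a hostname (ATYP 0x03) or an address it already resolved itself (ATYP 0x01/0x04) decides whether DNS queries stay inside the tunnel. The resolver below is a constructed stand-in that only records lookups, and the addresses are documentation ranges.

```python
"""SOCKS5 CONNECT requests as sent through an `ssh -D 7778` / PuTTY D7778
listener, built two ways: hostname passed to the proxy for remote resolution
(ATYP 0x03) or an address the client resolved locally (ATYP 0x01/0x04).
Byte format only (RFC 1928 section 4); no network I/O.
Added example for this thread, not code from OpenSSH, PuTTY or the posters."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_connect(host, port, resolver=None):
    """Return the SOCKS5 CONNECT request bytes for host:port.

    resolver=None: an unresolved hostname is sent as-is (ATYP 0x03), so the
    SSH server resolves it at the far end (curl's socks5h://, Chrome's SOCKS5).
    resolver=callable: the client resolves the name itself before connecting
    and sends the IP (ATYP 0x01/0x04); that local lookup is the DNS leak.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        addr = ipaddress.ip_address(host)      # literal IP needs no lookup
    except ValueError:
        addr = None
    if addr is None and resolver is not None:
        addr = ipaddress.ip_address(resolver(host))
    if addr is None:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:          # length field is one byte
            raise ValueError("hostname must be 1..255 bytes")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    elif addr.version == 4:
        dst = bytes([ATYP_IPV4]) + addr.packed
    else:
        dst = bytes([ATYP_IPV6]) + addr.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_connect(data):
    """Proxy-side view of a CONNECT request: (host, port, proxy_must_resolve)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("unsupported command 0x%02x" % data[1])
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes in request")
    (port,) = struct.unpack("!H", rest)
    return host, port, atyp == ATYP_DOMAIN


def demo():
    """Show which client behaviour leaks a DNS query from the local machine."""
    lookups = []                                   # constructed: local DNS query log

    def local_resolver(name):                      # constructed stand-in resolver
        lookups.append(name)
        return "192.0.2.10"                        # TEST-NET-1 documentation address

    leaky = build_connect("example.com", 443, resolver=local_resolver)
    clean = build_connect("example.com", 443)
    return {
        "local_lookups": list(lookups),            # ["example.com"]: query left the tunnel
        "leaky": parse_connect(leaky),             # proxy sees only the IP
        "clean": parse_connect(clean),             # proxy sees the name and resolves it
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

With `ssh -D 7778 -N user@host` (or the PuTTY D7778 entry) listening locally, `curl --proxy socks5h://127.0.0.1:7778 https://example.com` sends the ATYP 0x03 form from `demo()`, while `socks5://` without the `h` resolves on the laptop first and sends the address form; watching local port 53 while browsing is the quick way to tell which one a given client is doing.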
#30
Join Date: Feb 2000
Location: Menlo Park, CA, USA
Programs: UA 1MM 0P, AA, DL, *wood, Lifetime FPC Plat., IHG, HHD
Posts: 6,912
Can anyone recommend a solid VPN appliance to setup on a home network but to use simply for EXTERNAL VPN access and security?
I've got a netgear nighthawk AC1900 router/AP, and the VPN solution on it is pretty poor. Doesn't enable the WAN IP as the access point for any external clients (known issue) and that is what I'd really like, to be able to connect to it and have all my traffic routed through my home network and connectivity (I have a 100/25 connection).
I know I could flash the AC1900 with DD-WRT and probably get what I am looking for, but I'm loath to go down the irreversible path YET since everything else is working so well.
I'd like to just stick a VPN appliance on the network, use it to enable REMOTE WAN VPN security and have the solution isolated to the device.