OpenVPN Home Appliance

Old Jan 5, 2015, 3:22 am
  #16  
FlyerTalk Evangelist
 
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Originally Posted by unmesh
I'm intrigued enough to try this out! Where would I find these instructions?
Someone else mentioned the free EC2 server, and when I said "pretty much follow the directions" that's for someone comfortable with basic linux/unix command line system administration.

OTOH, if you know what SSH is and how to log in, you can pick up the rest pretty easily. As for the free EC2 instances, see http://aws.amazon.com/free/ -- alternatively, I pay for a VPS from Gandi; it's about $10 a month for a basic one or $15 or so (paid annually) for a slightly beefier one.

The actual instructions are here: https://openvpn.net/index.php/open-s...ion/howto.html and they look much worse than they are. In general, if you just follow along with the examples, it will be working -- not by any means ideal security if you don't understand other things about the Linux firewall system, but if the goal is to just have a pipe to the US-based internet (for example) it's fine (and if the machine was supposed to be secure for other reasons that you're needing to VPN to it for, you'd need to understand the firewall for those reasons whether or not you had the VPN).

Alternative instructions here:
http://www.techrepublic.com/blog/lin...penvpn-server/
and here, this last one looks the most up-to-date and fully ready to go
https://www.digitalocean.com/communi...er-on-centos-6

(CentOS 6, which is the free clone of RedHat 6, is probably the OS you'd want to run on a Amazon or other cloud server ... unless you already have a preference for some other flavor of Unix, in which case the slightly more detailed directions from OpenVPN itself are probably better.)
nkedel is offline  
Old Jan 5, 2015, 7:30 am
  #17  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Originally Posted by unmesh
I'm intrigued enough to try this out! Where would I find these instructions?
Well, you could Google how to set up OpenVPN on Ubuntu:

https://www.google.com/webhp?sourcei...envpn%20ubuntu

Here's a hit: http://parabing.com/2014/06/openvpn-on-ubuntu/

Then you could set up an Ubuntu instance in the Amazon cloud at https://aws.amazon.com and follow the Googled instructions.

I think the Micro instance might still be free for the first year if you want to play with things. You won't get much bandwidth, though.
gfunkdave is offline  
Old Jan 5, 2015, 2:33 pm
  #18  
 
Join Date: Jun 2010
Posts: 220
Don't use your NAS

Unless you don't care about what you store on your NAS, I *STRONGLY* advise you look elsewhere to host your VPN aspirations.

There was a variant of Cryptolocker that seized Synology NAS units that were directly exposed to the internet. It just isn't good practice to expose it.

As usual, it depends on your needs and what you are willing to spend, but a dedicated hardware firewall appliance is almost always your best bet.

Not that I even remotely expect every home LAN user to do so, but I use a Checkpoint 1180 Firewall that has integrated UTM (Unified Threat Management) services so it not only provides a convenient VPN client for my computers and mobile devices while I am away from home, it also is a fully-featured protective device that scans all traffic in and out of the box in real time for threats.

For most home users, a Linksys or other similar router that can run DD-WRT, etc is probably your most cost-effective, yet reasonably secure choice.
robroy90 is offline  
Old Jan 5, 2015, 4:49 pm
  #19  
 
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,156
Originally Posted by robroy90
There was a variant of Cryptolocker that seized Synology NAS units that were directly exposed to the internet. It just isn't good practice to expose it.
There is no need to "directly expose" your NAS unit to the Internet to run OpenVPN on it - you just need to port forward a single port (normally 1194/UDP, but it's configurable).

Technically this still leaves you exposed to an OpenVPN vulnerability, but the risks of that are not that different whether it's on a router or a NAS device.
docbert is offline  
Old Jan 5, 2015, 6:37 pm
  #20  
FlyerTalk Evangelist
 
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Originally Posted by docbert
Technically this still leaves you exposed to an OpenVPN vulnerability, but the risks of that are not that different whether it's on a router or a NAS device.
Assuming your NAS is minimally secure (e.g. not running an open NFS, or either password-less CIFS or cleartext authentication on CIFS) even if they compromise a separate router/firewall, they'll then have to separately compromise the NAS via whatever relay they can get running on the router/firewall. That's a bit of extra security, but not a lot.

No help at all if the NAS is open/insecure, and may not be worth the trouble even if it is secured.

One alternative for some folks would be to run the OpenVPN appliance (and anything else outward-facing) in a VM on the NAS/server -- this would require them to compromise the hypervisor in order to break out to the main machine.
nkedel is offline  
Old Jan 5, 2015, 8:42 pm
  #21  
 
Join Date: Nov 2003
Location: San Jose, CA
Posts: 460
Originally Posted by nkedel
Someone else mentioned the the free EC2 server, and when I said "pretty much follow the directions" that's for someone comfortable with basic linux/unix command line system administration.
I'm comfortable with Linux commands, just not with iptables and the like. Will try with CentOS 6 when I have some free time.

One alternative for some folks would be to run the OpenVPN appliance (and anything else outward-facing) in a VM on the NAS/server -- this would require them to compromise the hypervisor in order to break out to the main machine.
I have a server running ESXi so this could be the next step after I'm comfortable with the EC2 experiment.

Thanks.

Last edited by unmesh; Jan 5, 2015 at 8:57 pm
unmesh is offline  
Old Jan 5, 2015, 8:54 pm
  #22  
 
Join Date: Nov 2003
Location: San Jose, CA
Posts: 460
Originally Posted by gfunkdave
Well, you could Google how to set up OpenVPN on Ubuntu:

https://www.google.com/webhp?sourcei...envpn%20ubuntu

Here's a hit: http://parabing.com/2014/06/openvpn-on-ubuntu/

Then you could set up an Ubuntu instance in the Amazon cloud at https://aws.amazon.com and follow the Googled instructions.

I think the Micro instance might still be free for the first year if you want to play with things. You won't get much bandwidth, though.
I was worried about my ability to set up an OS instance in the cloud in the first place!

Originally Posted by robroy90
Unless you don't care about what you store on your NAS, I *STRONGLY* advise you look elsewhere to host your VPN aspirations.

There was a variant of Cryptolocker that seized Synology NAS units that were directly exposed to the internet. It just isn't good practice to expose it.

As usual, it depends on your needs and what you are willing to spend, but a dedicated hardware firewall appliance is almost always your best bet.

Not that I even remotely expect every home LAN user to do so, but I use a Checkpoint 1180 Firewall that has integrated UTM (Unified Threat Management) services so it not only provides a convenient VPN client for my computers and mobile devices while I am away from home, it also is a fully-featured protective device that scans all traffic in and out of the box in real time for threats.

For most home users, a Linksys or other similar router that can run DD-WRT, etc is probably your most cost-effective, yet reasonably secure choice.
My home gateway runs dd-wrt and I have turned on the OpenVPN server for a short time on my Synology NAS to see if it worked. It did!

I have also once repurposed an older PC to run the free Sophos UTM but did not have the patience to go through the learning curve.

Originally Posted by docbert
There is no need to "directly expose" your NAS unit to the Internet to run OpenVPN on it - you just need to port forward a single port (normally 1194/UDP, but it's configurable).

Technically this still leaves you exposed to an OpenVPN vulnerability, but the risks of that are not that different whether it's on a router or a NAS device.
My use case is to VPN through a US location when I am overseas occasionally and not to access my LAN. My discomfort with using my gateway router with DD-WRT or my Synology comes from my insecurity (hah!) with being able to hairpin that traffic out into the Internet and not expose my LAN if the VPN is misconfigured by me or has an inherent vulnerability.

Hence the attractiveness of OpenVPN in the cloud.
unmesh is offline  
Old Jan 5, 2015, 11:55 pm
  #23  
 
Join Date: Nov 2003
Location: San Jose, CA
Posts: 460
I couldn't wait and decided to try setting up OpenVPN on an EC2 free instance and here is what happened.

I created an AWS account and couldn't find a free CentOS 6 image, so I went with an Ubuntu one. Booted the instance, a bit of fiddling to SSH into the instance, updated Ubuntu, installed the OpenVPN server and generated the server and client keys and the config file.

Copied the keys/files to my Windows PC after a bit of fiddling to get SFTP working, installed OpenVPN, pointed it to the config file and started the client. Got a TLS key negotiation error message.

Apparently this is a common problem, most likely due to the server being behind a firewall. A little more searching and I opened port 1194 to the EC2 server instance.

Restarted the client side and got a bunch of messages about being unable to modify the routes. Google again came to the rescue by pointing out that the client needs to run with elevated privileges but will not itself request them.

Took care of this and the VPN is up and running!

Got there by almost needing to follow only the instructions.

Thanks to gfunkdave and nkedel

P.S.: I have 60Mbps down and 6Mbps up Internet service and it goes to 2.65 down and 5.4 up with the VPN running.
unmesh is offline  
Old Jan 6, 2015, 12:47 am
  #24  
FlyerTalk Evangelist
 
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Originally Posted by unmesh
I'm comfortable with Linux commands, just not with iptables and the like. Will try with CentOS 6 when I have some free time.
If nothing else, this is a good chance to get your feet wet with iptables. For the basic "set up forwarding," as it sounds like you've already found out, the instructions are quite straightforward.

Firewalls can be a very deep, interesting rabbit hole, if you choose to go down it, but there's no need to now.

Originally Posted by unmesh
I created an AWS account and couldn't find a free Centos 6 image,
Really? Ah, bummer!

Restarted the client side and got a bunch of messages about being unable to modify the routes. Google again came to the rescue by pointing out that the client needs to run with elevated privileges but will not itself request them.
I'm fairly sure that this is an intentional annoyance about the open-source client.

P.S.: I have 60Mbps down and 6Mbps up Internet service and it goes to 2.65 down and 5.4 up with the VPN running.
Bandwidth is not huge on the free instances, and the CPU is quite limited. That's actually pretty good, all told; going to the VPN on my Gandi VPS instance (a moderately beefy single core, with 40Mbps bandwidth) I get 9.5Mbps download and 1.37Mbps upload on speedtest.net (vs. 18/5 without the VPN.)
nkedel is offline  
Old Jan 6, 2015, 1:03 am
  #25  
 
Join Date: Jun 2008
Location: YVR
Programs: Aeroplan, AAdvantage
Posts: 2,100
Originally Posted by nkedel
I pay for a VPS from Gandi; it's about $10 a month for a basic one or $15 or so (paid annually) for a slightly beefier one.
You are paying quite a lot. Check the low end forums: http://lowendtalk.com/categories/offers http://lowendbox.com/ The cheapest I've ever seen is single digit dollars a year.

Also, I still maintain that proxying over OpenSSH is way easier than setting up OpenVPN and I am quite an old hand with Linux.
chx1975 is offline  
Old Jan 6, 2015, 2:14 am
  #26  
FlyerTalk Evangelist
 
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Originally Posted by chx1975
You are paying quite a lot. Check the low end forums: http://lowendtalk.com/categories/offers http://lowendbox.com/ The cheapest I've ever seen is single digit dollars a year.
A good quality VPS is overkill for just an OpenVPN server, to be certain. From what I can see on those links, I'm comfortable with what I'm paying and getting.

Also, I still maintain that proxying over OpenSSH is way easier than setting up OpenVPN and I am quite an old hand with Linux.
When you say "proxying over SSH" are you talking about port forwarding individual sites, or something like port forwarding to a SOCKS proxy of some sort?

Actually, for banking (etc) on the road, I mostly use NX-over-SSH, but it's obviously not suitable for streaming video.
nkedel is offline  
Old Jan 6, 2015, 7:32 am
  #27  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Originally Posted by nkedel
When you say "proxying over SSH" are you talking about port forwarding individual sites, or something like port forwarding to a SOCKS proxy of some sort?
The SSH 2 spec (and maybe v1 too - I don't know) can work as a SOCKS proxy for any traffic. I use it all the time to proxy websites from work that OpenDNS blocks here. Just ensure port forwarding is enabled in the server, then create a Dynamic port forward on your client machine.

The "D7778" is the setting in Putty to make local port 7778 present a SOCKS proxy. To enable remote DNS lookup in Chrome, set Chrome to use it as a SOCKS5 proxy.



Originally Posted by unmesh
I was worried about my ability to set up an OS instance in the cloud in the first place!
See, it's easy!


My discomfort with using my gateway router with DD-WRT or my Synology comes from my insecurity (hah!) with being able to hairpin that traffic out into the Internet and not expose my LAN if the VPN is misconfigured by me or has an inherent vulnerability.

Hence the attractiveness of OpenVPN in the cloud.
OpenVPN with certificate authentication, and especially with the optional tls-auth feature turned on, is probably as secure as anyone knows how to make a VPN. Clearly, I'm not a cryptographer or security expert, but I AM a very gifted amateur, and that's my educated opinion.

I'd echo the concerns about running VPN on your NAS device. Use a device for its intended function. For a NAS, that's network storage. Using a router for VPN is a compromise (a router should route, says I) but an acceptable one. I use routers running Tomato to create a seamless site-to-site VPN between my house, my parents', my dad's office, and my mother in law. That way, I can provide tech support easily and access their network resources as needed. They love it when I print something for them to their printer from my place in NYC.
gfunkdave is offline  
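The remote-DNS point in the post above comes down to which SOCKS address type the browser sends. As an added example (not code from the thread or from any of the tools named in it), this encodes and decodes a SOCKS5 CONNECT request per RFC 1928: a hostname travels as ATYP 0x03 and is resolved at the SSH server end, whereas a literal IP means the client already did the lookup locally. The PuTTY `D7778` forward corresponds to `ssh -N -D 7778 user@server` with OpenSSH; the Chrome flag in the comments is assumed from Chrome's documented `--proxy-server` syntax.

```python
"""SOCKS5 CONNECT request encoding (RFC 1928), to show why a dynamic SSH
forward must be used as a SOCKS5 proxy if DNS lookups should happen on the
SSH server rather than on the laptop. Constructed example, not thread code.

  ssh -N -D 7778 user@server            # OpenSSH equivalent of PuTTY "D7778"
  chrome --proxy-server="socks5://127.0.0.1:7778"   # socks5:// => remote DNS
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT. A hostname is sent verbatim (ATYP 0x03) so the
    proxy (the SSH server) resolves it; an IP literal means the client resolved
    the name itself, outside the tunnel."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (1-byte length)")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    # VER, CMD, RSV(0x00), then address, then 2-byte big-endian port.
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(req: bytes) -> dict:
    """Decode a CONNECT as the proxy side would, and report which end performs
    the DNS resolution for this request."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, rest, who = str(ipaddress.IPv4Address(req[4:8])), req[8:], "client"
    elif atyp == ATYP_IPV6:
        host, rest, who = str(ipaddress.IPv6Address(req[4:20])), req[20:], "client"
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest, who = req[5:5 + n].decode("idna"), req[5 + n:], "proxy"
    else:
        raise ValueError("unknown SOCKS5 address type 0x%02x" % atyp)
    if len(rest) != 2:
        raise ValueError("malformed request length")
    return {"host": host, "port": struct.unpack("!H", rest)[0], "dns_resolved_by": who}


if __name__ == "__main__":
    for target in ("example.com", "93.184.216.34"):
        print(target, "->", parse_connect(build_connect(target, 443)))
```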
Old Jan 6, 2015, 10:17 am
  #28  
 
Join Date: Jun 2008
Location: YVR
Programs: Aeroplan, AAdvantage
Posts: 2,100
On Linux and Mac at least we can pick from redsocks or sshuttle to ferry all our traffic through the SOCKS tunnel provided by SSH. I have no idea about Windows, brief Googling shows FreeCap and WideCap as solutions for the same.
chx1975 is offline  
Old Jan 6, 2015, 11:06 am
  #29  
FlyerTalk Evangelist
 
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Originally Posted by gfunkdave
The SSH 2 spec (and maybe v1 too - I don't know) can work as a SOCKS proxy for any traffic. I use it all the time to proxy websites from work that OpenDNS blocks here. Just ensure port forwarding is enabled in the server, then create a Dynamic port forward on your client machine.
Interesting! I've used SSH port forwarding more times than I can count, but always with a fixed destination or source port -- I've never actually taken note of the "dynamic" option in Putty. Thanks for pointing it out!
nkedel is offline  
Old Jan 6, 2015, 11:42 am
  #30  
 
Join Date: Feb 2000
Location: Menlo Park, CA, USA
Programs: UA 1MM 0P, AA, DL, *wood, Lifetime FPC Plat., IHG, HHD
Posts: 6,912
Can anyone recommend a solid VPN appliance to setup on a home network but to use simply for EXTERNAL VPN access and security?

I've got a netgear nighthawk AC1900 router/AP, and the VPN solution on it is pretty poor. Doesn't enable the WAN IP as the access point for any external clients (known issue) and that is what I'd really like, to be able to connect to it and have all my traffic routed through my home network and connectivity (I have 100/25 connection)

I know I could flash the AC1900 with DD-WRT and probably get what I am looking for, but I'm loath to go down the irreversible path YET since everything else is working so well.

I'd like to just stick a VPN appliance on the network, use it to enable REMOTE WAN VPN security and have the solution isolated to the device.
nmenaker is offline  