VPN choices

vpn

(Branden Smale) #1

Since there are many different opinions out there, and I personally am not knowledgeable in VPN, I figured I would ask people their opinions of what VPN to use. I looked at some free options, but don't know if I want throttling, as it is my plan to have multiple connections via VPN.

So…what is your advice, approximate cost per month, and why?


(Lucky) #2
  1. Why do you need a VPN?
  2. What is your budget?

I personally use NFP Hosting as my tiny VPS, it costs $12 a year. YES TWELVE BUCKS A YEAR. But sometimes they run a promo. I got several for $5/year!!! Since it’s a VPS, it’s basically having a machine hosted somewhere else. It’s a shared environment, but you still get ROOT! I use it to run my own squid proxy, as a test environment, a mail server, and as a lightweight file server. I have a blog hosted in one of them too. My uptime is more than a year now. If you’re just trying to hide your online activities, you can run several proxies and chain them together, but then again, using VPNs to hide your online stuff provides nothing but a false sense of security.


(Rich Koshak) #3

:+1:


(Lucky) #4

I setup proxies so I can access stuff from work :rofl:


(Rich Koshak) #5

I just use ssh tunnels with cert only logins and fail2ban to keep from being pounded by the script kiddies. When I’m on the go, I have an OpenVPN server I can connect to remotely.

But I’m not trying to hide my network traffic from my ISP. And if I were, I don’t think I would trust some VPN provider any more than my ISP.


(Branden Smale) #6

My purpose is to work remotely on OH, as if I were in front of it.


(davorf) #7

Hello!

I’m using VPN server on my home router for that purpose. I don’t think you need a VPN provider to achieve this.

Best regards,
Davor


(Lucky) #8

OpenVPN rocks! I use it all the time except work, since the client is blacklisted lol. We’re a software team in a financial institution, they don’t want anyone “bringing home” the code lol.


(Lucky) #9

I might be mistaken. I thought you were looking for a VPN service… if you simply want to connect remotely to your own home network, try openVPN. It will be as if you’re just in the next room.


(Branden Smale) #10

I would also like to access customer installs. Can I do this with them, or use a service such as openVPN?

Guess I need to ask the difference between a VPN service and openVPN…


(Lucky) #11

Please read what VPN is. openVPN is a software, much like openHAB. It’s something you install. You can install it on your clients but I’m not sure that’s something they’d want to do. So you install OpenVPN server on your customers, then you install an OpenVPN client on your machine. You use your OpenVPN client software to connect to the server. When you are connected, you’re basically in the same network as them.


(Rich Koshak) #12

Government for me. I’m surprised I can do SSH frankly. But I can only SSH to port 22, hence fail2ban instead of moving it to an uncommon port.

I guess I won’t tell your boss about scp. :stuck_out_tongue_winking_eye:

With openVPN it will be as if your remote computer is on your lan.

With SSH you can open a shell to your openHAB machine or you can tunnel other traffic through it like VNC.

And to elaborate on Lucky’s comment, OpenVPN is a service YOU set up and run and maintain. There are complicated setups you can use to isolate devices but by default a computer connected over OpenVPN will be on the same LAN. That’s the purpose of a VPN. It lets you join a remote computer to your network securely.

And depending on how you set it up, when connected to the VPN, the remote device will no longer be able to see its LAN.


(Yannick Schaus) #13

If you’re in Europe you might consider getting a Scaleway C1 for 3 euros a month, and install OpenVPN on it. They have a pre-made image you can deploy.
What’s interesting is, since it’s an ARM architecture, I was able to install Pi-Hole on it (normally designed for Raspberry Pis) and configure OpenVPN to tell the clients to use the Pi-Hole’s DNS server over the VPN, so when I’m away from home (I also have a local Pi-Hole) I connect my non-rooted Android phones to the VPN and the ads automagically disappear in browsers and apps :slight_smile:


(Branden Smale) #14

So is there a way to install something so that I can only access their Pi, not the whole network?


(Branden Smale) #15

Maybe TeamViewer?


(Branden Smale) #16

OK, so there is VNC, VPN, and reverse proxy, though I don't know which would work for me. Guess I'd like to use VSCode, but only access the OH server on the remote network. Any more suggestions?


(Rich Koshak) #17

You will have to pay a license to use team viewer professionally. That may or may not be a deal killer for you.

The most straightforward approach would be to open up port 22 on their gateway and ssh to the raspberry pi using cert only logins. You can then tunnel VNC or even samba over the ssh tunnel and use VSCode. But it will require configuration of their gateway.

There are third-party services that let you access a RPi over the internet without opening a port but I’ve no experience with them. But I would seriously consider them.

For other ideas see

These are three completely separate things that do nothing in common with each other.

  • VNC is a remote desktop protocol that lets you bring up and interact with a view of a remote X-Windows desktop. That would let you “sit in front of” the RPi but it does nothing for you to actually connect to the remote RPi over the internet.

  • VPN is a way to let a remote computer securely join and appear on your LAN from over the Internet. It does nothing to actually let you connect to the specific machine (i.e. you still need to use ssh or VNC or something like that), it just gives you a local IP you can use to reach the machine.

  • Reverse proxy hasn’t been mentioned yet and it really is not applicable to this problem. A reverse proxy is a way to interject a web server between the caller and the actual application so that one can do load balancing, implement additional security, and/or make multiple applications appear as one.
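A check for the key-only SSH setup Rich relies on, as an added example rather than anything posted in the thread: it reads the effective values from an sshd_config the way sshd does (first match wins) and fails if password or keyboard-interactive logins are still enabled. The host name, key path and fail2ban numbers in the comments are assumptions.

```shell
#!/bin/sh
# Audit an sshd_config for the key-only logins Rich relies on before
# forwarding port 22 to a Raspberry Pi. Added example, not from the thread:
# the keywords are real OpenSSH ones; the config path is whatever you pass.

# Effective value of one keyword. sshd takes the FIRST non-comment match and
# keyword names are case-insensitive, so we stop at the first hit; anything
# after a "Match" block is conditional and out of scope here. Prints "" if absent.
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Returns 0 when password and keyboard-interactive logins are off and public
# keys are on; reports each failing keyword on stderr. Missing keywords take
# the OpenSSH defaults (all three default to "yes", i.e. not hardened).
audit_sshd_config() {
    cfg=$1; rc=0
    pw=$(sshd_setting "$cfg" PasswordAuthentication); [ -n "$pw" ] || pw=yes
    pk=$(sshd_setting "$cfg" PubkeyAuthentication);   [ -n "$pk" ] || pk=yes
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication; accept either spelling.
    kbd=$(sshd_setting "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_setting "$cfg" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=yes
    [ "$pw" = no ]  || { echo "PasswordAuthentication should be no (is $pw)" >&2; rc=1; }
    [ "$kbd" = no ] || { echo "KbdInteractiveAuthentication should be no (is $kbd)" >&2; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication should be yes (is $pk)" >&2; rc=1; }
    return $rc
}

# Once the audit passes, the tunnel Rich describes: VNC (port 5900) on the Pi
# reached through the forwarded port 22, then point a VNC viewer or VSCode
# Remote-SSH at localhost:5901. Host and key names are placeholders.
#   ssh -i ~/.ssh/pi_key -N -L 5901:localhost:5900 pi@customer-gateway.example
# fail2ban's stock sshd jail (jail.local) then bans repeated failures on that port:
#   [sshd]
#   enabled  = true
#   maxretry = 5
#   bantime  = 1h
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` on the Pi; for the effective configuration including Match blocks, `sshd -T` is the authoritative view.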


(Thomas Binder) #18

Unfortunately I have a Carrier-grade NAT (CGN) on my remote location on my openHAB cottage in the mountains and I failed to have LAN2LAN VPN via two Fritz.Boxes.
As this thread keeps all the pros: is there a way to have a bidirectional VPN between the two, if one is in NAT?
I can connect to my Fritz.box VPN, but I’m afraid that only works one-way, doesn’t it?

Is there a way without a cloud VPN to connect bidirectional?


(Branden Smale) #19

Thanks Rich, you are always very informative. I'll look into it.


(Rich Koshak) #20

I’m not sure I understand your setup.

The way OpenVPN works (or most other IPSEC/VPN technologies) is you set up a server. A lot of routers/firewalls will have an OpenVPN server built in. You need to expose the OpenVPN port to the Internet (I don’t remember the port off the top of my head) and have a dyndns or static IP. If you are hosting the server on a computer behind your firewall you need to set up port forwarding.

There are tutorials online for how to create the various certs and client config files but usually if you have a gateway or firewall that supports it there will be a wizard that asks a bunch of questions and spits out those files for you.

Presumably, you would run this VPN on your home Fritz.Box or on a machine behind that box in your main home.

On your remote machine in the cottage you install an OpenVPN client on the machine(s) you want to be accessible to/from your home network. Take the config file the wizard generated or you created by hand and pass that to the OpenVPN client and have it connect. The client will reach out over the network to your home OpenVPN server and establish an encrypted connection.

At this point, the remote machine can see all the machines on your LAN and all the machines on your LAN can see your remote machine. However, one thing to be aware of is the OpenVPN LAN is separate from your LAN and from the remote LAN. This means that your remote machine will have a different IP address in a different subnet from your local LAN and that IP is unlikely to be the same as its IP on its LAN. I believe there is a way to pin certain clients to certain VPN addresses but, for example, if your home LAN is 192.168.1.x and your cottage LAN is 192.168.1.x, your VPN LAN might be 10.0.8.x.
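Rich's description and Thomas's CGNAT question, worked through as an added example (not code from the thread or from the OpenVPN project): a small script that emits the home-side server.conf plus the client-config-dir entry that pins the cottage client to a fixed tunnel address and routes the cottage LAN back through it, and that refuses overlapping subnets first. Subnets, port and certificate file names are constructed assumptions.

```shell
#!/bin/sh
# Home-side OpenVPN pieces for the setup Rich describes: a server with its own
# tunnel subnet, a cottage client that dials OUT to it (so CGNAT on the cottage
# side, Thomas's case, never matters), and a client-config-dir entry that pins
# that client to a fixed tunnel address and routes the cottage LAN back through
# it. Added example, not from the thread: directives are real OpenVPN ones,
# subnets are constructed, certificate file names are placeholders.

ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
int2ip() { echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"; }
prefix2mask() { int2ip $(( (4294967295 << (32 - $1)) & 4294967295 )); }

# Returns 0 when two CIDR networks overlap (compared under the shorter prefix).
cidr_overlap() {
    n1=$(ip2int "${1%/*}") n2=$(ip2int "${2%/*}") p1=${1#*/} p2=${2#*/}
    p=$(( p1 < p2 ? p1 : p2 )); mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Emit server.conf for home LAN $1, cottage LAN $2, tunnel subnet $3. Refuses
# overlapping subnets: with 192.168.1.x on both ends each side routes that
# range locally and the "home sees cottage" half of the setup silently breaks.
openvpn_server_conf() {
    home_lan=$1 cottage_lan=$2 vpn_net=$3
    for pair in "$vpn_net $home_lan" "$vpn_net $cottage_lan" "$home_lan $cottage_lan"; do
        if cidr_overlap $pair; then echo "subnets overlap, renumber one: $pair" >&2; return 1; fi
    done
    cat <<EOF
# /etc/openvpn/server.conf (home side; forward UDP 1194 on the Fritz.Box to this host)
port 1194
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server ${vpn_net%/*} $(prefix2mask "${vpn_net#*/}")
push "route ${home_lan%/*} $(prefix2mask "${home_lan#*/}")"
route ${cottage_lan%/*} $(prefix2mask "${cottage_lan#*/}")
client-config-dir ccd
keepalive 10 120
EOF
}

# ccd/<client cert CN> for the cottage client: fixed tunnel address plus the LAN
# it announces. Args: cottage LAN CIDR, tunnel IP, tunnel netmask.
openvpn_ccd_entry() {
    printf 'ifconfig-push %s %s\niroute %s %s\n' "$2" "$3" "${1%/*}" "$(prefix2mask "${1#*/}")"
}
```

The `route` line tells the kernel the cottage LAN lives behind the tun device, and the `iroute` in the ccd file tells OpenVPN which connected client owns it; the cottage machine must additionally have IP forwarding enabled to pass traffic on to its LAN.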