strategic advice

antioch0
OpenVpn Newbie
Posts: 3
Joined: Sun May 20, 2018 4:42 pm

strategic advice

Post by antioch0 » Sun May 20, 2018 5:07 pm

due to the poor state of broadband connectivity in the us, and just how overwhelmingly at&t sucks, i'm being forced to come up with a novel solution to what should otherwise be something today's 3rd grader could easily set up with the cheapest of hardware.

my issue is that i have some services i host at home, namely ip cameras, to which i need remote access but that att won't allow (despite their marketing promises to the contrary). it seems no incoming connections at all are allowed using att's home base cell modem. so i'm thinking i need to 1) set up openvpn server on an ubuntu 16.04 box i already rent, 2) configure my dd-wrt router at home for persistent connection to the publicly accessible ubuntu openvpn server, 3) dial into that same vpn server from my remote device to view resources hosted at home.

while i have some vpn experience, and now some linux experience, i've never played with openvpn server, though i have used the client on my dd-wrt router to successfully connect to another paid vpn service. so my questions are thusly: is this arrangement possible with openvpn? if so, would someone be kind enough to point me in the right direction to begin my research into the correct config? i don't need spoon-fed the configuration as i enjoy the learning process immensely. maybe just some keywords to set me on the right path to begin my reading...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: strategic advice

Post by TinCanTech » Sun May 20, 2018 5:54 pm

antioch0 wrote:
Sun May 20, 2018 5:07 pm
i don't need spoon-fed the configuration as i enjoy the learning process immensely. maybe just some keywords to set me on the right path
Cutting to the chase .. google openvpn howto

antioch0
OpenVpn Newbie
Posts: 3
Joined: Sun May 20, 2018 4:42 pm

Re: strategic advice

Post by antioch0 » Fri May 25, 2018 9:02 pm

so rtfm then? nice!

anyone else want to give it a shot?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: strategic advice

Post by TinCanTech » Fri May 25, 2018 9:24 pm

TinCanTech wrote:
Sun May 20, 2018 5:54 pm
antioch0 wrote:
Sun May 20, 2018 5:07 pm
i don't need spoon-fed the configuration as i enjoy the learning process immensely. maybe just some keywords to set me on the right path
Cutting to the chase .. google openvpn howto
antioch0 wrote:
Fri May 25, 2018 9:02 pm
so rtfm then? nice!

anyone else want to give it a shot?
But I thought you said: "i enjoy the learning process immensely" ..

Here is some more information:
https://community.openvpn.net/openvpn/wiki/TitleIndex

antioch0
OpenVpn Newbie
Posts: 3
Joined: Sun May 20, 2018 4:42 pm

Re: strategic advice

Post by antioch0 » Fri May 25, 2018 11:24 pm

i also said anyone else.

antioch4
OpenVpn Newbie
Posts: 1
Joined: Sat Jul 28, 2018 5:02 pm

Re: strategic advice

Post by antioch4 » Sat Jul 28, 2018 5:26 pm

to answer my own questions (helpfully): yes, the arrangement i outline IS possible. the server config file will need attention paid to the push, client-config-dir and route directives. a ccd directory containing files for the server and each client should be created with ifconfig-push and iroute directives in the server file, and ifconfig-push directives in the client files.
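
The arrangement from the first post (rented server, home router as a client that fronts the camera LAN), as an added example that is not part of the thread: a constructed server.conf and ccd set using the directives named above, plus a check that every iroute has a matching server-side route and push and does not collide with the VPN subnet or the viewer's local network. The subnets, the certificate names home-router and phone, and the roaming_lan parameter are assumptions; packet forwarding between clients on the server is outside what it checks.

```python
import ipaddress

# Constructed sample files (assumptions): VPN subnet 10.8.0.0/24, home LAN
# 192.168.50.0/24, home router certificate CN "home-router", viewer CN "phone".
SERVER_CONF = """\
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.50.0 255.255.255.0
push "route 192.168.50.0 255.255.255.0"
"""
CCD = {
    "home-router": "ifconfig-push 10.8.0.10 255.255.255.0\n"
                   "iroute 192.168.50.0 255.255.255.0\n",
    "phone": "ifconfig-push 10.8.0.20 255.255.255.0\n",
}

def nets(text, directive, pushed=False):
    """Networks named by 'directive NET MASK' lines, or by push "..." lines."""
    found = set()
    for line in text.splitlines():
        words = line.replace('"', " ").split()
        is_push = words[:1] == ["push"]
        if is_push:
            words = words[1:]
        if is_push == pushed and len(words) >= 3 and words[0] == directive:
            found.add(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
    return found

def check(server_conf, ccd, roaming_lan=None):
    """Return a list of routing problems; roaming_lan is the viewer's local LAN."""
    problems = []
    vpn = nets(server_conf, "server")
    routes = nets(server_conf, "route")
    pushed = nets(server_conf, "route", pushed=True)
    if "client-config-dir" not in server_conf:
        problems.append("no client-config-dir: ccd files are never read")
    for cn, text in sorted(ccd.items()):
        for lan in sorted(nets(text, "iroute")):
            if lan not in routes:
                problems.append(f"{cn}: iroute {lan} lacks a server-side route")
            if lan not in pushed:
                problems.append(f"{cn}: {lan} is not pushed to other clients")
            if any(lan.overlaps(v) for v in vpn):
                problems.append(f"{cn}: {lan} overlaps the VPN subnet")
            if roaming_lan and lan.overlaps(ipaddress.ip_network(roaming_lan)):
                problems.append(f"{cn}: {lan} collides with {roaming_lan}")
    return problems

if __name__ == "__main__":
    print(check(SERVER_CONF, CCD) or "routing directives are consistent")
```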

MikeRobinson
OpenVpn Newbie
Posts: 16
Joined: Fri Aug 03, 2018 1:46 am

Re: strategic advice

Post by MikeRobinson » Fri Aug 03, 2018 2:08 am

Any Internet service provider will only get you to your home, not inside. If you run an OpenVPN server at your home (properly guarded, of course, with one-of-a-kind digital certificates and tls-auth so that no one can find it), it will effectively serve as a "secure router" allowing you to now reach addresses on the other side. Your server should "push" the appropriate routes, and your client must specify "pull."

Be careful of IP-address conflicts: the cameras and such need to have addresses which are different from those of, say, your friendly Internet café, so that the routing rules will work. (This, of course, is just "basic TCP/IP routing stuff.")

To begin with: the computer that's running the OpenVPN server must be able to ping the devices within your home network. So that, when traffic pops out of the server process, bound for a particular gadget, it can get there and return.

Bear in mind that your traffic will arrive bearing a 10.8.0.x IP-address, since you're connecting directly to your server, and your home router therefore must know to forward that traffic to the OpenVPN server-box for final delivery back to you! This is done with a static-routing rule on the physical device. (Specify the physical IP-address of the server box within your home network, and cause your router to assign that machine a fixed address.)

When you connect, listing your remote computer's TCP/IP routing rules should show routes leading to these devices, through the utun0 virtual interface. You should be able to "ping" them successfully from the outside.

As always, traceroute is your best friend. If you see it "spitting out rows of asterisks," it means that there was no return routing-specification at that "hop." (The traffic knew how to get there, but an "echo" didn't know how to get back home.) All TCP/IP routing must cover "there and back again," and in this capacity "OpenVPN is just a router."

CCD's (and therefore, iroute) are not applicable in this case. They only apply when one remote computer that's connected to the server hosts a subnet of its own, which is not the case here. (The CCD tells OpenVPN which remote to send that traffic to.) In your case, your OpenVPN server has direct addressability to the gadgets.
