• Re: Simplest 3G/4G connection for Pi, must work headless and stand-alon

    From Chris Green@3:770/3 to Computer Nerd Kev on Mon Dec 28 10:55:53 2020
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    Chris Green <cl@isbd.net> wrote:
    Theo <theom+news@chiark.greenend.org.uk> wrote:
    Chris Green <cl@isbd.net> wrote:
    OK, my current WiFi set up is (as a mobile connection would be) behind
    a NAT router and I set up reverse ssh tunnels to allow me to connect
    'on demand' to the Pi (BBB). So I can do exactly the same using the
    mobile data connection.

    Will the mobile provider object to the connection being up all the
    time but with virtually no data going through it?

    Mobile networks are often quite aggressive at killing idle connections
    through their CG-NAT - 30 seconds idle is common, for example. To avoid
    that you have to send keepalives, which will gradually consume your data
    allowance.

    But a keepalive is only a character (or two), even if it sends a TCP
    packet as a result that's 1500 bytes. Say 600 keepalives per Mb,
    that's only a few Mb per day which shouldn't cost too much.

    This depends on the provider. I've been using mobile broadband for
    my home internet for years, from various providers. At least one
    rounded up the data used over certain connection periods for
    charging purposes. Maybe you'll avoid that if the connection never
    does go dead, but on the other hand it might trigger regular
    round-ups to 1MB just because an open connection gets rounded up
    to 1MB every so often by their system.

    This is a "try it and see" sort of thing, terms of service
    documents can be long and detailed, but often don't actually match
    the reality of how their system works. Some providers round up by
    KB instead of MB, by the way.

    This is based on experience with mobile broadband providers in
    Australia only.

    Yes, absolutely, trying to find the *actual* way they charge is very
    often well nigh impossible and they usually don't know themselves (or
    at least the people you talk to don't know).

    --
    Chris Green


    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Chris Green@3:770/3 to Computer Nerd Kev on Mon Dec 28 10:58:43 2020
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 14:12, David Higton wrote:

    If you have no idea of its IP address, then it gets somewhat harder.

    By definition on a mobile network it's behind a HUGE NAT proxy. Unless
    you are supremely lucky and you get an IPV6 address

    Yes that's the case for any "normal" account. In Australia there
    is/was at least one reseller offering mobile broadband accounts
    with a fixed IPv4 address, on either the Telstra or Optus networks.
    You paid for it of course, but it wasn't big $$$.

    Odds are that the OP isn't in Australia, so I won't bother trying to
    dig up the link. But I'm guessing that there would be similar
    options in their country if they looked hard enough. Mobile
    broadband is now used quite a bit in industry for this sort of
    thing.

    OP here - I'm in the UK but the system this is for will be in France.
    So digging out specialist providers and such is one level more
    difficult than doing it 'at home'.

    --
    Chris Green


  • From Joe@3:770/3 to Chris Green on Mon Dec 28 11:07:23 2020
    On Sun, 27 Dec 2020 21:34:33 +0000
    Chris Green <cl@isbd.net> wrote:

    Joe <joe@jretrading.com> wrote:
    On Sun, 27 Dec 2020 20:28:52 +0000
    Chris Green <cl@isbd.net> wrote:

    Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:


    You have also a need to provide routing from the internal
    network to the OpenVPN daemon for the subnet (or host) to
    tunnel via the VPN.
    Ay? I'm not at all sure what you mean by this.


    I think what he means is that using a VPN from a single computer
    doesn't need any routing changes, but if you want one computer to
    handle VPN for other local computers, and the VPN machine is not the network's default gateway, then you need to tell the other computers
    that the VPN computer is the gateway to the distant network. The
    simplest way is with a DHCP configuration. I recall using a Win2000 workstation as a VPN server for a remote office and needing to do
    this.
    Hmm!! I don't see how that makes sense. 'Using VPN from a single
    computer' when the 'single computer' is on a LAN - but then it all
    goes to pot doesn't it? Either the computer is on one's LAN or it's
    in a VPN with the remote but it can't really do both can it?

    Yes, it can. A VPN client behaves as a computer with two (or more)
    network interfaces. A single workstation client will by default route
    its outgoing packets to its VPN client software for transmission down
    the tunnel (obviously except the VPN protocol packets themselves,
    which are routed as normal through the computer's hardware network
    interface), but the hardware interface can still accept packets from
    other local computers, and may be configured to also route some or all
    of them into the VPN. It's also obvious why the network address for
    local LAN and remote network must be different, having the same network
    address on two interfaces of the same computer never works well.

    Three VPN scenarios:

    1) Default gateway router is a VPN client to a remote network. All
    outgoing packets (except the VPN protocol itself) go through the VPN.
    All computers using the router automatically use the VPN with no change
    in routing necessary.

    2) Single workstation is the VPN client. All its packets route through
    the VPN. No routing change required. All other computers in the local
    LAN unaffected.

    3) Computer within the LAN (i.e. not the default gateway) is the VPN
    client to the remote network. Other local computers which wish to use
    the VPN must treat the VPN client as the gateway to the remote
    network(s), so a routing change in the client is required, as well as
    enabling IP forwarding in the VPN computer and possibly adjusting its
    firewall.

    The first and last are 'site-to-site' VPNs, handling multiple clients.
    Best done by scenario 1), but can be done by 3) if the gateway cannot
    be a client of the VPN type required. Most modern routers can be client
    or server to some VPN types e.g. IPSec and PPTP, but not usually
    OpenVPN.

    Note that many types of VPN (e.g. IPSec and PPTP) can only support one
    tunnel between a given pair of IP addresses. OpenVPN can use any port,
    so multiple tunnels are allowed, but IPSec and PPTP both use a TCP
    control channel and another IP protocol which does not have the concept
    of ports. So two or more workstations within the same (NATed) LAN must
    use site-to-site to reach the same remote network if using one of these
    VPN types.

    --
    Joe

  • From druck@3:770/3 to Chris Green on Mon Dec 28 11:40:58 2020
    On 27/12/2020 20:28, Chris Green wrote:
    Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
    On 27.12.20 20.04, Chris Green wrote:
    If your OpenVPN machine is not the same as the incoming firewall/router,
    you do need port forward from the outside to the OpenVPN machine. The
    usual port is UDP/1194.

    You have also a need to provide routing from the internal network
    to the OpenVPN daemon for the subnet (or host) to tunnel via the VPN.

    Ay? I'm not at all sure what you mean by this.

    Here's your network

    a) Router
    b) OpenVPN server
    c) Other local machine(s)

    and

    d) Remote machine

    You need to set up your router so it forwards port UDP/1194 to the IP
    address of OpenVPN server (b), as the OpenVPN client on (d) will connect
    to the external (WAN) address of (a), and this traffic is handled by (b).

    The OpenVPN server on (b) will assign a private subnet for the remote
    devices which is different to your local network subnet. When OpenVPN
    server is running on the router it will use DHCP to tell the other local machines (c) to route this subnet through it. But if you are using a
    separate OpenVPN server (b), you either need to manually add a route to
    its DHCP table, or set up the routing on each of the other machines (c) so
    the remote subnet is routed via (b), rather than defaulting to the router.

    That all seemed a lot easier to explain before I started writing this post!

    ---druck

  • From druck@3:770/3 to Joe on Mon Dec 28 11:20:13 2020
    On 28/12/2020 11:07, Joe wrote:
    The first and last are 'site-to-site' VPNs, handling multiple clients.
    Best done by scenario 1), but can be done by 3) if the gateway cannot
    be a client of the VPN type required. Most modern routers can be client
    or server to some VPN types e.g. IPSec and PPTP, but not usually
    OpenVPN.

    Asus routers support OpenVPN client and server out of the box. Any router supported by OpenWrt is also OK.

    ---druck

  • From Deloptes@3:770/3 to Chris Green on Mon Dec 28 14:01:00 2020
    Chris Green wrote:

    OP here - I'm in the UK but the system this is for will be in France.
    So digging out specialist providers and such is one level more
    difficult than doing it 'at home'.

    I have my parents in another country and they use a Linux PC. I and they have dynamic IPs.

    I have set up DDNS with no-ip.org at home and have a physical PC (industrial Geode from 2007) that I use as firewall and VPN (with OpenVPN). On the
    modem I configured forwarding of all traffic to the FW. On my parents' PC I
    have a script that checks a URL on my home apache server (via the DDNS)
    that simply replies with YES or NO. If YES it starts the OpenVPN on the
    remote (my parents') PC and connects to my FW; if NO it stops the VPN on the remote PC. Then when connected, I use the VPN IP to connect to their PC in
    the VPN network.

    The same can be achieved with a mobile network - there are hubs with SIM cards to provide internet in regions where there is no fast internet connection, or simply to carry with you and use anywhere. The process would be the same because what matters is the DDNS and your VPN. As soon as the client connects
    to the server you can access the client over the VPN IP. As it was stated
    you have to "push" the routes from/to your local network.

    So you say you are located in the UK and have a local network with, let's
    say, 192.168.1.0/24. Your VPN has 10.1.1.0/24. The OpenVPN will push a
    route to the client in France to the gateway in 192.168.1.0 and route the traffic from 10.1.1.0 to 192.168.1.0. This way you can access anything on 10.1.1.0 from 192.168.1.0.

    I got tired following the whole thread ... the described setup is a common practice and I do not understand why so many posts. Forgive me if I
    repeated or misunderstood something.

    I do not know what was mentioned regarding OpenVPN setup, but it took me a while to understand how it works. I chose certificate-based
    authentication. So I had to create and deploy certificates for and to the clients I use. This way the client can connect without providing a password.

    Another use of this is when I travel - from the company's Windows notebook
    or my linux notebook I can connect on demand to the VPN at home. This setup
    is more than 10y old - I'm not sure but I think I did it in 2008 or 2009 - never failed - except be careful when you update the system of course :)

    regards
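
The polling approach described in the post above, as an added example that is not part of the original post and is not the poster's script: the client starts the VPN only on an exact `YES`, stops it on an exact `NO`, and leaves things alone for any other reply (error page, captive portal, empty body). The URL `https://home.example.net/vpn-wanted` and the unit name `openvpn-client@home.service` are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed names are marked below.

CONTROL_URL=${CONTROL_URL:-https://home.example.net/vpn-wanted}  # hypothetical URL
VPN_UNIT=${VPN_UNIT:-openvpn-client@home.service}                # assumed unit instance
POLL_SECONDS=${POLL_SECONDS:-300}

# fetch_reply: print the control page body with CR/LF stripped, or nothing on
# any error. HTTPS only, no redirect to plain HTTP, 10 s timeout, and bodies
# announced as larger than 16 bytes are refused.
fetch_reply() {
    curl --proto '=https' --proto-redir '=https' --fail --silent \
         --max-time 10 --max-filesize 16 "$CONTROL_URL" 2>/dev/null | tr -d '\r\n'
}

# decide_action REPLY STATE -> start | stop | none | ignore
# STATE is "active" or "inactive". Only the literal strings YES and NO count;
# the reply is compared, never evaluated.
decide_action() {
    case "$1:$2" in
        YES:inactive)           echo start ;;
        NO:active)              echo stop ;;
        YES:active|NO:inactive) echo none ;;
        *)                      echo ignore ;;
    esac
}

# vpn_state: report whether the OpenVPN client unit is currently running.
vpn_state() {
    if systemctl is-active --quiet "$VPN_UNIT"; then
        echo active
    else
        echo inactive
    fi
}

# poll_once: one fetch, one decision, at most one state change.
poll_once() {
    action=$(decide_action "$(fetch_reply)" "$(vpn_state)")
    case $action in
        start)  systemctl start "$VPN_UNIT" ;;
        stop)   systemctl stop "$VPN_UNIT" ;;
        ignore) logger -t vpn-poll "unrecognised reply from control URL, no change" ;;
    esac
}

# Run as a daemon only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    while :; do
        poll_once || true
        sleep "$POLL_SECONDS"
    done
fi
```

With certificate-based authentication, as in the post, the unit can start unattended; the control URL only decides when, and the VPN handshake still decides who.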

  • From Chris Green@3:770/3 to druck on Mon Dec 28 12:46:56 2020
    druck <news@druck.org.uk> wrote:
    On 28/12/2020 11:07, Joe wrote:
    The first and last are 'site-to-site' VPNs, handling multiple clients.
    Best done by scenario 1), but can be done by 3) if the gateway cannot
    be a client of the VPN type required. Most modern routers can be client
    or server to some VPN types e.g. IPSec and PPTP, but not usually
    OpenVPN.

    Asus routers support OpenVPN client and server out of the box. Any router supported by OpenWrt is also OK.

    If a router 'supports VPN' what does that actually mean?

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?


    --
    Chris Green


  • From Ahem A Rivet's Shot@3:770/3 to Chris Green on Mon Dec 28 13:22:38 2020
    On Mon, 28 Dec 2020 12:46:56 +0000
    Chris Green <cl@isbd.net> wrote:

    druck <news@druck.org.uk> wrote:

    Asus routers support OpenVPN client and server out of the box. Any
    router supported by OpenWrt is also OK.

    If a router 'supports VPN' what does that actually mean?

    There are many varieties of VPN using different protocols; OpenVPN
    is just one of them (other common ones are IPSec and PPTP), many consider
    it the best of them.

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    It might, depending on what support is on the router - nearly all routers will act as a PPTP client, not so many as anything else. As mentioned above, Asus and routers running OpenWrt support OpenVPN both as client and server.

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what

    I could be wrong but I'm pretty sure the Draytek routers only
    support being a PPTP client so that they can connect you to a corporate
    VPN. To be certain you'd have to look in the Draytek documentation.

    --
    Steve O'Hara-Smith | Directable Mirror Arrays C:\>WIN | A better way to focus the sun
    The computer obeys and wins. | licences available see
    You lose and Bill collects. | http://www.sohara.org/

  • From Kurt Weiske@1:218/700 to The Natural Philosopher on Mon Dec 28 08:34:00 2020
    The Natural Philosopher wrote to Joe <=-

    It's a common requirement, and the magic codeword is 'M2M' (machine to machine). You'll probably need to go to a specialist SIM provider, the average high-street phone shop salesman won't have a clue what you're talking about.

    That I did NOT know. That simplifies everything

    We have a handful of T-Mobile 4G hotspots, and that service is
    $5/month, if memory serves. It's a great deal for what possibilities
    it opens up.



    ... Are there sections? Consider transitions
    --- MultiMail/XT v0.52
    * Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)
  • From Kurt Weiske@1:218/700 to Martin Gregorie on Mon Dec 28 08:37:00 2020
    Martin Gregorie wrote to Chris Green <=-

    IOW it does about the same job as the wifi link on a Pi 3, 4 or Zero W except that it preferentially connects to a 3G or 4G base station
    rather than to the nearest wifi router.

    Getting the carrier to provision them properly may be tough. I have a
    Thinkpad laptop with a SIM slot for a Gobi card, but if I slot in a
    working GSM sim, it doesn't work. Don't know if they're locked to a
    specific carrier or need to be provisioned differently to work.

    kurt weiske | kweiske at realitycheckbbs dot org
    | http://realitycheckbbs.org
    | 1:218/700@fidonet




  • From Theo@3:770/3 to Chris Green on Mon Dec 28 16:53:52 2020
    Chris Green <cl@isbd.net> wrote:
    OP here - I'm in the UK but the system this is for will be in France.
    So digging out specialist providers and such is one level more
    difficult than doing it 'at home'.

    Just a thought, but have you considered using SMS to ask the remote end to initiate the connection?

    You send a text saying 'wake up now', the boat receives it, 'dials' a 3G/LTE connection and connects to your VPN (or SSH tunnel). Now you can access it. After a while of inactivity it drops the connection and goes back to sleep.

    If the duty cycle is low (eg you connect for 5 minutes a week) it could work out cheaper than having an always-on VPN connection that's consuming traffic
    in keepalives.

    That also means you can use any SIM you like, so pick whatever tariff suits you.

    Typically, dongles provide multiple USB-UART channels - one for the PPP data connection, another for signal stats and SMS, maybe a third for something
    else (GPS?). I don't know the best framework for handling the SMS side, but
    at the least something polling it with AT commands would do.

    Theo
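
The SMS polling step suggested above, as an added example that is not part of the original post: it scans the text-mode reply to `AT+CMGL="REC UNREAD"` and reports a wake request only when an allow-listed sender sent exactly the agreed token. The phone numbers, the token `wake-7f3a91` and the sample modem reply are constructed; since an SMS sender ID is not proof of origin, the token acts as a shared secret and the only action taken on a match is to bring the link up.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample data is constructed.

# wake_requested ALLOWED_SENDER TOKEN   (modem reply text on stdin)
# Exit 0 if an SMS from ALLOWED_SENDER has a body exactly equal to TOKEN,
# otherwise exit 1. The body is only compared, never executed or interpolated.
wake_requested() (
    allowed=$1
    token=$2
    sender=
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case $line in
            '+CMGL: '*)
                # Header: +CMGL: <index>,<stat>,<sender>,<alpha>,<timestamp>
                sender=$(printf '%s' "$line" | cut -d, -f3 | tr -d '"')
                ;;
            ''|OK)
                sender=
                ;;
            *)
                # First body line after a header; any further lines are ignored.
                if [ -n "$sender" ] && [ "$sender" = "$allowed" ] \
                        && [ "$line" = "$token" ]; then
                    exit 0
                fi
                sender=
                ;;
        esac
    done
    exit 1
)

# Constructed reply to AT+CMGL="REC UNREAD" with the modem in text mode
# (AT+CMGF=1): two unread messages followed by the final OK.
sample_modem_reply() {
    printf '%s\r\n' \
        '+CMGL: 1,"REC UNREAD","+447700900123",,"20/12/28,16:53:52+00"' \
        'hello boat' \
        '+CMGL: 2,"REC UNREAD","+447700900456",,"20/12/28,16:55:10+00"' \
        'wake-7f3a91' \
        '' \
        'OK'
}

# Demonstration on the constructed reply when run with --demo.
if [ "${1:-}" = "--demo" ]; then
    if sample_modem_reply | wake_requested '+447700900456' 'wake-7f3a91'; then
        echo "wake request accepted: bring up the tunnel"
    else
        echo "no valid wake request"
    fi
fi
```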

  • From Martin Gregorie@3:770/3 to Kurt Weiske on Mon Dec 28 17:40:41 2020
    On Mon, 28 Dec 2020 08:37:00 +1300, Kurt Weiske wrote:

    Getting the carrier to provision them properly may be tough. I have a
    Thinkpad laptop with a SIM slot for a Gobi card, but if I slot in a
    working GSM sim, it doesn't work. Don't know if they're locked to a
    specific carrier or need to be provisioned differently to work.

    Fair comment. The only GSM dongle I've tried or needed to try, back in
    2004, came with a Vodafone sim. However, it turned out that I was in a
    not-spot where the dongle would connect, but couldn't transfer data.

    Fortunately, I was able to send it back and get a refund.

    BTW, the program I used to access the dongle on an old Lenovo running Red
    Hat Linux 7.1 (that dates it!), gcom, was a command-line utility that
    executed a user-modifiable script to connect to the network and manage
    data transfers. I don't know if it's still around or needed, but the documentation was excellent and all in its manpage.


    --
    Martin | martin at
    Gregorie | gregorie dot org

  • From Axel Berger@3:770/3 to Kurt Weiske on Mon Dec 28 20:00:27 2020
    Kurt Weiske wrote:
    We have a handful of T-Mobile 4G hotspots, and that service is
    $5/month, if memory serves.

    That actually sounds reasonable. Whenever I come across a non-free
    hotspot around here it's something like 5$ per hour. I'm never sure
    whether it's me losing his mind and going off the rocker or they are.


    --
    /¯\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
    \ / HTML | Roald-Amundsen-Straße 2a Fax: +49/ 221/ 7771 8069
     X in | D-50829 Köln-Ossendorf http://berger-odenthal.de
    / \ Mail | -- No unannounced, large, binary attachments, please! --

  • From Joe@3:770/3 to Chris Green on Mon Dec 28 22:37:11 2020
    On Mon, 28 Dec 2020 12:46:56 +0000
    Chris Green <cl@isbd.net> wrote:

    druck <news@druck.org.uk> wrote:
    On 28/12/2020 11:07, Joe wrote:
    The first and last are 'site-to-site' VPNs, handling multiple
    clients. Best done by scenario 1), but can be done by 3) if the
    gateway cannot be a client of the VPN type required. Most modern
    routers can be client or server to some VPN types e.g. IPSec and
    PPTP, but not usually OpenVPN.

    Asus routers support OpenVPN client and server out of the box. Any
    router supported by OpenWrt is also OK.

    If a router 'supports VPN' what does that actually mean?

    There are two levels: first is to pass the VPN protocol at all, in
    either direction. This isn't relevant to OpenVPN, but some other types
    of VPN use two channels like FTP. Like FTP, they require a conntrack
    module in the stateful firewall to associate the two channels, to allow
    one to pass when only the other has been seen by the firewall. I've
    seen routers that supposedly have 'PPTP passthrough' which do not, in
    fact, do it correctly. VPNs are an afterthought to router
    manufacturers. Draytek was always notable for having better VPN
    implementations than most other makes at a comparable price.

    Secondly there is actual VPN client or server support, often described
    as 'VPN endpoint'.

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    At the second level, yes.

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful?

    It depends on the type of VPN. Some like OpenVPN are normally secured
    by certificates, some just by password. They will often need a key at
    both ends for use in the symmetrical encryption. Asymmetrical encryption
    can be provided by the certificate, but that is generally too slow to
    have a decent performance.

    ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?


    If the router is the endpoint, then all the LAN is potentially
    available to the client. If the router has a decent firewall user
    interface, then access can be tailored so that only certain LAN
    computers are visible. Ideally the router should connect to the LAN via
    a separate firewall computer running iptables or nftables, which allow
    very fine-grained control in forwarding. Of course, the LAN computer
    firewalls can also permit packets on only certain ports when arriving
    from the router.

    ... and how do I connect a remote system to the VPN?

    Give the VPN client the public IP address or hostname, and tell it to
    connect. Network Manager works fairly well these days, and has plugins
    for some VPNs. Obviously arrange for the client to have any keys or certificates it requires. It is wise to have human intervention required
    e.g. to have a private key encrypted with a good passphrase which is not entrusted to the VPN client, so if the key becomes compromised it can
    be cancelled and replaced without much risk of intrusion. I keep
    OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
    lose a laptop, my home network is still safe, and if I lose the wallet,
    the encryption passphrase isn't stored on the stick.

    --
    Joe

  • From Richard Falken@1:123/115 to Chris Green on Mon Dec 28 18:23:40 2020
    Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
    By: Chris Green to druck on Mon Dec 28 2020 12:46 pm

    If a router 'supports VPN' what does that actually mean?

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?

    VPN capable routers are used mainly for enterprise /small businesses.

    The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).

    ie:

    LAN A has subnet 192.168.10.0/

    LAN B has 192.168.20.0/

    The router generated VPN makes it so a computer in LAN A can use a network printer with ip 192.168.20.5 in LAN B, access a file server which is not allowed traffic to the open internet at 192.168.20.11 (LAN B) etc as if both networks were directly connected, instead of separated by the whole Internet. In fact the connection between the two networks is encrypted and thus deemed private.

    This is the most common scenario that you find documented for VPN enabled routers, followed by the road-warrior setup (you use VPN in order to allow a laptop using an insecure LAN connect to your office in Berlin and access resources in LAN A as if the laptop was in Berlin's office).

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (1:123/115)
  • From Chris Green@3:770/3 to Joe on Tue Dec 29 09:59:11 2020
    Joe <joe@jretrading.com> wrote:

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful?

    It depends on the type of VPN. Some like OpenVPN are normally secured
    by certificates, some just by password. They will often need a key at
    both ends for use in the symmetrical encryption. Asymmetrical encryption
    can be provided by the certificate, but that is generally too slow to
    have a decent performance.

    I guess that's part of my issue with all this. I don't need speed,
    all I need is something fast enough to handle interactive terminal
    usage. Neither do I need security, the remote system has no personal information on it at all, the only data to be stolen is temperatures,
    voltages and other measurements on my boat.

    All I need is a reliable piece of wet string between me and the SBC on
    the boat. :-)


    ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?


    If the router is the endpoint, then all the LAN is potentially
    available to the client. If the router has a decent firewall user
    interface, then access can be tailored so that only certain LAN
    computers are visible. Ideally the router should connect to the LAN via
    a separate firewall computer running iptables or nftables, which allow
    very fine-grained control in forwarding. Of course, the LAN computer firewalls can also permit packets on only certain ports when arriving
    from the router.

    I don't need or want any of that, the remote machine doesn't need to
    be able to see my home LAN at all, it's the other direction I need.


    ... and how do I connect a remote system to the VPN?

    Give the VPN client the public IP address or hostname, and tell it to connect. Network Manager works fairly well these days, and has plugins
    for some VPNs.

    It's a headless system so command line only and I want it to be able
    to boot up into a connected state without any local interaction.


    Obviously arrange for the client to have any keys or certificates it requires. It is wise to have human intervention required
    e.g. to have a private key encrypted with a good passphrase which is not entrusted to the VPN client, so if the key becomes compromised it can
    be cancelled and replaced without much risk of intrusion. I keep
    OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
    lose a laptop, my home network is still safe, and if I lose the wallet,
    the encryption passphrase isn't stored on the stick.

    Yes, VPNs aren't really designed for what I want to do are they!

    It's possible to use a VPN to get to what I want but it's hardly the obvious/ideal way to do it.

    I think in reality my existing setup (behind a WiFi NAT firewall)
    using ssh tunnels is much closer to what I need than a VPN. It'll
    work just as well behind a 3G/4G router that's NAT'ted.

    --
    Chris Green


  • From Chris Green@3:770/3 to Richard Falken on Tue Dec 29 09:43:04 2020
    Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org> wrote:
    Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
    By: Chris Green to druck on Mon Dec 28 2020 12:46 pm

    If a router 'supports VPN' what does that actually mean?

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?

    VPN capable routers are used mainly for enterprise /small businesses.

    The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).

    ie:

    LAN A has subnet 192.168.10.0/

    LAN B has 192.168.20.0/

    The router generated VPN makes it so a computer in LAN A can use a network printer with ip 192.168.20.5 in LAN B, access a file server which is not allowed traffic to the open internet at 192.168.20.11 (LAN B) etc as if both networks were directly connected, instead of separated by the whole Internet. In fact the connection between the two networks is encrypted and thus
    deemed private.

    This is the most common scenario that you find documented for VPN enabled routers, followed by the road-warrior setup (you use VPN in order to allow a laptop using an insecure LAN connect to your office in Berlin and access resources in LAN A as if the laptop was in Berlin's office).

    Thanks for that beautifully clear explanation, it's this sort of thing
    that is *far* from obvious when you look at how tos for VPNs.

    I guess it's the 'road-warrior setup' is nearest to what I want to do
    though in reality the 'insecure LAN' involved is just one computer.

    --
    Chris Green


  • From A. Dumas@3:770/3 to Chris Green on Tue Dec 29 10:30:44 2020
    Chris Green <cl@isbd.net> wrote:
    Neither do I need security, the remote system has no personal
    information on it at all, the only data to be stolen is temperatures, voltages and other measurements on my boat.

    You do need security, to prevent it from being taken over by a
    botnet/hacker and getting you banned from the network. Also if you have a
    vpn connection, it's effectively on your home lan.

  • From Chris Green@3:770/3 to A. Dumas on Tue Dec 29 10:46:20 2020
    A. Dumas <alexandre@dumas.fr.invalid> wrote:
    Chris Green <cl@isbd.net> wrote:
    Neither do I need security, the remote system has no personal
    information on it at all, the only data to be stolen is temperatures, voltages and other measurements on my boat.

    You do need security, to prevent it from being taken over by a
    botnet/hacker and getting you banned from the network.

    To prevent what "from being taken over by a botnet/hacker"? If they
    break into my boat and have access to the computer there then there's absolutely nothing that using a VPN will prevent. As I've said it has
    to be capable of restarting with the connection in place without my interaction. A VPN doesn't help in the slightest as far as I can see.

    Also if you have a
    vpn connection, it's effectively on your home lan.

    Exactly the problem, I don't need this at all. I want communication
    in the other direction only.

    Getting back to my original requirement:-

    I want to communicate *from* my home system to a headless SBC.

    The headless SBC (Pi or whatever) can connect to the internet but
    it's almost certainly going to be behind a NAT/firewall of some
    sort.

    --
    Chris Green


  • From A. Dumas@3:770/3 to Richard Falken on Tue Dec 29 10:28:14 2020
    Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org> wrote:
    The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).

    ie:
    LAN A has subnet 192.168.10.0/
    LAN B has 192.168.20.0/

    Yes, and this is a nice gotcha if you want to connect two networks behind
    the same type of modem/from one isp; they are bound to use the same subnet, just their default settings; so the vpn connection won't work. I had this
    once on different modems/isp's; apparently 192.168.178.0 is a popular
    choice. Solution is to give one of them a different subnet.

  • From The Natural Philosopher@3:770/3 to Theo on Tue Dec 29 10:54:48 2020
    On 28/12/2020 16:53, Theo wrote:
    Chris Green <cl@isbd.net> wrote:
    OP here - I'm in the UK but the system this is for will be in France.
    So digging out specialist providers and such is one level more
    difficult than doing it 'at home'.

    Just a thought, but have you considered using SMS to ask the remote end to initiate the connection?

    How does a Pi receive SMS?

    How does a phone receive SMS if it isn't 'always on'

    I don't know the best framework for handling the SMS side, but
    at the least something polling it with AT commands would do.

    because it's always on?



    --
    “when things get difficult you just have to lie”

    - Jean Claud Jüncker

  • From Jan Panteltje@3:770/3 to cl@isbd.net on Tue Dec 29 11:18:03 2020
    On a sunny day (Tue, 29 Dec 2020 09:59:11 +0000) it happened Chris Green <cl@isbd.net> wrote in <f8brbh-qhf2.ln1@esprimo.zbmc.eu>:

    I guess that's part of my issue with all this. I don't need speed,
    all I need is something fast enough to handle interactive terminal
    usage. Neither do I need security, the remote system has no personal
    information on it at all, the only data to be stolen is temperatures,
    voltages and other measurements on my boat.

    All I need is a reliable piece of wet string between me and the SBC on
    the boat. :-)

    Depends on your programming skills
    I wrote
    smsio.c
    http://panteltje.com/panteltje/newsflex/download.html#smsio
    it receives SMS with a Huawei 3G/4G modem and then executes a script (that you will need to write to do things).
    In that script (up to you) you should parse for YOUR phone number and some commands (like "knock out pirates" or "stop motor").

    The other way around, from boat to your phone via SMS, I wrote the script 'ssms'
    it is part of xgpspc:
    http://panteltje.com/panteltje/xgpspc/index.html
    scroll down to
    Anchor drift and water in boat alarm with SMS and PMR radio alert

    Very basically it works like this, raspi measures things like GPS location, water level in bilge, some other things, compares it to some setpoints,
    and sends SMS to your phone every 15 minutes if an error condition persists.
    It can notify over radio too if needed.

    You can reply to that SMS from your phone with another SMS with some predefined commands as shown above.

    But anyways ssms (send SMS part of xgpspc) is like this:
    #!/bin/bash

    # ssms
    # sends SMS message to a Huawei G3 USB stick, stick must be in data mode with usb_modeswitch

    let error=0

    if [ "$1" == "" ]
    then
    let error=1
    fi

    if [ "$2" == "" ]
    then
    let error=1
    fi

    if [ "$3" == "" ]
    then
    let error=1
    fi

    if [ "$4" == "" ]
    then
    let error=1
    fi

    if [ $error == "1" ]
    then
    echo "Usage:"
    echo "ssms PIN phone_number device_name message"

    echo "Example:"
    echo "ssms 1234 31612345678 /dev/ttyUSB4 \"hello there\""

    echo " WARNING ssms WILL NOT WARN IF WRONG PIN IS ENTERED!!!!"
    exit 1
    fi

    # For now we ignore any response from the USB modem
    # so if it does not work you don't know why.

    # send PIN
    echo -en "AT+CPIN=\"$1\"\r" > $3
    sleep 1

    # request text mode
    echo -en "AT+CMGF=1\r" >> $3
    sleep 1

    # send phone number
    echo -en "AT+CMGS=\"+$2\"\r" >> $3
    sleep 1

    # send SMS message 0, terminated with ctrl Z
    echo -en "$4\x1a\r" >> $3

    echo "ready SMS send"

    exit 0



    This then runs on your boat with whatever data you want to send,

    When nothing out of the ordinary happens no SMS is sent.

    Not sure this helps, is more for programmers....

    Some pseudo code:

    while true
    do
    measure water_level
    if( water_level >= up to chin)
    ssms PIN YOUR_PHONENUMBER /dev/ttyUSB1 \"blub blub blub\"
    sleep 10*60
    done

    while true
    do
    measure GPS_position
    if(distance GPS_position - anchor_GPS_position >= 20 meter)
    ssms PIN YOUR_PHONENUMBER /dev/ttyUSB1 \"adrift at $GPS_position\"
    sleep 10*60
    done

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
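The sender and command check that the post above leaves to the reader's script, as an added example that is not part of the original post or of smsio: the `handle_sms` calling convention, the allow-listed numbers and the command names are assumptions made for illustration. Because the sender number of an SMS can be forged, the example only maps messages to fixed action tokens and never passes message text to a shell.

```shell
#!/bin/sh
# Added example, not smsio's own interface. Assumed calling convention:
#   handle_sms SENDER TEXT   -> prints "ACTION <token>" or "REJECT <reason>"
# The caller maps each ACTION token to one fixed command line; the SMS text
# itself is never evaluated or passed to a shell.

# Constructed allow-list: space separated, international format.
ALLOWED_SENDERS="+31612345678 +447700900123"

# Print SENDER as +<digits>, or fail if it is not a plausible phone number
# (alphanumeric sender IDs such as "ALERT" are refused outright).
normalise_sender() {
    _n=$(printf '%s' "$1" | tr -d ' ()-')
    case "$_n" in
        00*) _n="+${_n#00}" ;;                     # 0031... -> +31...
    esac
    case "$_n" in +*) ;; *) return 1 ;; esac       # international form only
    _d=${_n#+}
    case "$_d" in ''|*[!0-9]*) return 1 ;; esac    # digits only after the +
    if [ "${#_d}" -lt 8 ] || [ "${#_d}" -gt 15 ]; then
        return 1
    fi
    printf '%s\n' "$_n"
}

# Lower-case TEXT, squeeze blanks to single spaces, trim both ends.
canonical_text() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr '\t' ' ' | tr -s ' ' |
        sed -e 's/^ //' -e 's/ $//'
}

handle_sms() {
    _from=$(normalise_sender "$1") || { echo "REJECT bad-sender"; return 1; }
    _known=no
    for _a in $ALLOWED_SENDERS; do
        if [ "$_a" = "$_from" ]; then _known=yes; fi
    done
    if [ "$_known" != yes ]; then echo "REJECT unknown-sender"; return 1; fi
    # A single GSM 7-bit SMS carries at most 160 characters.
    if [ "${#2}" -gt 160 ]; then echo "REJECT too-long"; return 1; fi
    # Exact match against a closed list: "status; reboot" matches nothing.
    case "$(canonical_text "$2")" in
        "status")      echo "ACTION send-status" ;;
        "tunnel up")   echo "ACTION start-tunnel" ;;
        "tunnel down") echo "ACTION stop-tunnel" ;;
        *)             echo "REJECT unknown-command"; return 1 ;;
    esac
}

# Constructed sample messages; each call prints one decision line.
handle_sms "0031 6 1234 5678" "Tunnel  UP"     || true
handle_sms "+31612345678"     "status; reboot" || true
handle_sms "+15550100"        "tunnel up"      || true
```

The command behind each token is supplied by the caller, so an SMS can only select among actions that are safe to trigger, such as bringing up the reverse ssh tunnel discussed earlier in the thread.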
  • From DeepCore@3:770/3 to All on Tue Dec 29 11:36:34 2020
    On 29.12.2020 at 11:28, A. Dumas wrote:
    ... apparently 192.168.178.0 is a popular choice ...

    Yes, it is the standard default on AVM Fritzbox, the de-facto standard
    internet modem+router in Germany.

    Stumbled once over this when trying out VPNs between my network and my parents...

  • From The Natural Philosopher@3:770/3 to Kurt Weiske on Tue Dec 29 10:56:33 2020
    On 27/12/2020 19:34, Kurt Weiske wrote:
    The Natural Philosopher wrote to Joe <=-

    > It's a common requirement, and the magic codeword is 'M2M' (machine to
    > machine). You'll probably need to go to a specialist SIM provider, the
    > average high-street phone shop salesman won't have a clue what you're
    > talking about.

    TNP> That I did NOT know. That simplifies everything

    We have a handful of T-Mobile 4G hotspots, and that service is
    $5/month, if memory serves. It's a great deal for what possibilities
    it opens up.

    Indeed it is,

    I wouldn't mind having e.g. a streaming wildlife camera down the garden,
    out of wifi range



    --
    There is something fascinating about science. One gets such wholesale
    returns of conjecture out of such a trifling investment of fact.

    Mark Twain

  • From Richard Falken@1:123/115 to Chris Green on Tue Dec 29 06:19:17 2020
    Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
    By: Chris Green to Richard Falken on Tue Dec 29 2020 09:43 am

    I just had a crazy idea.

    Why don't you set a Tor or I2P hidden service for the service running on your boat?

    You can set an i2p node in your Raspberry, and it will work even if the mobile connection the raspberry uses is behind Carrier Grade NAT or whatever have you.

    Your i2p node can get an i2p address assigned. Then you can access it using an i2p client from anywhere in the world.

    Advantage: easy to deploy.
    Disadvantage: You need to install i2p in any machine you want to access the raspberry from.
    Disadvantage 2: It has a bandwidth overhead, so it may damage your bills if they charge you for data volumes.
    Disadvantage 3: Lag is going to be bad, especially if your mobile signal is bad quality. If the mobile signal is reeeeally bad then this approach becomes unusable in practice.
    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (1:123/115)
  • From A. Dumas@3:770/3 to All on Tue Dec 29 12:29:51 2020
    On 29-12-2020 at 11:46, Chris Green wrote:
    A. Dumas <alexandre@dumas.fr.invalid> wrote:
    Chris Green <cl@isbd.net> wrote:
    Neither do I need security, the remote system has no personal
    information on it at all, the only data to be stolen is temperatures,
    voltages and other measurements on my boat.

    You do need security, to prevent it from being taken over by a
    botnet/hacker and getting you banned from the network.

    To prevent what "from being taken over by a botnet/hacker"? If they
    break into my boat and have access to the computer there then there's absolutely nothing that using a VPN will prevent.

    To prevent the Raspberry Pi (or Beagle Bone or whatever) from being
    taken over. It isn't about protecting your humidity sensor readings,
    it's to prevent it becoming part of a botnet used for sending spam or
    DDOS attacks. Admittedly a very low chance, they mainly target always-on
    office Windows PC's, but still worth considering, I think, to prevent it
    being cut off by the network owner. And, you know, to be a decent netizen.

  • From A. Dumas@3:770/3 to Axel Berger on Tue Dec 29 14:06:31 2020
    On 29-12-2020 13:37, Axel Berger wrote:
    Richard Falken wrote:
    followed by the road-warrior setup

    There is a third common usage, the one I use frequently:
    I VPN to the university library and go to a publisher's website. The publisher sees my university IP-address and recognizes me as authorized
    to access his content.

    It is this that allows me to work from home.

    This is ~exactly how the general public now knows "vpn": to pretend to
    be from a different country and circumvent geoblocks on content.
    Unfortunately, but perhaps inherently, these are often dodgy services.

  • From Axel Berger@3:770/3 to Richard Falken on Tue Dec 29 13:37:17 2020
    Richard Falken wrote:
    followed by the road-warrior setup

    There is a third common usage, the one I use frequently:
    I VPN to the university library and go to a publisher's website. The
    publisher sees my university IP-address and recognizes me as authorized
    to access his content.

    It is this that allows me to work from home.


    --
    /¯\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
    \ / HTML | Roald-Amundsen-Straße 2a Fax: +49/ 221/ 7771 8069
     X in | D-50829 Köln-Ossendorf http://berger-odenthal.de
    / \ Mail | -- No unannounced, large, binary attachments, please! --

  • From Chris Green@3:770/3 to Axel Berger on Tue Dec 29 13:17:15 2020
    Axel Berger <Spam@berger-odenthal.de> wrote:
    Richard Falken wrote:
    followed by the road-warrior setup

    There is a third common usage, the one I use frequently:
    I VPN to the university library and go to a publisher's website. The publisher sees my university IP-address and recognizes me as authorized
    to access his content.

    I do that by using a simple proxy setup, one-liner ssh command,
    configure Firefox to use the proxy and it's done.

    --
    Chris Green


  • From The Natural Philosopher@3:770/3 to A. Dumas on Tue Dec 29 13:42:36 2020
    On 29/12/2020 13:06, A. Dumas wrote:
    On 29-12-2020 13:37, Axel Berger wrote:
    Richard Falken wrote:
    followed by the road-warrior setup

    There is a third common usage, the one I use frequently:
    I VPN to the university library and go to a publisher's website. The
    publisher sees my university IP-address and recognizes me as authorized
    to access his content.

    It is this that allows me to work from home.

    This is ~exactly how the general public now knows "vpn": to pretend to
    be from a different country and circumvent geoblocks on content. Unfortunately, but perhaps inherently, these are often dodgy services.

    What the content providers? Yep the UK's BBC (boy buggering communists
    as we call em )are distinctly dodgy ....and you need a VPN or some sort
    of proxy to access them from overseas.


    --
    "In our post-modern world, climate science is not powerful because it is
    true: it is true because it is powerful."

    Lucas Bergkamp

  • From Kees Nuyt@3:770/3 to Deloptes on Tue Dec 29 14:56:07 2020
    On Mon, 28 Dec 2020 14:01:00 +0100, Deloptes <deloptes@gmail.com> wrote:

    I do not know what was mentioned regarding OpenVPN setup, but it took me a while to understand how it works. I choose certificate based
    authentication. So I had to create and deploy certificates for and to the clients I use. This way the client can connect without providing password.

    Nowadays it's easy to set up a VPN server with
    PiVPN <https://pivpn.io/>

    It supports both WireGuard and OpenVPN. The installation
    is "guided", so it's almost impossible to forget a step.

    Warning: Wireguard is great, but often still breaks after
    apt update/upgrade, so for now I prefer OpenVPN.

    --
    Regards,
    Kees Nuyt

  • From Axel Berger@3:770/3 to Chris Green on Tue Dec 29 15:00:27 2020
    Chris Green wrote:
    I do that by using a simple proxy setup, one-liner ssh command,
    configure Firefox to use the proxy and it's done.

    It's me, there's a lot I don't know about networks, but I do not
    understand that sentence at all, not one little bit.


    --
    /¯\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
    \ / HTML | Roald-Amundsen-Straße 2a Fax: +49/ 221/ 7771 8069
     X in | D-50829 Köln-Ossendorf http://berger-odenthal.de
    / \ Mail | -- No unannounced, large, binary attachments, please! --

  • From druck@3:770/3 to Chris Green on Tue Dec 29 14:24:44 2020
    On 28/12/2020 12:46, Chris Green wrote:
    If a router 'supports VPN' what does that actually mean?

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    Yes, decent routers such as the ASUS range (I'm currently using a
    RT-ac86u), have built in VPN clients (PPTP, L2TP and OpenVPN) and servers
    (PPTP, OpenVPN and IPSec VPN).

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?

    If your router supports a VPN server, everything on your LAN works as it
    does now say on 192.168.1.x but there will be an extra subnet say
    192.168.2.x on which any devices connected to the VPN will appear on.
    For those external devices they will think they are part of the
    192.168.1.x LAN.

    When you create your VPN on the router, it will export a configuration
    text file, which you use with your OpenVPN client. Depending on the
    router this will either be usable as is (as my ASUS was) or need a
    little editing (some clients need it split in to config, key and cert
    files).

    ---druck

  • From Joe@3:770/3 to A. Dumas on Tue Dec 29 17:04:31 2020
    On 29 Dec 2020 10:28:14 GMT
    A. Dumas <alexandre@dumas.fr.invalid> wrote:

    Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org>
    wrote:
    The idea is that you have an office in Berlin with LAN A, and an
    office in Washington with LAN B. You configure your routers to
    establish a virtual private network between them so both LANS are
    merged (sort of).

    ie:
    LAN A has subnet 192.168.10.0/
    LAN B has 192.168.20.0/

    Yes, and this is a nice gotcha if you want to connect two networks
    behind the same type of modem/from one isp; they are bound to use the
    same subnet, just their default settings; so the vpn connection won't
    work. I had this once on different modems/isp's; apparently
    192.168.178.0 is a popular choice. Solution is to give one of them a different subnet.

    I've never seen that one, most default networks I've seen have been
    192.168.0., 192.168.1. or 192.168.254. Occasionally 192.168.16.

    But it should be a matter of course to change a new router's network to something fairly random, when you change the admin password. No, you (or
    your mother) don't want to use a VPN now, but one day you might.

    --
    Joe

  • From Kurt Weiske@1:218/700 to Kees Nuyt on Tue Dec 29 09:00:00 2020
    Kees Nuyt wrote to Deloptes <=-

    Nowadays it's easy to set up a VPN server with
    PiVPN <https://pivpn.io/>

    Many appliance routers can run DD-WRT or OpenWRT, and it can act as an
    OpenVPN client or server. I'm about to order a Pi, though, and PiVPN
    looks like a nice tool to use instead - and to get familiar with the
    Pi.

    The one thing I've been trying to figure out is how to use OpenVPN to
    route selected traffic through a local node but route the rest over
    the internet. Netflix doesn't like VPNs, and I want to be able to get
    local TV stations outside of my area with an app that limits
    available channels to your local area. I'm hoping it's easier to set
    up than with DD-WRT.

    kurt weiske | kweiske at realitycheckbbs dot org
    | http://realitycheckbbs.org
    | 1:218/700@fidonet




    ... Discover your formulas and abandon them
    --- MultiMail/XT v0.52
    * Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)
  • From Kurt Weiske@1:218/700 to Axel Berger on Tue Dec 29 09:10:00 2020
    Axel Berger wrote to Chris Green <=-

    Chris Green wrote:
    I do that by using a simple proxy setup, one-liner ssh command,
    configure Firefox to use the proxy and it's done.

    It's me, there's a lot I don't know about networks, but I do not understand that sentence at all, not one little bit.

    The SSH protocol allows for port forwarding, which allows network
    traffic to be routed over it. Connect via SSH to one of the machines
    in your university, configure SSH port forwarding, and with a little
    work all web traffic will go over the ssh tunnel to your university
    and appear to come from your university instead of your home.

    It's a little deep to try and explain off the top of my head, there
    are a lot of tutorials on the web that'll explain it better than I
    can.

    kurt weiske | kweiske at realitycheckbbs dot org
    poindexter fortran | pfortran at realitycheckbbs dot org
    | http://realitycheckbbs.org
    | 1:218/700@fidonet






    ... Discover your formulas and abandon them
  • From Chris Green@3:770/3 to Kurt Weiske on Tue Dec 29 18:27:58 2020
    Kurt Weiske <nospam.Kurt.Weiske@f1.n770.z16309.fidonet.org> wrote:
    Kees Nuyt wrote to Deloptes <=-

    Nowadays it's easy to set up a VPN server with
    PiVPN <https://pivpn.io/>

    Many appliance routers can run DD-WRT or OpenWRT, and it can act as an
    OpenVPN client or server. I'm about to order a Pi, though, and PiVPN
    looks like a nice tool to use instead - and to get familiar with the
    Pi.

    The one thing I've been trying to figure out is how to use OpenVPN to
    route selected traffic through a local node but route the rest over
    the internet. Netflix doesn't like VPNs, and I want to be able to get
    local TV stations outside of my area with an app that limits
    available channels to your local area. I'm hoping it's easier to set
    up than with DD-WRT.

    I think a proxy would be easier, if you have some sort of presence in
    the required area of course.

    --
    Chris Green


  • From Chris Green@3:770/3 to Kurt Weiske on Tue Dec 29 18:26:18 2020
    Kurt Weiske <nospam.Kurt.Weiske@f1.n770.z16310.fidonet.org> wrote:
    Axel Berger wrote to Chris Green <=-

    Chris Green wrote:
    I do that by using a simple proxy setup, one-liner ssh command,
    configure Firefox to use the proxy and it's done.

    It's me, there's a lot I don't know about networks, but I do not understand that sentence at all, not one little bit.

    The SSH protocol allows for port forwarding, which allows network
    traffic to be routed over it. Connect via SSH to one of the machines
    in your university, configure SSH port forwarding, and with a little
    work all web traffic will go over the ssh tunnel to your university
    and appear to come from your university instead of your home.

    It's a little deep to try and explain off the top of my head, there
    are a lot of tutorials on the web that'll explain it better than I
    can.

    In my case I often use it when I'm in France because my library and my
    doctor both require a uk 'user'. So, on my laptop in France I simply
    do:-

    ssh -C2qTnN -D 8080 <somewhere where I have an ssh login in the UK>

    Then in firefox Network Settings simply tell it to use port 8080 as
    the proxy address, job done!

    --
    Chris Green


  • From Axel Berger@3:770/3 to Kurt Weiske on Tue Dec 29 22:42:04 2020
    Kurt Weiske wrote:
    Connect via SSH to one of the machines
    in your university, configure SSH port forwarding, and with a little
    work all web traffic will go over the ssh tunnel to your university
    and appear to come from your university instead of your home.

    Not for me then. Our university offers a VPN for all students but I have
    no access to any of its actual computers.


    --
    /¯\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
    \ / HTML | Roald-Amundsen-Straße 2a Fax: +49/ 221/ 7771 8069
     X in | D-50829 Köln-Ossendorf http://berger-odenthal.de
    / \ Mail | -- No unannounced, large, binary attachments, please! --
