Computer Nerd Kev <not@telling.you.invalid> wrote:

Chris Green <cl@isbd.net> wrote:

Theo <theom+news@chiark.greenend.org.uk> wrote:

Chris Green <cl@isbd.net> wrote:

OK, my current WiFi set up is (as a mobile connection would be) behind >> > a NAT router and I set up reverse ssh tunnels to allow me to connect
'on demand' to the Pi (BBB). So I can do exactly the same using the
mobile data connection.

Will the mobile provider object to the connection being up all the
time but with virtually no data going through it?

Mobile networks are often quite aggressive at killing idle connections
through their CG-NAT - 30 seconds idle is common, for example. To avoid >> that you have to send keepalives, which will gradually consume your data >> allowance.

But a keepalive is only a character (or two), even if it sends a TCP
packet as a result that's 1500 bytes. Say 600 keepalives per Mb,
that's only a few Mb per day which shouldn't cost too much.

This depends on the provider. I've been using mobile broadband for
my home internet for years, from various providers. At least one
rounded up the data used over certain connection periods for
charging purposes. Maybe you'll avoid that if the connection never
does go dead, but on the other hand it might trigger regular
round-ups to 1MB just because an open connection gets rounded up
to 1MB every so often by their system.

This is a "try it and see" sort of thing, terms of service
documents can be long and detailed, but often don't actually match
the reality of how their system works. Some providers round up by
KB instead of MB, by the way.

This is based on experience with mobile broadband providers in
Australia only.

Yes, absolutely, trying to find the *actual* way they charge is very
often well nigh impossible and they usually don't know themselves (or
at least the people you talk to don't know).

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Computer Nerd Kev <not@telling.you.invalid> wrote:

The Natural Philosopher <tnp@invalid.invalid> wrote:

On 27/12/2020 14:12, David Higton wrote:

If you have no idea of its IP address, then it gets somewhat harder.

By definition on a mobile network its behind a HUGE NAT proxy. Unless
you are supremely lucky and you het an IPV6 address

Yes that's the case for any "normal" account. In Australia there
is/was at least one reseller offering mobile broadband accounts
with a fixed IPv4 address, on either the Telstra or Optus networks.
You paid for it of course, but it wasn't big $$$.

Odds are that the OP isn't in Australia, so I won't bother trying to
dig up the link. But I'm guessing that there would be similar
options in their country if they looked hard enough. Mobile
broadband is now used quite a bit in industry for this sort of
thing.

OP here - I'm in the UK but the system this is for will be in France.
So digging out specialist providers and such is one level more
difficult than doing it 'at home'.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Sun, 27 Dec 2020 21:34:33 +0000
Chris Green <cl@isbd.net> wrote:

Joe <joe@jretrading.com> wrote:

On Sun, 27 Dec 2020 20:28:52 +0000
Chris Green <cl@isbd.net> wrote:

Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:

You have also a need to provide routing from the internal
network to the OpenVPN daemon for the subnet (or host) to
tunnel via the VPN.

Ay? I'm not at all sure what you mean by this.

I think what he means is that using a VPN from a single computer
doesn't need any routing changes, but if you want one computer to
handle VPN for other local computers, and the VPN machine is not the network's default gateway, then you need to tell the other computers
that the VPN computer is the gateway to the distant network. The
simplest way is with a DCHP configuration. I recall using a Win2000 workstation as a VPN server for a remote office and needing to do
this.

Hmm!! I don't see how that makes sense. 'Using VPN from a single
computer' when the 'single computer' is on a LAN - but then it all
goes to pot doesn't it? Either the computer is on one's LAN or it's
in a VPN with the remote but it can't really do both can it?

Yes, it can. A VPN client behaves as a computer with two (or more)
network interfaces. A single workstation client will by default route
its outgoing packets to its VPN client software for transmission down
the tunnel (obviously except the VPN protocol packets themselves,
which are routed as normal through the computer's hardware network
interface), but the hardware interface can still accept packets from
other local computers, and may be configured to also route some or all
of them into the VPN. It's also obvious why the network address for
local LAN and remote network must be different, having the same network
address on two interfaces of the same computer never works well.

Three VPN scenarios:

1) Default gateway router is a VPN client to a remote network. All
outgoing packets (except the VPN protocol itself) go through the VPN.
All computers using the router automatically use the VPN with no change
in routing necessary.

2) Single workstation is the VPN client. All its packets route through
the VPN. No routing change required. All other computers in the local
LAN unaffected.

3) Computer within the LAN (i.e. not the default gateway) is the VPN
client to the remote network. Other local computers which wish to use
the VPN must treat the VPN client as the gateway to the remote
network(s), so a routing change in the client is required, as well as
enabling IP forwarding in the VPN computer and possibly adjusting its
firewall.

The first and last are 'site-to-site' VPNs, handling multiple clients.
Best done by scenario 1), but can be done by 3) if the gateway cannot
be a client of the VPN type required. Most modern routers can be client
or server to some VPN types e.g. IPSec and PPTP, but not usually
OpenVPN.

Note that many types of VPN (e.g. IPSec and PPTP) can only support one
tunnel between a given pair of IP addresses. OpenVPN can use any port,
so multiple tunnels are allowed, but IPSec and PPTP both use a TCP
control channel and another IP protocol which does not have the concept
of ports. So two or more workstations within the same (NATed) LAN must
use site-to-site to reach the same remote network if using one of these
VPN types.

--
Joe

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 27/12/2020 20:28, Chris Green wrote:

Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:

On 27.12.20 20.04, Chris Green wrote:
If your OpenVPN machine is not the same as the incoming firewall/router,
you do need port forward from the outside to the OpenVPN machine. The
usual port is UDP/1194.

You have also a need to provide routing from the internal network
to the OpenVPN daemon for the subnet (or host) to tunnel via the VPN.

Ay? I'm not at all sure what you mean by this.

Here's your network

a) Router
b) OpenVPN server
c) Other local machine(s)

and

d) Remote machine

You need to set up your router so it forwards port UDP/1194 to the IP
address of OpenVPN server (b), as the OpenVPN client on (d) will connect
to the external (WAN) address of (a), and this traffic is handled by (b).

The OpenVPN server on (b) will assign a private subnet for the remote
devices which is different to your local network subnet. When OpenVPN
server is running on the router it will use DHCP to tell the other local machines (c) to route this subnet through it. But if you are using a
separate OpenVPN server (b), you either need to manually add a route to
its DHCP table, or set up the routing on each the other machines (c) so
the remote subnet is routed via (b), rather than defaulting to the router.

That all seemed a lot easier to explain before I started writing this post!

---druck

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 28/12/2020 11:07, Joe wrote:

The first and last are 'site-to-site' VPNs, handling multiple clients.
Best done by scenario 1), but can be done by 3) if the gateway cannot
be a client of the VPN type required. Most modern routers can be client
or server to some VPN types e.g. IPSec and PPTP, but not usually
OpenVPN.

Asus router support OpenVPN client and server out of the box. Any router supported by OpenWrt is also OK.

---druck

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Chris Green wrote:

OP here - I'm in the UK but the system this is for will be in France.
So digging out specialist providers and such is one level more
difficult than doing it 'at home'.

I have my parents in another country and they use linux PC. I and they have dynamic IP.

I have setup DDNS with no-ip.org at home and have a physical PC (industrial Geode from 2007) that I use as firewall and VPN (with OpenVPN). On the
modem I configured forwarding of all traffic to the FW. On my parents PC I
have a script that checks a URL on my home apache server (vie the DDNS)
that simply replies with YES or NO. If YES it starts the OpenVPN on the
remote (my parents) PC and connects to my FW if NO it stops the VPN on the remote PC. Then when connected, I use the VPN IP to connect to their PC in
the VPN network.

Same can be achieved with mobile network - there are hubs with SIM cards to provide internet in regions where there is no fast internet connection, or simply to carry with you and use anywhere. The process would be the same because what matters is the DDNS and your VPN. As soon the client connects
to the server you can access the client over the VPN IP. As it was stated
you have to "push" the routes from/to your local network.

So you say you are located in the UK and have a local network with, let's
say, 192.168.1.0/24. Your VPN has 10.1.1.0/24. The OpenVPN will push a
route to the client in France to the gateway in 192.168.1.0 and route the traffic from 10.1.1.0 to 192.168.1.0. This way you can access anything on 10.1.1.0 from 192.168.1.0.

I got tired following the whole thread ... the described setup is a common practice and I do not understand why so many posts. Forgive me if I
repeated or misunderstood something.

I do not know what was mentioned regarding OpenVPN setup, but it took me a while to understand how it works. I choose certificate based
authentication. So I had to create and deploy certificates for and to the clients I use. This way the client can connect without providing password.

Another use of this is when I travel - from the companies Windows Notebook
or my linux notebook I can connect on demand to the VPN at home. This setup
is more than 10y old - I'm not sure but I think I did it in 2008 or 2009 - never failed - except be careful when you update the system of course :)

regards

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

druck <news@druck.org.uk> wrote:

On 28/12/2020 11:07, Joe wrote:

The first and last are 'site-to-site' VPNs, handling multiple clients.
Best done by scenario 1), but can be done by 3) if the gateway cannot
be a client of the VPN type required. Most modern routers can be client
or server to some VPN types e.g. IPSec and PPTP, but not usually
OpenVPN.

Asus router support OpenVPN client and server out of the box. Any router supported by OpenWrt is also OK.

If a router 'supports VPN' what does that actually mean?

Presumably it doesn't mean that the router runs as a VPN server, or
does it?

If my router supports VPN (which it does, a Draytek 2860N) and I
enable it what else needs to happen to make it useful? ... and what
does my LAN behind the router look like, is it *all* on the VPN by
default or what? ... and how do I connect a remote system to the VPN?


--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Mon, 28 Dec 2020 12:46:56 +0000
Chris Green <cl@isbd.net> wrote:

druck <news@druck.org.uk> wrote:

Asus router support OpenVPN client and server out of the box. Any
router supported by OpenWrt is also OK.

If a router 'supports VPN' what does that actually mean?

There are many varieties of VPN using different protocols OpenVPN
is just one of them (other common ones are IPSec and PPTP), many consider
it the best of them.

Presumably it doesn't mean that the router runs as a VPN server, or
does it?

It might depending on what support is on the router - nearly all routers will act as PPTP client not so many as anything else. As mentioned above Asus and routers running OpenWrt support OpenVPN both as client and server.

If my router supports VPN (which it does, a Draytek 2860N) and I
enable it what else needs to happen to make it useful? ... and what

I could be wrong but I'm pretty sure the Draytek routers only
support being a PPTP client so that they can connect you to a corporate
VPN. To be certain you'd have to look in the Draytek documentation.

--
Steve O'Hara-Smith | Directable Mirror Arrays C:\>WIN | A better way to focus the sun
The computer obeys and wins. | licences available see
You lose and Bill collects. | http://www.sohara.org/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

The Natural Philosopher wrote to Joe <=-

It's a common requirement, and the magic codeword is 'M2M' (machine to machine). You'll probably need to go to a specialist SIM provider, the average high-street phone shop salesman won't have a clue what you're talking about.

That I did NOT know. That simplifies everything

We have a handful of T-Mobile 4G hotspots, and that service is
$5/month, if memory serves. It's a great deal for what possibilities
it opens up.



... Are there sections? Consider transitions
--- MultiMail/XT v0.52
* Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)

Martin Gregorie wrote to Chris Green <=-

IOW it does about the same job as the wifi link on a Pi 3, 4 or Zero W except that it preferentially connects to a 3G or 4G base station
rather than to the nearest wifi router.

Getting the carrier to provision them properly may be tough. I have a
Thinkpad laptop with a SIM slot for a Gobi card, but if I slot in a
working GSM sim, it doesn't work. Don't know if they're locked to a
specific carrier or need to be provisioned differently to work.

kurt weiske | kweiske at realitycheckbbs dot org
| http://realitycheckbbs.org
| 1:218/700@fidonet




--- MultiMail/XT v0.52
* Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)

Chris Green <cl@isbd.net> wrote:

OP here - I'm in the UK but the system this is for will be in France.
So digging out specialist providers and such is one level more
difficult than doing it 'at home'.

Just a thought, but have you considered using SMS to ask the remote end to initiate the connection?

You send a text saying 'wake up now', the boat receives it, 'dials' a 3G/LTE connection and connects to your VPN (or SSH tunnel). Now you can access it. After a while of inactivity it drops the connection and goes back to sleep.

If the duty cycle is low (eg you connect for 5 minutes a week) it could work out cheaper than having an always-on VPN connection that's consuming traffic
in keepalives.

That also means you can use any SIM you like, so pick whatever tariff suits you.

Typically, dongles provide multiple USB-UART channels - one for the PPP data connection, another for signal stats and SMS, maybe a third for something
else (GPS?). I don't know the best framework for handling the SMS side, but
at the least something polling it with AT commands would do.

Theo

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Mon, 28 Dec 2020 08:37:00 +1300, Kurt Weiske wrote:

Getting the carrier to provision them properly may be tough. I have a
Thinkpad laptop with a SIM slot for a Gobi card, but if I slot in a
working GSM sim, it doesn't work. Don't know if they're locked to a
specific carrier or need to be provisioned differently to work.

Fair comment. The only GSM dongle I've tried or needed to try, back in
2004, came with a Vodafone sim. However, it turned out that I was in a
not-spot where the dongle would connect, but couldn't transfer data.

Fortunately, I was able to send it back and get a refund.

BTW, the program I used to access the dongle on an old Lenovo running Red
Hat Linux 7.1 (that dates it!), gcom, was a command-line utility that
executed a user-modifiable script to connect to the network and manage
data transfers. I don't know if its still around or needed, but the documentation was excellent and all in its manpage.


--
--
Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Kurt Weiske wrote:

We have a handful of T-Mobile 4G hotspots, and that service is
$5/month, if memory serves.

That actually sounds reasonable. Whenever I come across a non-free
hotspot around here it's something like 5$ per hour. I'm never sure
whether it's me losing his mind and going off the rocker or they are.


--
/�\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
\ / HTML | Roald-Amundsen-Stra�e 2a Fax: +49/ 221/ 7771 8069
�X in | D-50829 K�ln-Ossendorf http://berger-odenthal.de
/ \ Mail | -- No unannounced, large, binary attachments, please! --

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Mon, 28 Dec 2020 12:46:56 +0000
Chris Green <cl@isbd.net> wrote:

druck <news@druck.org.uk> wrote:

On 28/12/2020 11:07, Joe wrote:

The first and last are 'site-to-site' VPNs, handling multiple
clients. Best done by scenario 1), but can be done by 3) if the
gateway cannot be a client of the VPN type required. Most modern
routers can be client or server to some VPN types e.g. IPSec and
PPTP, but not usually OpenVPN.

Asus router support OpenVPN client and server out of the box. Any
router supported by OpenWrt is also OK.

If a router 'supports VPN' what does that actually mean?

There are two levels: first is to pass the VPN protocol at all, in
either direction. This isn't relevant to OpenVPN, but some other types
of VPN use two channels like FTP. Like FTP, they require a conntrack
module in the stateful firewall to associate the two channels, to allow
one to pass when only the other has been seen by the firewall. I've
seen routers that supposedly have 'PPTP passthrough' which do not, in
fact, do it correctly. VPNs are an afterthought to router
manufacturers. Draytek was always notable for having better VPN
implementations than most other makes at a comparable price.

Secondly there is actual VPN client or server support, often described
as 'VPN endpoint'.

Presumably it doesn't mean that the router runs as a VPN server, or
does it?

At the second level, yes.

If my router supports VPN (which it does, a Draytek 2860N) and I
enable it what else needs to happen to make it useful?

It depends on the type of VPN. Some like OpenVPN are normally secured
by certificates, some just by password. They will often need a key at
both ends for use in the symmetrical encryption. Asymmetrical encryption
can be provided by the certificate, but that is generally too slow to
have a decent performance.

... and what
does my LAN behind the router look like, is it *all* on the VPN by
default or what? ... and how do I connect a remote system to the VPN?

If the router is the endpoint, then all the LAN is potentially
available to the client. If the router has a decent firewall user
interface, then access can be tailored so that only certain LAN
computers are visible. Ideally the router should connect to the LAN via
a separate firewall computer running iptables or nftables, which allow
very fine-grained control in forwarding. Of course, the LAN computer
firewalls can also permit packets on only certain ports when arriving
from the router.

... and how do I connect a remote system to the VPN?

Give the VPN client the public IP address or hostname, and tell it to
connect. Network Manager works fairly well these days, and has plugins
for some VPNs. Obviously arrange for the client to have any keys or certificates it requires. It is wise to have human intervention required
e.g. to have a private key encrypted with a good passphrase which is not entrusted to the VPN client, so if the key becomes compromised it can
be cancelled and replaced without much risk of intrusion. I keep
OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
lose a laptop, my home network is still safe, and if I lose the wallet,
the encryption passphrase isn't stored on the stick.

--
Joe

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
By: Chris Green to druck on Mon Dec 28 2020 12:46 pm

If a router 'supports VPN' what does that actually mean?

Presumably it doesn't mean that the router runs as a VPN server, or
does it?

If my router supports VPN (which it does, a Draytek 2860N) and I
enable it what else needs to happen to make it useful? ... and what
does my LAN behind the router look like, is it *all* on the VPN by
default or what? ... and how do I connect a remote system to the VPN?

VPN capable routers are used mainly for enterprise /small businesses.

The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).

ie:

LAN A has subnet 192.168.10.0/

LAN B has 192.168.20.0/

The router generated VPN makes it so a computer in LAN A can use a network printer with ip 192.168.20.5 in LAN B, access a file server which is not allowed traffic to the open internet at 192.168.20.11 (LAN B) etc as if both networks where directlñy connected, instead of separated by the whole Internet. In fact the connection between the two networks is encrypted and thus deemed private.

This is the most common scenario that you find documented for VPN enabled routers, followed by the road-warrior setup (you use VPN in order to allow a laptop using an insecure LAN connect to your office in Berlin and access resources in LAN A as if the laptop was in Berlin's office).

--
gopher://gopher.richardfalken.com/1/richardfalken
--- SBBSecho 3.11-Linux
* Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (1:123/115)

Joe <joe@jretrading.com> wrote:

If my router supports VPN (which it does, a Draytek 2860N) and I
enable it what else needs to happen to make it useful?

It depends on the type of VPN. Some like OpenVPN are normally secured
by certificates, some just by password. They will often need a key at
both ends for use in the symmetrical encryption. Asymmetrical encryption
can be provided by the certificate, but that is generally too slow to
have a decent performance.

I guess that's part of my issue with all this. I don't need speed,
all I need is something fast enough to handle interactive terminal
usage. Neither do I need security, the remote system has no personal information on it at all, the only data to be stolen is temperatures,
voltages and other measurements on my boat.

All I need is a reliable piece of wet string between me and the SBC on
the boat. :-)

... and what
does my LAN behind the router look like, is it *all* on the VPN by
default or what? ... and how do I connect a remote system to the VPN?

If the router is the endpoint, then all the LAN is potentially
available to the client. If the router has a decent firewall user
interface, then access can be tailored so that only certain LAN
computers are visible. Ideally the router should connect to the LAN via
a separate firewall computer running iptables or nftables, which allow
very fine-grained control in forwarding. Of course, the LAN computer firewalls can also permit packets on only certain ports when arriving
from the router.

I don't need or want any of that, the remote machine doesn't need to
be able to see my home LAN at all, it's the other direction I need.

... and how do I connect a remote system to the VPN?

Give the VPN client the public IP address or hostname, and tell it to connect. Network Manager works fairly well these days, and has plugins
for some VPNs.

It's a headless system so command line only and I want it to be able
to boot up into a connected state without any local interaction.

Obviously arrange for the client to have any keys or certificates it requires. It is wise to have human intervention required
e.g. to have a private key encrypted with a good passphrase which is not entrusted to the VPN client, so if the key becomes compromised it can
be cancelled and replaced without much risk of intrusion. I keep
OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
lose a laptop, my home network is still safe, and if I lose the wallet,
the encryption passphrase isn't stored on the stick.

Yes, VPNs aren't really designed for what I want to do are they!

It's possible to use a VPN to get to what I want but it's hardly the obvious/ideal way to do it.

I think in reality my existing setup (behind a WiFi NAT firewall)
using ssh tunnels is much closer to what I need than a VPN. It'll
work just as well behind a 3G/4G router that's NAT'ted.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org> wrote:

Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
By: Chris Green to druck on Mon Dec 28 2020 12:46 pm

If a router 'supports VPN' what does that actually mean?

Presumably it doesn't mean that the router runs as a VPN server, or
does it?

If my router supports VPN (which it does, a Draytek 2860N) and I
enable it what else needs to happen to make it useful? ... and what
does my LAN behind the router look like, is it *all* on the VPN by
default or what? ... and how do I connect a remote system to the VPN?

VPN capable routers are used mainly for enterprise /small businesses.

The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).

ie:

LAN A has subnet 192.168.10.0/

LAN B has 192.168.20.0/

The router generated VPN makes it so a computer in LAN A can use a network printer with ip 192.168.20.5 in LAN B, access a file server which is not allowed traffic to the open internet at 192.168.20.11 (LAN B) etc as if both networks where directl??y connected, instead of separated by the whole Internet. In fact the connection between the two networks is encrypted and thus
deemed private.

This is the most common scenario that you find documented for VPN enabled routers, followed by the road-warrior setup (you use VPN in order to allow a laptop using an insecure LAN connect to your office in Berlin and access resources in LAN A as if the laptop was in Berlin's office).

Thanks for that beautifully clear explanation, it's this sort of thing
that is *far* from obvious when you look at how tos for VPNs.

I guess it's the 'road-warrior setup' is nearest to what I want to do
though in reality the 'insecure LAN' involved is just one computer.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Chris Green <cl@isbd.net> wrote:

Neither do I need security, the remote system has no personal
information on it at all, the only data to be stolen is temperatures, voltages and other measurements on my boat.

You do need security, to prevent it from being taken over by a
botnet/hacker and getting you banned from the network. Also if you have a
vpn connection, it's effectively on your home lan.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

A. Dumas <alexandre@dumas.fr.invalid> wrote:

Chris Green <cl@isbd.net> wrote:

Neither do I need security, the remote system has no personal
information on it at all, the only data to be stolen is temperatures, voltages and other measurements on my boat.

You do need security, to prevent it from being taken over by a
botnet/hacker and getting you banned from the network.

To prevent what "from being taken over by a botnet/hacker"? If they
break into my boat and have access to the computer there then there's absolutely nothing that using a VPN will prevent. As I've said it has
to be capable of restarting with the connection in place without my interaction. A VPN doesn't help in the slightest as far as I can see.

Also if you have a
vpn connection, it's effectively on your home lan.

Exactly the problem, I don't need this at all. I want communication
in the other direction only.

Getting back to my original requirement:-

I want to communicate *from* my home system to a headless SBC.

The headless SBC (Pi or whatever) can connect to the internet but
it's almost certainly going to be behind a NAT/firewall of some
sort.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org> wrote:

The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).

ie:
LAN A has subnet 192.168.10.0/
LAN B has 192.168.20.0/

Yes, and this is a nice gotcha if you want to connect two networks behind
the same type of modem/from one isp; they are bound to use the same subnet, just their default settings; so the vpn connection won't work. I had this
once on different modems/isp's; apparently 192.168.178.0 is a popular
choice. Solution is to give one of them a different subnet.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 28/12/2020 16:53, Theo wrote:

Chris Green <cl@isbd.net> wrote:

OP here - I'm in the UK but the system this is for will be in France.
So digging out specialist providers and such is one level more
difficult than doing it 'at home'.

Just a thought, but have you considered using SMS to ask the remote end to initiate the connection?

How does a Pi receive SMS?

How does a phone receive SMS if it isn't 'always on'

I don't know the best framework for handling the SMS side, but
at the least something polling it with AT commands would do.

because its always on?



--
“when things get difficult you just have to lie”

― Jean Claud Jüncker

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On a sunny day (Tue, 29 Dec 2020 09:59:11 +0000) it happened Chris Green <cl@isbd.net> wrote in <f8brbh-qhf2.ln1@esprimo.zbmc.eu>:

I guess that's part of my issue with all this. I don't need speed,
all I need is something fast enough to handle interactive terminal
usage. Neither do I need security, the remote system has no personal >information on it at all, the only data to be stolen is temperatures, >voltages and other measurements on my boat.

All I need is a reliable piece of wet string between me and the SBC on
the boat. :-)

Depends on your programing skills
I wrote
smsio.c
http://panteltje.com/panteltje/newsflex/download.html#smsio
it receives SMS with a Huawei 3G/4G modem and then executes a script (that you will need to write to do things).
In that script (up to you) you should parse for YOUR phone number and some commands (like "knock out pirates" or "stop motor").

The other way around, from boat to your phone via SMS, I wrote the script 'ssms'
it is part of xgpspc:
http://panteltje.com/panteltje/xgpspc/index.html
scroll down to
Anchor drift and water in boat alarm with SMS and PMR radio alert

Very basically it works like this, raspi measures things like GPS location, water level in bilge, some other things, compares it to some setpoints,
and sends SMS to your phone every 15 minutes if an error condition persists.
It can notify over radio too if needed.

You can repy to that SMS from your phone with an other SMS with some predefined commands as shown above.

But anyways ssms (send SMS part of xgpspc) is like this:
#!/bin/bash

# ssms
# sends SMS message to a Huawei G3 USB stick, stick must be in data mode with usb_modeswitch

let error=0

if [ "$1" == "" ]
then
let error=1
fi

if [ "$2" == "" ]
then
let error=1
fi

if [ "$3" == "" ]
then
let error=1
fi

if [ "$4" == "" ]
then
let error=1
fi

if [ $error == "1" ]
then
echo "Usage:"
echo "ssms PIN phone_number device_name message"

echo "Example:"
echo "ssms 1234 31612345678 /dev/ttyUSB4 \"hello there\""

echo " WARNING ssms WILL NOT WARN IF WRONG PIN IS ENTERED!!!!"
exit 1
fi

# For now we ignore any response from the USB modem
# so if it does not work you don't know why.

# send PIN
echo -en "AT+CPIN=\"$1\"\r" > $3
sleep 1

# request text mode
echo -en "AT+CMGF=1\r" >> $3 sleep 1

# send phone number
echo -en "AT+CMGS=\"+$2\"\r" >> $3
sleep 1

# send SMS message 0, terminated with ctrl Z
echo -en "$4\x1a\r" >> $3

echo "ready SMS send"

exit 0



This then runs on your boat with whatever data you want to send,

When nothing out of the ordinary happens no SMS is sent.

Not sure this helps, is more for programmers....

Some pseudo code:

while true
do
measure water_level
if( water_level >= up to chin)
ssms PIN YOUR_PHONENUMBER /dev/ttyUSB1 \"blub blub blub\"
sleep 10*60
done

while true
do
measure GPS_position
if(distance GPS_position - anchor_GPS_position >= 20 meter)
ssms PIN YOUR_PHONENUMBER /dev/ttyUSB1 \"adrift at $GPS_position\"
sleep 10*60
done

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Am 29.12.2020 um 11:28 schrieb A. Dumas:

... apparently 192.168.178.0 is a popular choice ...

Yes, it is the standard default on AVM Fritzbox, the de-facto standard
internet modem+router in Germany.

Stumbled once over this when trying out VPNs between my network and my parents...

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 27/12/2020 19:34, Kurt Weiske wrote:

The Natural Philosopher wrote to Joe <=-

> It's a common requirement, and the magic codeword is 'M2M' (machine to
> machine). You'll probably need to go to a specialist SIM provider, the
> average high-street phone shop salesman won't have a clue what you're
> talking about.

TNP> That I did NOT know. That simplifies everything

We have a handful of T-Mobile 4G hotspots, and that service is
$5/month, if memory serves. It's a great deal for what possibilities
it opens up.

Indeed it is,

I wouldnt mkind having e.g. a streaming wildlife camera down te garden,
out of wifi range



--
There is something fascinating about science. One gets such wholesale
returns of conjecture out of such a trifling investment of fact.

Mark Twain

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
By: Chris Green to Richard Falken on Tue Dec 29 2020 09:43 am

I just had a crazy idea.

Why don't you set a Tor or I2P hidden service for the service running on your boat?

You can set an i2p node in your Raspberry, and it will work even if the mobile connection the raspberry uses is behind Carrier Grade NAT or whatever have you.

Your i2p node can get an i2p address assigned. Then you can access it using an i2p client from anywhere in the world.

Advantage: easy to deploy.
Disadvantage: You need to install i2p in any machine you want to access the raspberry from.
Disadvantage 2: It has a bandwidth overhead, so it may damage your bills if they charge you for data volumes.
Disadvantage 3: Lag is going to be bad, specially is your mobile signal is bad quality. If the mobile signal is reeeeally bad then this approach becomes unusable in practice.
--
gopher://gopher.richardfalken.com/1/richardfalken
--- SBBSecho 3.11-Linux
* Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (1:123/115)

Op 29-12-2020 om 11:46 schreef Chris Green:

A. Dumas <alexandre@dumas.fr.invalid> wrote:

Chris Green <cl@isbd.net> wrote:

Neither do I need security, the remote system has no personal
information on it at all, the only data to be stolen is temperatures,
voltages and other measurements on my boat.

You do need security, to prevent it from being taken over by a
botnet/hacker and getting you banned from the network.

To prevent what "from being taken over by a botnet/hacker"? If they
break into my boat and have access to the computer there then there's absolutely nothing that using a VPN will prevent.

To prevent the Raspberry Pi (or Beagle Bone or whatever) from being
taken over. It isn't about protecting your humidity sensor readings,
it's to prevent it becoming part of a botnet used for sending spam or
DDOS attacks. Admittedly a very low chance, they mainly target always-on
office Windows PC's, but still worth considering, I think, to prevent it
being cut off by the network owner. And, you know, to be a decent netizen.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 29-12-2020 13:37, Axel Berger wrote:

Richard Falken wrote:

followed by the road-warrior setup

There is a third common useage, the one I use frequently:
I VPN to the universtity library and go to a publisher's website. The publisher sees my university IP-address and recognizes me as authorized
to access his content.

It is this that allows me to work from home.

This is ~exactly how the general public now knows "vpn": to pretend to
be from a different country and circumvent geoblocks on content.
Unfortunately, but perhaps inherently, these are often dodgy services.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Richard Falken wrote:

followed by the road-warrior setup

There is a third common useage, the one I use frequently:
I VPN to the universtity library and go to a publisher's website. The
publisher sees my university IP-address and recognizes me as authorized
to access his content.

It is this that allows me to work from home.


--
/�\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
\ / HTML | Roald-Amundsen-Stra�e 2a Fax: +49/ 221/ 7771 8069
�X in | D-50829 K�ln-Ossendorf http://berger-odenthal.de
/ \ Mail | -- No unannounced, large, binary attachments, please! --

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Axel Berger <Spam@berger-odenthal.de> wrote:

Richard Falken wrote:

followed by the road-warrior setup

There is a third common useage, the one I use frequently:
I VPN to the universtity library and go to a publisher's website. The publisher sees my university IP-address and recognizes me as authorized
to access his content.

I do that by using a simple proxy setup, one-liner ssh command,
configure Firefox to use the proxy and it's done.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 29/12/2020 13:06, A. Dumas wrote:

On 29-12-2020 13:37, Axel Berger wrote:

Richard Falken wrote:

followed by the road-warrior setup

There is a third common useage, the one I use frequently:
I VPN to the universtity library and go to a publisher's website. The
publisher sees my university IP-address and recognizes me as authorized
to access his content.

It is this that allows me to work from home.

This is ~exactly how the general public now knows "vpn": to pretend to
be from a different country and circumvent geoblocks on content. Unfortunately, but perhaps inherently, these are often dodgy services.

What the content providers? Yep the UK's BBC (boy buggering communists
as we call em )are distinctly dodgy ....and you need a VPN or some sort
of proxy to access them from overseas.


--
"In our post-modern world, climate science is not powerful because it is
true: it is true because it is powerful."

Lucas Bergkamp

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Mon, 28 Dec 2020 14:01:00 +0100, Deloptes <deloptes@gmail.com> wrote:

I do not know what was mentioned regarding OpenVPN setup, but it took me a while to understand how it works. I choose certificate based
authentication. So I had to create and deploy certificates for and to the clients I use. This way the client can connect without providing password.

Nowadays it's easy to set up a VPN server with
PiVPN <https://pivpn.io/>

It supports both WireGuard and OpenVPN. The installation
is "guided", so it's almost impossible to forget a step.

Warning: Wireguard is great, but often still breaks after
apt update/upgrade, so for now I prefer OpenVPN.

--
Regards,
Kees Nuyt

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Chris Green wrote:

I do that by using a simple proxy setup, one-liner ssh command,
configure Firefox to use the proxy and it's done.

It's me, there's a lot I don't know about networks, but I do not
understand that sentence at all, not one little bit.


--
/�\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
\ / HTML | Roald-Amundsen-Stra�e 2a Fax: +49/ 221/ 7771 8069
�X in | D-50829 K�ln-Ossendorf http://berger-odenthal.de
/ \ Mail | -- No unannounced, large, binary attachments, please! --

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 28/12/2020 12:46, Chris Green wrote:

If a router 'supports VPN' what does that actually mean?

Presumably it doesn't mean that the router runs as a VPN server, or
does it?

Yes, decent routers such as the ASUS range (I'm currently using a
RT-ac86u), have built in VPN clients (PPTP, L2TP and OpenVPN) and severs
(PPTP, OpenVPN and IPSec VPN).

If my router supports VPN (which it does, a Draytek 2860N) and I
enable it what else needs to happen to make it useful? ... and what
does my LAN behind the router look like, is it *all* on the VPN by
default or what? ... and how do I connect a remote system to the VPN?

If your router supports a VPN server, everything on your LAN works as it
does now say on 192.168.1.x but there will be an extra subnet say
192.168.2.x on which any devices connected to the VPN will appear on.
For those external devices they will think they are part of the
192.168.1.x LAN.

When you create your VPN on the router, it will export a configuration
text file, which you use with your OpenVPN client. Depending on the
router this will either be usable as is (as my ASUS was) or need a
little editing (some clients need it split in to config, key and cert
files).

---druck

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 29 Dec 2020 10:28:14 GMT
A. Dumas <alexandre@dumas.fr.invalid> wrote:

Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org>
wrote:

The idea is that you have an office in Berlin with LAN A, and an
office in Washington with LAN B. You configure your routers to
establish a virtual private network between them so both LANS are
merged (sort of).

ie:
LAN A has subnet 192.168.10.0/
LAN B has 192.168.20.0/

Yes, and this is a nice gotcha if you want to connect two networks
behind the same type of modem/from one isp; they are bound to use the
same subnet, just their default settings; so the vpn connection won't
work. I had this once on different modems/isp's; apparently
192.168.178.0 is a popular choice. Solution is to give one of them a different subnet.

I've never seen that one, most default networks I've seen have been
192.168.0., 192.168.1. or 192.168.254. Occasionally 192.168.16.

But it should be a matter of course to change a new router's network to something fairly random, when you change the admin password. No, you (or
your mother) don't want to use a VPN now, but one day you might.

--
Joe

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Kees Nuyt wrote to Deloptes <=-

Nowadays it's easy to set up a VPN server with
PiVPN <https://pivpn.io/>

Many appliance routers can run DD-WRT or OpenWRT, and it can act as a
OpenVPN client or server. I'm about to order a Pi, though, and PiVPN
looks like a nice tool to use instead - and to get familiar with the
Pi.

The one thing I've been trying to figure out is how to use OpenVPN to
route selected traffic through a local node but route the rest over
the internet. Netflix doesn't like VPNs, and I want to be able to get
local TV stations outside of my area with an app that limits
available channels to your local area. I'm hoping it's easier to set
up than with DD-WRT.

kurt weiske | kweiske at realitycheckbbs dot org
| http://realitycheckbbs.org
| 1:218/700@fidonet




... Discover your formulas and abandon them
--- MultiMail/XT v0.52
* Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)

Axel Berger wrote to Chris Green <=-

Chris Green wrote:

I do that by using a simple proxy setup, one-liner ssh command,
configure Firefox to use the proxy and it's done.

It's me, there's a lot I don't know about networks, but I do not understand that sentence at all, not one little bit.

The SSH protocol allows for port forwarding, which allows network
traffic to be routed over it. Connect via SSH to one of the machines
in your university, configure SSH port forwarding, and with a little
work all web traffic will go over the ssh tunnel to your university
and appear to come from your university instead of your home.

It's a little deep to try and explain off the top of my head, there
are a lot of tutorials on the web that'll explain it better than I
can.

kurt weiske | kweiske at realitycheckbbs dot org
poindexter fortran | pfortran at realitycheckbbs dot org
| http://realitycheckbbs.org
| 1:218/700@fidonet






... Discover your formulas and abandon them
--- MultiMail/XT v0.52
* Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)

Kurt Weiske <nospam.Kurt.Weiske@f1.n770.z16309.fidonet.org> wrote:

Kees Nuyt wrote to Deloptes <=-

Nowadays it's easy to set up a VPN server with
PiVPN <https://pivpn.io/>

Many appliance routers can run DD-WRT or OpenWRT, and it can act as a
OpenVPN client or server. I'm about to order a Pi, though, and PiVPN
looks like a nice tool to use instead - and to get familiar with the
Pi.

The one thing I've been trying to figure out is how to use OpenVPN to
route selected traffic through a local node but route the rest over
the internet. Netflix doesn't like VPNs, and I want to be able to get
local TV stations outside of my area with an app that limits
available channels to your local area. I'm hoping it's easier to set
up than with DD-WRT.

I think a proxy would be easier, if you have some sort of presence in
the required area of course.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Kurt Weiske <nospam.Kurt.Weiske@f1.n770.z16310.fidonet.org> wrote:

Axel Berger wrote to Chris Green <=-

Chris Green wrote:

I do that by using a simple proxy setup, one-liner ssh command,
configure Firefox to use the proxy and it's done.

It's me, there's a lot I don't know about networks, but I do not understand that sentence at all, not one little bit.

The SSH protocol allows for port forwarding, which allows network
traffic to be routed over it. Connect via SSH to one of the machines
in your university, configure SSH port forwarding, and with a little
work all web traffic will go over the ssh tunnel to your university
and appear to come from your university instead of your home.

It's a little deep to try and explain off the top of my head, there
are a lot of tutorials on the web that'll explain it better than I
can.

In my case I often use it when I'm in France because my library and my
doctor both require a uk 'user'. So, on my laptop in France I simply
do:-

ssh -C2qTnN -D 8080 <somewhere where I have an ssh login in the UK>

Then in firefox Network Settings simply tell it to use port 8080 as
the proxy address, job done!

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Kurt Weiske wrote:

Connect via SSH to one of the machines
in your university, configure SSH port forwarding, and with a little
work all web traffic will go over the ssh tunnel to your university
and appear to come from your university instead of your home.

Not for me then. Our university offers a VPN for all students but I have
no access to any of its actual computers.


--
/�\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
\ / HTML | Roald-Amundsen-Stra�e 2a Fax: +49/ 221/ 7771 8069
�X in | D-50829 K�ln-Ossendorf http://berger-odenthal.de
/ \ Mail | -- No unannounced, large, binary attachments, please! --

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)