However, for EC2 Linux instances you'll need to enable IP forwarding by disabling Source/Destination Check for the instance in addition to setting net.ipv4.ip_forward=1 for the VM.
Also EC2 uses layered security, so you may have OS level packet filter, then NACLs (if used - stateless), finally Security Groups (stateful).
I run a pfsense router for fun at my house and it has a really nice UI/wizard for OpenVPN. Even got it hooked up with AD login + certificates without much trouble.
Having a GUI can make playing with it really fun and easy. I spent yesterday toggling through all the different encryption methods to see how they effected mobile performance (turns out: it effects it a LOT. Don't encrypt stronger than necessary!)
Probably a silly question but what will I do with this?
I have a personal DO OpenVPN proxy setup because my country (Pakistan) censors internet, which I made following the DO guide [1]. I set it up a while ago, and it was mostly copying commands.
Will this allow me to use Tunnelblink and use my VPN as a proxy? Will it let me connect my machines to each other a VPN? What's the motivation for a setup like this.
Only traffic destined to the subnet in encryption domain go through the VPN connection (you can check IP routing table and identify that - interface should be tun0 or equivalent).
In case of OpenVPN remote access use case, you may have to route all traffic through the VPN connection (TunnelBlick has an option for you to tick, or you'll have to generate a new client config file), you also need proper NAT rules in place on the OpenVPN server.
To achieve what you want, blocked sites over VPN and unblocked via your ISP, extra effort may be needed, e.g. by poking around routing table and/or using dnsmasq.
I made a project like this as well, but with Ansible. I submitted a separate post for that but won't link it here out of courtesy. https://github.com/robbintt/popup-openvpn
The open VPN container is amazing. Definitely worth a look. If you commands and you'll get service plus an auto-login profile that is about as easy to use as possible.
It doesn't need to be CoreOS, it can be any docker host.
I've been using pivpn[0] for about a year now (first on a raspi, and now on ubuntu 16.04 server). Wraps all the basic commands like client cert gen and revocation. Many sensible defaults.
by only looking at the source (haven't installed it) I'm guessing this leaks ipv6 addresses and probably shouldn't be used. this is the second openvpn install script to match that description today.
In the past, I've had a habit of passing "ipv6.disable=1" (a.k.a. the "nuclear option") to the kernel on hosts I manage. I'm trying to get away from that, though, and lately, I've simply been dropping "everything IPv6" in my rulesets to avoid things like this.
Do anyone know about a good user friendly OpenVPN client for Windows? The official one requires a lot of fiddling with administrator permissions to work, which most non tech people have no chance to do successfully.
IKEv{1,2} + IPsec (tunnel mode) is recommended. strongSwan is probably the best free, open source IPsec solution out there (much better than libreswan...), very good documentation and examples etc, actively developed and maintained by a bunch of passionate guys that knows the stuff.
Our company (pre-IPO startup) has been using strongSwan for 2+ years as site-to-site solution from on-premises data centres to AWS VPC, proved to be rock solid as long as it's properly configured ;-) The only drawback is that strongSwan currently does not have a mature HA solution but it's shaping up (5.4.0 introduced IKEv2 redirect). Hopefully a proper HA solution will be built on top of that and later productized ;-)
BTW: I myself have been using strongSwan since 5.0.x for remote access, to protect privacy, fight censorship (yes, originally from China mainland where GFW is in place, etc...). The native strongSwan client for Android is a killer ;-)
My experience with openvpn is abysmal. It is slow, tunnels tcp-over-tcp the wrong way[0], tunnels udp-over-tcp the wrong way, and the connections were quite fargile.
Does anyone have alternatives to recommend? SoftEther looks like the bees knees from the website, but I haven't found trustworthy reviews from real users.
SSH Tunnel - Dynamic (port) Forwarding works, it can even be shared by IPs within the same network (ssh -g on clients / GatewayPorts yes on sshd) but it requires per application configuration (set as SOCKS5 proxy, Firefox requires extra configuration to use remote host to do dns lookups by setting -> network.proxy.socks_remote_dns yes).
In countries like China (and more) where massive state-sponsored Internet censorship is in place, the unusual SSH traffic pattern can be easily detected and IPs of the SSH server blocked in less than a hour. That's why IPsec (strongSwan) and OpenVPN start to become popular among Chinese netizens and skills have been developed (networking, security etc...) LoL
35 comments
[ 1.8 ms ] story [ 89.5 ms ] threadHowever, for EC2 Linux instances you'll need to enable IP forwarding by disabling Source/Destination Check for the instance in addition to setting net.ipv4.ip_forward=1 for the VM.
Also EC2 uses layered security, so you may have OS level packet filter, then NACLs (if used - stateless), finally Security Groups (stateful).
For example https://hub.docker.com/r/siomiz/softethervpn/ outputs the config file to stdout so you can just run it, get the config with docker logs and connect.
Having a GUI can make playing with it really fun and easy. I spent yesterday toggling through all the different encryption methods to see how they effected mobile performance (turns out: it effects it a LOT. Don't encrypt stronger than necessary!)
I have a personal DO OpenVPN proxy setup because my country (Pakistan) censors internet, which I made following the DO guide [1]. I set it up a while ago, and it was mostly copying commands.
Will this allow me to use Tunnelblink and use my VPN as a proxy? Will it let me connect my machines to each other a VPN? What's the motivation for a setup like this.
[1]: https://www.digitalocean.com/community/tutorials/how-to-set-...
In case of OpenVPN remote access use case, you may have to route all traffic through the VPN connection (TunnelBlick has an option for you to tick, or you'll have to generate a new client config file), you also need proper NAT rules in place on the OpenVPN server.
To achieve what you want, blocked sites over VPN and unblocked via your ISP, extra effort may be needed, e.g. by poking around routing table and/or using dnsmasq.
That said, this is a great write-up and I'm sure very helpful to those that need to set up a more custom/mission critical development.
It doesn't need to be CoreOS, it can be any docker host.
You can get an openvpn container on dply.co in 1-2 minutes, and you use it for free...
Why? Oh why?
But it's downloading stuff via HTTP, so certificate verification doesn't help that much.
https://daniel.haxx.se/docs/curl-vs-wget.html
Sigh.
[0] https://github.com/pivpn/pivpn
depending on your server environment you'll want to use ip6tables with essentially the same commands as iptables, substituting for ipv6 addresses.
0. https://community.openvpn.net/openvpn/wiki/IPv6
Thanks.
In the past, I've had a habit of passing "ipv6.disable=1" (a.k.a. the "nuclear option") to the kernel on hosts I manage. I'm trying to get away from that, though, and lately, I've simply been dropping "everything IPv6" in my rulesets to avoid things like this.
IKEv{1,2} + IPsec (tunnel mode) is recommended. strongSwan is probably the best free, open source IPsec solution out there (much better than libreswan...), very good documentation and examples etc, actively developed and maintained by a bunch of passionate guys that knows the stuff.
Our company (pre-IPO startup) has been using strongSwan for 2+ years as site-to-site solution from on-premises data centres to AWS VPC, proved to be rock solid as long as it's properly configured ;-) The only drawback is that strongSwan currently does not have a mature HA solution but it's shaping up (5.4.0 introduced IKEv2 redirect). Hopefully a proper HA solution will be built on top of that and later productized ;-)
BTW: I myself have been using strongSwan since 5.0.x for remote access, to protect privacy, fight censorship (yes, originally from China mainland where GFW is in place, etc...). The native strongSwan client for Android is a killer ;-)
HTH
Does anyone have alternatives to recommend? SoftEther looks like the bees knees from the website, but I haven't found trustworthy reviews from real users.
[0] http://sites.inka.de/bigred/devel/tcp-tcp.html
I use putty tunneling+proxifier (on windows) and a python script on my ubuntu box (The name is escaping me at the moment).
It's very simple to setup, doesn't require a ton of configuration, and can be just a secure as a VPN connection.
I've never been a fan of OpenVPN. Configuration is cumbersome and performance wasn't that great.
NOTE: some tips written down previously ;-) https://sites.google.com/site/imterry/computer/tools/ssh
In countries like China (and more) where massive state-sponsored Internet censorship is in place, the unusual SSH traffic pattern can be easily detected and IPs of the SSH server blocked in less than a hour. That's why IPsec (strongSwan) and OpenVPN start to become popular among Chinese netizens and skills have been developed (networking, security etc...) LoL