MikeDB
Posts: 1364
Joined: Sun Oct 12, 2014 8:27 am

Running a personal VPN

Thu Oct 06, 2022 8:40 am

I want to place a small server at a friend's apartment in New York so I can have a private VPN back to the UK that nobody can detect is a VPN, as they eventually do with NordVPN etc. Totally non-computer literate person at that end so it must be plug in to mains and Ethernet to the router and leave. Thinking of a Pi4 running OpenVPN but there seems to be lots of different and often conflicting opinions on YouTube et al on what is the best way to do this. Anybody done this and, if so, any gotchas when setting it up or running it long term?

Thanks in advance
Always interested in innovative audio startups needing help and investment. Look for InPoSe Ltd or Future Horizons on LinkedIn to find me (same avatar photograph)

epoch1970
Posts: 8168
Joined: Thu May 05, 2016 9:33 am
Location: France

Re: Running a personal VPN

Thu Oct 06, 2022 9:26 am

Safe choice I think, don’t expect crazy performance.

The thing with openvpn is its usual reliance on certificates (system date has to be correct), which do expire. And when you’ve let them elapse, the door is closed and there is no way to update the remote endpoint through the tunnel. Happens to me *all the time*, so it could be me.
On the flip side, IP management for the endpoints can be almost non-existent since authentication uses certificates information.

Bridged mode is user-friendly, you can tell remote users to plug a cable into a designated port or connect to a designated AP, and they land on the network you manage on your side. In this mode you can also use a preshared key alone, if you too have problems with certificate management.

In either case I’m talking about permanent tunnels that are designed to be up all the time, and don’t require a password to start up. Everybody would detect there is a tunnel, there.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

itsmedoofer
Posts: 594
Joined: Wed Sep 25, 2013 8:43 am
Location: Canterbury, Kent, UK

Re: Running a personal VPN

Thu Oct 06, 2022 9:32 am

Hi,

I have PiVPN running on a Pi2. In theory you could do 99% of the configuration at your location and then send them the device to plug in; probably the only thing they would need to do is set up port forwarding on their router.

If not, I would suggest PiVPN is simple enough that you could talk them through on the phone...

https://pivpn.io

jbudd
Posts: 2078
Joined: Mon Dec 16, 2013 10:23 am

Re: Running a personal VPN

Thu Oct 06, 2022 11:26 am

I want to place a small server at a friend's apartment in New York so I can have a private VPN back to the UK that nobody can detect is a VPN
No idea if this suggestion meets the requirement of being undetectable. It's fairly simple to setup though.

Create a Zerotier account at zerotier.com.
Create your network id, choosing an IP range. I chose 192.168.192.xxx

Install Zerotier on any Raspberry Pies, PCs etc at each end and connect them to your network ID.
As each device first connects, authorise it on the Zerotier website.

Now you have a virtual network using the 192.168.192.xxx IP address range.
I use this to access my PiHole DNS server in England from South America.
I don't know if I could use it to get round region specific stuff like BBC iplayer, nor if GCHQ could tell it was there.

thagrol
Posts: 8160
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Running a personal VPN

Thu Oct 06, 2022 12:02 pm

It'll be easier if the remote Pi is a VPN client rather than VPN server. You won't have to configure your friend's router to allow incoming connections nor will you have to worry about finding their public IP address and things like CGNAT.

If your ISP doesn't give you a static public IP address you'll need to make use of a dynamic DNS service (e.g. https://www.duckdns.org/) too.

Then test, test, and test before you go to the expense of shipping anything.

And be aware that the network speeds will be limited by the upload bandwidth at the remote location. Which could be much less than their download bandwidth.

Lastly, once you have everything configured I strongly recommend enabling the read only overlay (via raspi-config) for the root partition and mounting the boot partition read only. Doing so will prevent damage to the SD card in the event of sudden power loss or other unclean shutdowns. And provide some mitigation against tampering.
Knowledge, skills, & experience have value. If you expect to profit from someone's you should expect to pay for them.

All advice given is based on my experience. It worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides

MikeDB
Posts: 1364
Joined: Sun Oct 12, 2014 8:27 am

Re: Running a personal VPN

Thu Oct 06, 2022 12:48 pm

thagrol wrote:
Thu Oct 06, 2022 12:02 pm
It'll be easier if the remote Pi is a VPN client rather than VPN server. You won't have to configure your friend's router to allow incoming connections nor will you have to worry about finding their public IP address and things like CGNAT.

If your ISP doesn't give you a static public IP address you'll need to make use of a dynamic DNS service (e.g. https://www.duckdns.org/) too.

Then test, test, and test before you go to the expense of shipping anything.

And be aware that the network speeds will be limited by the upload bandwidth at the remote location. Which could be much less than their download bandwidth.
She's got 45M down/15M up so no problem on bandwidth. But as a ballet dancer her technical limits are uploading an Instagram from an iPhone :-)

Running the client that end sounds interesting - I'll look into that thanks.
Always interested in innovative audio startups needing help and investment. Look for InPoSe Ltd or Future Horizons on LinkedIn to find me (same avatar photograph)

DougieLawson
Posts: 42288
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Running a personal VPN

Thu Oct 06, 2022 12:51 pm

You can run a VPN client over port 443. Then it looks no different to HTTPS stuff. It means the server can't do normal HTTPS stuff but you can work around that.
Languages using left-hand whitespace for syntax are ridiculous

DMs sent on https://twitter.com/DougieLawson or LinkedIn will be answered next month.
Fake doctors - are all on my foes list.

The use of crystal balls and mind reading is prohibited.

bls
Posts: 2699
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Running a personal VPN

Thu Oct 06, 2022 1:38 pm

I've been running strongSwan for several years with great success. It works really well on the Pi, and can be used both as a client/server VPN (for instance, Phone connecting to the VPN server), and a site-to-site or host-to-host VPN.

I use it primarily to get back to my home network when I'm out and about (the former), but I have helped others set up site-to-site VPNs, including over Starlink. BTW, helping others was done completely remotely, so I know that it would work for the scenario you've described.

I did a writeup on the top 3 VPNs a while ago. Worth reading: viewtopic.php?p=2007865#p2007865

The tool I use, https://github.com/gitbls/pistrong lets you set the Certificate lifetimes, so expiring certs isn't typically a problem. I presume that ovpn has a similar capability but I've not looked at it.

The one big win that strongSwan has over ovpn and wg at the moment is Client support. strongSwan support is included in all major OS (macOS, iOS, Windows, Linux, Android), but I'm pretty sure that ovpn and wg support is not (except for Linux of course). If you're connecting from client OS-powered devices, this could be a consideration.

Performance is comparable between the 3, although wg is the fastest, and ovpn is the slowest. There's a link to some performance information in the writeup I linked to above.

The big drawback to strongSwan is that it's an IPSEC VPN and uses ports 500 and 4500. As Dougie mentioned some VPNs can run over port 443, which has advantages in some cases.

There are several nuanced, but not huge insurmountable, issues in setting up a VPN. I encourage you to read the pistrong github, which discusses many of them. While it's written in the context of strongSwan, issues such as DDNS, firewalls, etc are similar across the VPN technologies.
Pi tools:
Quickly and easily build customized exactly as-you-want SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure IPSEC/IKEV2 VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

ejolson
Posts: 10212
Joined: Tue Mar 18, 2014 11:47 am

Re: Running a personal VPN

Thu Oct 06, 2022 1:57 pm

bls wrote:
Thu Oct 06, 2022 1:38 pm
The one big win that strongSwan has over ovpn and wg at the moment is Client support. strongSwan support is included in all major OS (macOS, iOS, Windows, Linux, Android), but I'm pretty sure that ovpn and wg support is not (except for Linux of course).
According to the installation guide

https://www.wireguard.com/install/

Wireguard also works on macOS, iOS, Windows, Linux and Android.

Being undetectable gets into the realm of data exfiltration techniques used in the landscape of spy-versus-spy cyber operations. It’s arguable that nation states shouldn’t be doing this and in my opinion obvious that individuals should not.

bls
Posts: 2699
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Running a personal VPN

Thu Oct 06, 2022 2:08 pm

ejolson wrote:
Thu Oct 06, 2022 1:57 pm
bls wrote:
Thu Oct 06, 2022 1:38 pm
The one big win that strongSwan has over ovpn and wg at the moment is Client support. strongSwan support is included in all major OS (macOS, iOS, Windows, Linux, Android), but I'm pretty sure that ovpn and wg support is not (except for Linux of course).
According to the installation guide

https://www.wireguard.com/install/

Wireguard also works on macOS, iOS, Windows, Linux and Android.

Being undetectable gets into the realm of data exfiltration techniques used in the landscape of spy-versus-spy cyber operations. It’s arguable that nation states shouldn’t be doing this and in my opinion obvious that individuals should not.
Yes, wg works on those platforms, but the support is not built into the OS as IPSEC (strongSwan) is. One needs to add additional software to use wg on these platforms.

I don't know about you, but I'm pretty conservative about mucking with network stacks on "closed" OS such as Windows, iOS, and macOS. My point was that you don't need to install ANY software on these systems for strongSwan, it's already built into the system, and it configures and works seamlessly.

Undoubtedly the drivers are fine, but it definitely gives me pause when a product says "just install this driver". Apps are one thing, but drivers and network stack are something different. YMMV.
Pi tools:
Quickly and easily build customized exactly as-you-want SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure IPSEC/IKEV2 VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

ejolson
Posts: 10212
Joined: Tue Mar 18, 2014 11:47 am

Re: Running a personal VPN

Thu Oct 06, 2022 2:24 pm

bls wrote:
Thu Oct 06, 2022 2:08 pm
ejolson wrote:
Thu Oct 06, 2022 1:57 pm
bls wrote:
Thu Oct 06, 2022 1:38 pm
The one big win that strongSwan has over ovpn and wg at the moment is Client support. strongSwan support is included in all major OS (macOS, iOS, Windows, Linux, Android), but I'm pretty sure that ovpn and wg support is not (except for Linux of course).
According to the installation guide

https://www.wireguard.com/install/

Wireguard also works on macOS, iOS, Windows, Linux and Android.

Being undetectable gets into the realm of data exfiltration techniques used in the landscape of spy-versus-spy cyber operations. It’s arguable that nation states shouldn’t be doing this and in my opinion obvious that individuals should not.
Yes, wg works on those platforms, but the support is not built into the OS as IPSEC (strongSwan) is. One needs to add additional software to use wg on these platforms.

I don't know about you, but I'm pretty conservative about mucking with network stacks on "closed" OS such as Windows, iOS, and macOS. My point was that you don't need to install ANY software on these systems for strongSwan, it's already built into the system, and it configures and works seamlessly.

Undoubtedly the drivers are fine, but it definitely gives me pause when a product says "just install this driver". Apps are one thing, but drivers and network stack are something different. YMMV.
I see your point. While additional software may be needed, WireGuard is notable for its simplicity; while built in, IPsec is notable for its complexity. Which offers better security is unknown; which is a better solution depends on the application.

I switched from IPsec to WireGuard soon after the latter came out and find it better for securing system-level NFS mounts between servers on a university network. At home it’s used to segment the QNAP NAS (a security risk promoted by the dog developer in the name of resilience through diversity). These uses are obviously different than the application suggested here.
Last edited by ejolson on Thu Oct 06, 2022 2:40 pm, edited 1 time in total.

bls
Posts: 2699
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Running a personal VPN

Thu Oct 06, 2022 2:38 pm

ejolson wrote:
Thu Oct 06, 2022 2:24 pm
I see your point. While additional software may be needed, WireGuard is notable for its simplicity; while built in, IPsec is notable for its complexity. Which offers better security is unknown; which is a better solution depends on the application.

I switched from IPsec to WireGuard soon after the latter came out and find it better for securing system-level NFS mounts between servers on a university network. That’s obviously different than the application suggested here.
Absolutely agree that the choice of VPN technology is usage-dependent. The top 3 technologies each have strengths and weaknesses, so understanding what you're trying to accomplish, and what technology helps do that the best is pretty important.

Although I haven't installed and used WireGuard (too many other projects :roll: ), I have spent time looking at it, and it looks very impressive. My sense is that it's better for site-to-site or server-to-server VPNs than client/server, but that's just an early outside-looking-in perspective.

As far as the complexity issue, indeed, ipsec has a ton of controls. The good news is that most can be completely ignored by most readers in this forum by using a tool that masks virtually all the complexity. My sense is that a lot of the ipsec complexity is for interoperability between various ipsec VPN vendors.

It's quite easy to set up an ipsec VPN; in fact, most people can do it in less than an hour using the tool I mentioned above. Similar tools (pivpn, etc) exist for ovpn and wg, of course. My point is that ipsec complexity isn't visible for people running home VPN servers.
Pi tools:
Quickly and easily build customized exactly as-you-want SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure IPSEC/IKEV2 VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

ejolson
Posts: 10212
Joined: Tue Mar 18, 2014 11:47 am

Re: Running a personal VPN

Thu Oct 06, 2022 2:42 pm

bls wrote:
Thu Oct 06, 2022 2:38 pm
ejolson wrote:
Thu Oct 06, 2022 2:24 pm
I see your point. While additional software may be needed, WireGuard is notable for its simplicity; while built in, IPsec is notable for its complexity. Which offers better security is unknown; which is a better solution depends on the application.

I switched from IPsec to WireGuard soon after the latter came out and find it better for securing system-level NFS mounts between servers on a university network. That’s obviously different than the application suggested here.
Absolutely agree that the choice of VPN technology is usage-dependent. The top 3 technologies each have strengths and weaknesses, so understanding what you're trying to accomplish, and what technology helps do that the best is pretty important.

Although I haven't installed and used WireGuard (too many other projects :roll: ), I have spent time looking at it, and it looks very impressive. My sense is that it's better for site-to-site or server-to-server VPNs than client/server, but that's just an early outside-looking-in perspective.

As far as the complexity issue, indeed, ipsec has a ton of controls. The good news is that most can be completely ignored by most readers in this forum by using a tool that masks virtually all the complexity. My sense is that a lot of the ipsec complexity is for interoperability between various ipsec VPN vendors.

It's quite easy to set up an ipsec VPN; in fact, most people can do it in less than an hour using the tool I mentioned above. Similar tools (pivpn, etc) exist for ovpn and wg, of course. My point is that ipsec complexity isn't visible for people running home VPN servers.
Since the Pi doesn’t have hardware AES instructions, what cypher do you recommend for IPsec on a Pi?

thagrol
Posts: 8160
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Running a personal VPN

Thu Oct 06, 2022 2:49 pm

Guys, I suspect a factor in the choice is what the OP actually wants to do. Which they haven't said.

Combine the networks in both locations into one?
Allow access between both networks without joining them into one subnet?
Provide an exit node for their local machine to the internet at the remote location (e.g. to circumvent geoblocking on web sites or streaming services) with no other access between devices on the two networks?

It's my experience that wireguard won't be the best choice for the first of those as it operates too high up in the network stack to be part of a bridge.
Knowledge, skills, & experience have value. If you expect to profit from someone's you should expect to pay for them.

All advice given is based on my experience. It worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides

ejolson
Posts: 10212
Joined: Tue Mar 18, 2014 11:47 am

Re: Running a personal VPN

Thu Oct 06, 2022 3:09 pm

thagrol wrote:
Thu Oct 06, 2022 2:49 pm

It's my experience that wireguard won't be the best choice for the first of those as it operates too high up in the network stack to be part of a bridge.
That’s right. WireGuard provides a guarantee that every IP number associated with the VPN has been cryptographically verified, so you can’t make a bridge. You can, however, route packets over WireGuard to connect two private networks.

bls
Posts: 2699
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Running a personal VPN

Thu Oct 06, 2022 3:55 pm

ejolson wrote:
Thu Oct 06, 2022 2:42 pm

Since the Pi doesn’t have hardware AES instructions, what cypher do you recommend for IPsec on a Pi?
In the case of client/server VPNs, you're typically constrained by the ciphers supported by the client OS. Apple and Microsoft are quite restrictive in the ciphers they support for ipsec. pistrong is quite prescriptive about this, although you can easily edit the tunnel config files to change the ciphers if desired.

There's obviously more flexibility when using a server-to-server VPN and you control both ends of the VPN, such as Linux on either end.

I have had a TODO item for my tool, "In-depth crypto performance/security tradeoff evaluation", that I've made exactly zero progress on. I keep hoping someone who is interested in this will take it up, but so far, no luck :roll:

I've found that RDP over the VPN (on a Pi4) from a Win10/Win11 laptop connecting to a Windows desktop at home provides quite good interactive performance, and it uses AES. Pulling down large files from home to my remote device can be a bit slow, but not in the "I hate this performance" range.

I do have an x64 system that I could use to run the VPN, and I have run it there in the past, but I favor the ease of rebuilding Pi systems over getting the highest VPN performance. I swapped from the x64 to a Pi4 when the Pi4 came out and haven't regretted it.
Pi tools:
Quickly and easily build customized exactly as-you-want SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure IPSEC/IKEV2 VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

bls
Posts: 2699
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Running a personal VPN

Thu Oct 06, 2022 3:57 pm

thagrol wrote:
Thu Oct 06, 2022 2:49 pm
Guys, I suspect a factor in the choice is what the OP actually wants to do. Which they haven't said.

Combine the networks in both locations into one?
Allow access between both networks without joining them into one subnet?
Provide an exit node for their local machine to the internet at the remote location (e.g. to circumvent geoblocking on web sites or streaming services) with no other access between devices on the two networks?

It's my experience that wireguard won't be the best choice for the first of those as it operates too high up in the network stack to be part of a bridge.
Agree that it would be very helpful for OP to discuss how they want to use the VPN, as I said before "the choice of VPN technology is usage-dependent".
Pi tools:
Quickly and easily build customized exactly as-you-want SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure IPSEC/IKEV2 VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

MikeDB
Posts: 1364
Joined: Sun Oct 12, 2014 8:27 am

Re: Running a personal VPN

Thu Oct 06, 2022 10:13 pm

bls wrote:
Thu Oct 06, 2022 3:57 pm
Agree that it would be very helpful for OP to discuss how they want to use the VPN, as I said before "the choice of VPN technology is usage-dependent".
Don't want to go into too many details but basically we've lost our person in the US who subscribed to various sites for us and need a temporary work-around until Florida is put back together again.
Last edited by MikeDB on Thu Oct 06, 2022 10:47 pm, edited 1 time in total.
Always interested in innovative audio startups needing help and investment. Look for InPoSe Ltd or Future Horizons on LinkedIn to find me (same avatar photograph)

epoch1970
Posts: 8168
Joined: Thu May 05, 2016 9:33 am
Location: France

Re: Running a personal VPN

Thu Oct 06, 2022 10:37 pm

Make the U.S. Pi a router running a client openvpn process.
When connected to the UK, have the client share its local network and default route. A client in the UK will exit to the internet from the U.S.
You can simulate all that on a LAN with a few cables, an isp box and a smartphone.

You’ll be using 1/3 party LAN and internet access, just as a pirate would; make sure your friend is friendly.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

bls
Posts: 2699
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Running a personal VPN

Thu Oct 06, 2022 10:55 pm

Things to check on when considering a VPN:
  • Need a static public IP address or DDNS
  • Server side cannot be behind CGNAT
  • Router at the server end can do port forward to the VPN server if/as needed
And...management Plan B: If the VPN Server is remote, you may want to enable cert-only ssh access into the VPN server so you can do remote administration if the VPN server is being feisty.
Pi tools:
Quickly and easily build customized exactly as-you-want SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure IPSEC/IKEV2 VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

trejan
Posts: 5109
Joined: Tue Jul 02, 2019 2:28 pm

Re: Running a personal VPN

Thu Oct 06, 2022 11:09 pm

If this is only for infrequent use and you've already got a server elsewhere then a reverse SSH proxy is simple and easy. Run a SOCKS server on the remote Pi then tunnel to that over the SSH connection. It is also handy as a backup way to get into a remote device.

No requirement for the endpoint to have a public or static IP and no ports need to be opened.

Create an sshproxy user on both the Pi and the server. Generate an SSH keypair on the Pi for the sshproxy user. Add the public key to the authorized_keys file on the server for the sshproxy user. Add the service below and start/enable it. Change the port and server address to suit.

[Unit]
Description=Reverse SSH proxy
# After= only orders the unit; Wants= actually pulls the target in so the
# first connection attempt waits for the network to be up.
Wants=network-online.target
After=network-online.target
# Never stop retrying; this directive belongs in [Unit], not [Service].
StartLimitBurst=0

[Service]
Type=simple
# ServerAlive* make ssh notice a silently dropped connection (NAT timeout,
# router reboot) and exit so Restart= can rebuild the tunnel; without them a
# dead session can hang for hours. ExitOnForwardFailure makes a failed -R bind
# (port still held by a stale session) fatal instead of leaving a useless
# connection up. Host key checking is intentionally disabled, see below.
ExecStart=/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -N -R *:8001:localhost:22 sshproxy@example.com
User=sshproxy
Group=sshproxy
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
SSHing into your server on the chosen port is equivalent to SSHing into the remote Pi. Host key checking is intentionally disabled just in case you do reinstall the server etc...
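
Two checks worth having around the unit above, as an added example rather than trejan's code: a server-side audit of where the reverse port really listens (with sshd's GatewayPorts at its default the *:8001 bind lands on loopback only; if it is enabled, the Pi's sshd becomes reachable from the whole internet through the server), and the UK-side client command that jumps through the server's sshd and uses ssh's built-in -D SOCKS listener instead of a separate SOCKS server on the Pi. The `ss` tool, the `remote-pi` host key alias and the sample listener lines are assumptions of this example, not taken from the post.

```shell
#!/bin/sh
# Added example, not trejan's code: audit the reverse tunnel port from the
# unit above on the server, and build the matching client command for the UK end.
# Assumptions (not from the post): iproute2's `ss` is installed on the server,
# the unit's -R port is 8001, and the Pi account is "sshproxy" as in the post.

REVERSE_PORT=8001

# Constructed sample `ss -ltnH` output for the three states an operator should
# recognise (loopback-only, exposed on a public interface, tunnel down).
SAMPLE_SAFE='LISTEN 0 128 127.0.0.1:8001 0.0.0.0:*
LISTEN 0 128 [::1]:8001 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:8001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_DOWN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Classify where the reverse-tunnel port is listening, given text in `ss -ltnH`
# format (one socket per line, local address:port in column 4).
# Exit status: 0 = loopback only (sshd default, GatewayPorts no),
#              1 = bound on a non-loopback address: the Pi's sshd is reachable
#                  from the internet through the server,
#              2 = no listener at all: the reverse tunnel is not up.
classify_listener() {
    printf '%s\n' "$1" | awk -v port="$REVERSE_PORT" '
        {
            n = split($4, a, ":"); p = a[n]
            if (p != port) next
            if ($4 ~ /^(127\.0\.0\.1|\[::1\]):/) found = 1
            else exposed = 1
        }
        END { if (exposed) exit 1; if (found) exit 0; exit 2 }'
}

# One-line verdict for a log or a cron mail, derived from classify_listener.
describe_listener() {
    rc=0
    classify_listener "$1" || rc=$?
    case $rc in
        0) echo "ok: port $REVERSE_PORT is loopback-only; reach it via the server's sshd" ;;
        1) echo "WARNING: port $REVERSE_PORT is exposed on a public interface (GatewayPorts?)" ;;
        *) echo "DOWN: nothing listening on port $REVERSE_PORT; reverse tunnel is not up" ;;
    esac
}

# Client command for the UK end: -J jumps through the server's sshd, the
# destination localhost:8001 is resolved on the server (the reverse port), and
# -D opens a local SOCKS listener that exits via the Pi. HostKeyAlias pins the
# Pi's host key under a stable name instead of an ambiguous "[localhost]:8001"
# entry, so this hop keeps host key checking on.
tunnel_command() {
    # $1: server hostname, $2: local SOCKS port to open
    printf 'ssh -J sshproxy@%s -p %s -o HostKeyAlias=remote-pi -N -D %s sshproxy@localhost\n' \
        "$1" "$REVERSE_PORT" "$2"
}

# Stand-alone use on the server:
#   ./tunnel-check.sh audit                  -> inspect the live listener table
#   ./tunnel-check.sh client example.com 1080 -> print the client command
case "${1:-}" in
    audit)  describe_listener "$(ss -ltnH)" ;;
    client) tunnel_command "$2" "${3:-1080}" ;;
esac
```

The audit is worth running once the unit has connected and again after any sshd change on the server, since flipping GatewayPorts silently turns the loopback-only port into a public one.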

thagrol
Posts: 8160
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Running a personal VPN

Thu Oct 06, 2022 11:25 pm

MikeDB wrote:
Thu Oct 06, 2022 10:13 pm
bls wrote:
Thu Oct 06, 2022 3:57 pm
Agree that it would be very helpful for OP to discuss how they want to use the VPN, as I said before "the choice of VPN technology is usage-dependent".
Don't want to go into too many details but basically we've lost our person in the US who subscribed to various sites for us and need a temporary work-around until Florida is put back together again.
So working around geoblocking then. I'm fairly ambivalent about that but others (including ISPs and service providers) may not be.

If the data volume is low and you're not worried about latency have you considered using the TOR network (or browser) with an exit node in the US?
Knowledge, skills, & experience have value. If you expect to profit from someone's you should expect to pay for them.

All advice given is based on my experience. It worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides

pidd
Posts: 4149
Joined: Fri May 29, 2020 8:29 pm
Location: Wirral, UK

Re: Running a personal VPN

Fri Oct 07, 2022 12:35 am

If you just want to work around geoblocking the easiest way is to purchase a normal VPN service like NordVPN or Surfshark etc.

I use Surfshark on my Pi with their Chromium extension and have a choice of loads of locations around the world, including Tampa and Orlando. Works on PCs, iPhones and most devices. Setting up was easy. I've never had a problem with speed, never mind which country I hop through. It's about £40 for 12 months or £50 for 24 months.

I think NordVPN is generally better rated but I don't see how it could be better than what I have.

The only device where it is harder to set up is my Amazon Fire Tablet; I think that has to use OpenVPN to access Surfshark.

EDIT: I don't think any UK ISPs block VPNs.

ejolson
Posts: 10212
Joined: Tue Mar 18, 2014 11:47 am

Re: Running a personal VPN

Fri Oct 07, 2022 2:54 pm

trejan wrote:
Thu Oct 06, 2022 11:09 pm
If this is only for infrequent use and you've already got a server elsewhere then a reverse SSH proxy is simple and easy. Run a SOCKS server on the remote Pi then tunnel to that over the SSH connection. It is also handy as a backup way to get into a remote device.

No requirement for the endpoint to have a public or static IP and no ports need to be opened.

Create an sshproxy user on both the Pi and the server. Generate an SSH keypair on the Pi for the sshproxy user. Add the public key to the authorized_keys file on the server for the sshproxy user. Add the service below and start/enable it. Change the port and server address to suit.

[Unit]
Description=Reverse SSH proxy
# After= only orders the unit; Wants= actually pulls the target in so the
# first connection attempt waits for the network to be up.
Wants=network-online.target
After=network-online.target
# Never stop retrying; this directive belongs in [Unit], not [Service].
StartLimitBurst=0

[Service]
Type=simple
# ServerAlive* make ssh notice a silently dropped connection (NAT timeout,
# router reboot) and exit so Restart= can rebuild the tunnel; without them a
# dead session can hang for hours. ExitOnForwardFailure makes a failed -R bind
# (port still held by a stale session) fatal instead of leaving a useless
# connection up. Host key checking is intentionally disabled, see below.
ExecStart=/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -N -R *:8001:localhost:22 sshproxy@example.com
User=sshproxy
Group=sshproxy
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
SSHing into your server on the chosen port is equivalent to SSHing into the remote Pi. Host key checking is intentionally disabled just in case you do reinstall the server etc...
Another advantage of ssh tunnels is they tend to blend in better with other traffic and so satisfy the undetectable desire a little better than WireGuard or IPsec.

My opinion is geoblocking clearly goes against the original design goals of the Internet and there should be regulatory provisions to prevent it. In particular, blocks based on ethnicity, nationality, location and so forth have human-rights implications that are likely to get worse if not legally addressed.

From another point of view, the legitimate need for security and privacy provided by a VPN is so important that using one to circumvent geoblocking is unproductive.

While it doesn't seem like an emergency at the moment, maybe there needs to be a discussion whether any geoblocking is a good idea before neural networks are widely deployed that determine who can access what resources.

thagrol
Posts: 8160
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Running a personal VPN

Fri Oct 07, 2022 8:17 pm

ejolson wrote:
Fri Oct 07, 2022 2:54 pm
My opinion is geoblocking clearly goes against the original design goals of the Internet and there should be regulatory provisions to prevent it. In particular, blocks based on ethnicity, nationality, location and so forth have human-rights implications that are likely to get worse if not legally addressed.

From another point of view, the legitimate need for security and privacy provided by a VPN is so important that using one to circumvent geoblocking is unproductive.

While it doesn't seem like an emergency at the moment, maybe there needs to be a discussion whether any geoblocking is a good idea before neural networks are widely deployed that determine who can access what resources.
In principle I agree with you. Particularly when blocks are based on things like ethnicity, religion, and politics. I agree on the privacy and security issues too.

Unfortunately, while content owners continue to have different distribution arrangements in different territories, countries continue to have different copyright laws, and countries continue to have different moral standards, we're going to be stuck with geoblocking.

Especially while rights holders like the MPAA and RIAA have the money and influence that they do (remember Napster? the recent changes to remove common carrier protections from ISP in the USA?)

TL;DR: state sponsored/mandated geoblocking = bad. Content owners opting to block access from some territories = it's their choice and their right to do so.

And don't forget that the internet was never designed to be what it is today. It's been cobbled together over the decades.
Knowledge, skills, & experience have value. If you expect to profit from someone's you should expect to pay for them.

All advice given is based on my experience. It worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides
