VPN for node behind NAT?

I'd like to hear what solutions people have come up with for placing a
node behind NAT where port forwarding is not available, such as a
cellular CGN, public wifi hotspot, public agency's network controlled
by an IT department, etc. My experience with this is mostly using
RTCMs which work fine behind NAT and can connect out to my Asterisk
instance running in a datacenter. I am trying to substitute a URI and
RPi in this scenario.

Assuming this is a permanent, private link, I think these options are available:
- Set the RPi to connect to the hub on startup. If initiating the
connection from inside the NAT, I think it will allow traffic to flow
both ways?
- Install an OpenVPN server on the hub and OpenVPN client on the RPi.
Tunnel Asterisk traffic over OpenVPN.
- Reverse SSH tunnel. Set the hub to connect to the node on 127.0.0.2
or whatever I bind the tunnel to.

Has anyone tried any of these options? How did it perform? What other
options do I have? What am I missing?

Tom KD7LXL

Tom,

OpenVPN, running in UDP-tunnel mode, is typically my VPN solution of
choice for AllStar and it works great...

73, David KB4FXC

_______________________________________________
App_rpt-users mailing list
App_rpt-users@ohnosec.org
http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users

OpenVPN, running in UDP-tunnel mode, is typically my VPN solution of
choice for AllStar and it works great…

ditto… I use it for a variety of things, and we use it exclusively on our DMR network with Ubiquiti routers, works like a champ.

73

Stephen

K1LNX


Has anyone made any notes or videos on how to
install and configure both ends of OpenVPN, or is it “so easy,
even an idiot can do it”?

N5ZUA

I'm working through this tutorial now:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04
DigitalOcean usually has quality, generic tutorials for things like
this. So far, all of the commands and package names have been 100%
compatible with DIAL.

Tom KD7LXL


Okay, not completely true. I ignored the whole section on ufw, because
DIAL doesn't have ufw. Also, when you get to the point of starting the
service, rather than service openvpn start, the command on DIAL is:

systemctl start openvpn@server.service

This assumes your config file is /etc/openvpn/server.conf. For
/etc/openvpn/xxx.conf, you would do systemctl start
openvpn@xxx.service.

Tom KD7LXL
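A worked pair of configs for the layout from the first message (OpenVPN server on the hub, client on the RPi behind NAT, UDP tunnel mode), together with the config-name-to-unit mapping from the note above. This is an added example, not code from the thread or from DIAL; hub.example.net, the 10.8.0.0/24 tunnel subnet and the certificate file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or any project): hub-side and node-side
# OpenVPN configs for the UDP tunnel layout discussed above, plus the unit
# name mapping from Tom's note. hub.example.net, 10.8.0.0/24 and the file
# names are assumptions.

# /etc/openvpn/<name>.conf -> openvpn@<name>.service (what DIAL's systemd starts)
openvpn_unit() {
  printf 'openvpn@%s.service\n' "$(basename "$1" .conf)"
}

# Hub (public address): listens on UDP/1194, hands out tunnel addresses,
# requires client certificates and the shared tls-auth key.
hub_server_conf() {
  cat <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert hub.crt
key hub.key
dh dh2048.pem
tls-auth ta.key 0
remote-cert-tls client
keepalive 10 60
EOF
}

# Node (behind NAT): only ever initiates outbound, binds no local port, and
# pings every 10 s so the NAT keeps the UDP mapping open for hub->node traffic.
node_client_conf() {
  cat <<'EOF'
client
remote hub.example.net 1194 udp
nobind
dev tun
ca ca.crt
cert node.crt
key node.key
tls-auth ta.key 1
remote-cert-tls server
keepalive 10 60
EOF
}

# 0 if a config both keeps the NAT mapping alive and checks the peer's cert role.
check_nat_friendly() {
  printf '%s\n' "$1" | grep -q '^keepalive ' &&
  printf '%s\n' "$1" | grep -q '^remote-cert-tls '
}
```

Write the hub config to /etc/openvpn/server.conf and the node config to /etc/openvpn/node.conf, and the matching start commands are `systemctl start openvpn@server.service` and `systemctl start openvpn@node.service`.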


If you need a firewall, just use good ol' iptables or a package called Shorewall, both deliver good results. I am not a fan of UFW, as I found it to be counter-productive.

Here’s a good generator for iptables rules:

http://www.mista.nu/iptables/

What I do is drop these into a script and call it at startup.

73

Stephen

K1LNX
