Joe wrote:
> >
> > If my router supports VPN (which it does, a Draytek 2860N) and I
> > enable it what else needs to happen to make it useful?
>
> It depends on the type of VPN. Some like OpenVPN are normally secured
> by certificates, some just by password. They will often need a key at
> both ends for use in the symmetrical encryption. Asymmetrical encryption
> can be provided by the certificate, but that is generally too slow to
> have a decent performance.
>
I guess that's part of my issue with all this. I don't need speed;
all I need is something fast enough to handle interactive terminal
usage. Neither do I need security; the remote system has no personal
information on it at all. The only data to be stolen is temperatures,
voltages and other measurements on my boat.
All I need is a reliable piece of wet string between me and the SBC on
the boat. :-)
> > ... and what
> > does my LAN behind the router look like, is it *all* on the VPN by
> > default or what? ... and how do I connect a remote system to the VPN?
> >
> >
> If the router is the endpoint, then all the LAN is potentially
> available to the client. If the router has a decent firewall user
> interface, then access can be tailored so that only certain LAN
> computers are visible. Ideally the router should connect to the LAN via
> a separate firewall computer running iptables or nftables, which allow
> very fine-grained control in forwarding. Of course, the LAN computer
> firewalls can also permit packets on only certain ports when arriving
> from the router.
>
I don't need or want any of that; the remote machine doesn't need to
be able to see my home LAN at all. It's the other direction I need.
> > ... and how do I connect a remote system to the VPN?
>
> Give the VPN client the public IP address or hostname, and tell it to
> connect. Network Manager works fairly well these days, and has plugins
> for some VPNs.
It's a headless system so command line only and I want it to be able
to boot up into a connected state without any local interaction.
> Obviously arrange for the client to have any keys or
> certificates it requires. It is wise to have human intervention required
> e.g. to have a private key encrypted with a good passphrase which is not
> entrusted to the VPN client, so if the key becomes compromised it can
> be cancelled and replaced without much risk of intrusion. I keep
> OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
> lose a laptop, my home network is still safe, and if I lose the wallet,
> the encryption passphrase isn't stored on the stick.
>
Yes, VPNs aren't really designed for what I want to do, are they!
It's possible to use a VPN to get to what I want but it's hardly the
obvious/ideal way to do it.
I think in reality my existing setup (behind a WiFi NAT firewall)
using ssh tunnels is much closer to what I need than a VPN. It'll
work just as well behind a 3G/4G router that's NAT'ted.
--
Chris Green
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
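The ssh-tunnel setup Chris ends up preferring, written out as an added worked example (not part of the post or of anyone's actual configuration): the NAT'd boat SBC opens a reverse tunnel to a home host at boot, with no passphrase on its key because nobody is there to type one, and the home side compensates by restricting that key to the tunnel and nothing else. The names are assumptions: a home host "home.example.org" that is reachable from the internet (for instance through a port forward on the home router), a dedicated unprivileged "tunnel" account on it, a "boat-tunnel" account on the SBC, and home-side port 2222.

```sh
#!/bin/sh
# Added example (not from the original post): a boot-time reverse ssh tunnel
# from a NAT'd boat SBC to a home host, with the key restricted on the home
# side so that it cannot do anything except bring the tunnel up.
#
# Assumed names: home host "home.example.org", a dedicated unprivileged
# account "tunnel" on it, a dedicated "boat-tunnel" account on the SBC, and
# home-side listen port 2222. None of these come from the thread.

HOME_HOST="home.example.org"
HOME_USER="tunnel"
HOME_PORT="2222"                   # home-side port that leads back to the boat's sshd
KEY="/etc/boat-tunnel/id_ed25519"  # boat-side key, made once with:
                                   #   ssh-keygen -t ed25519 -N '' -f "$KEY" -C boat-tunnel
                                   # (no passphrase: the SBC must connect unattended)

# One line for ~tunnel/.ssh/authorized_keys on the HOME host.
#   restrict            no pty, no agent/X11 forwarding, no user rc files
#   port-forwarding     re-enable forwarding only
#   permitlisten        the -R listener may bind nothing but localhost:2222
#   command=/bin/false  any session request just exits
# Because the boat key has no passphrase, this line is the security boundary:
# deleting it revokes the key the moment it is suspected of being copied.
authorized_key_line() {
    pubkey="$1"                     # contents of id_ed25519.pub
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s\n' \
        "$HOME_PORT" "$pubkey"
}

# The ssh command the SBC runs at boot.
#   -N                    no remote shell, tunnel only
#   BatchMode=yes         never prompt (headless, nobody to answer)
#   ExitOnForwardFailure  if 2222 is still held by a dead session, exit so
#                         systemd restarts us instead of sitting "connected"
#   ServerAlive*          notice a dropped 3G/4G link within about 90 s
#   StrictHostKeyChecking the home host key must already be in known_hosts;
#                         an unknown key is an error, not a prompt
tunnel_cmd() {
    printf 'ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -i %s -R %s:localhost:22 %s@%s' \
        "$KEY" "$HOME_PORT" "$HOME_USER" "$HOME_HOST"
}

# systemd unit for the SBC (/etc/systemd/system/boat-tunnel.service):
# starts once the network is up and is restarted whenever ssh exits.
unit_file() {
    cat <<EOF
[Unit]
Description=Reverse ssh tunnel to $HOME_HOST
After=network-online.target
Wants=network-online.target

[Service]
User=boat-tunnel
ExecStart=$(tunnel_cmd)
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    home) authorized_key_line "$2" ;;  # ./tunnel.sh home "$(cat id_ed25519.pub)" >> ~tunnel/.ssh/authorized_keys
    boat) unit_file ;;                 # ./tunnel.sh boat > /etc/systemd/system/boat-tunnel.service
esac
```

From the home host the boat is then reached with `ssh -p 2222 <user>@localhost`, and nothing on the boat can see the home LAN. Two caveats a practitioner should check: `permitlisten` needs OpenSSH 7.8 or later on the home side, and a stale listener on 2222 is only released when the home sshd notices the old session is dead, so set `ClientAliveInterval 30` and `ClientAliveCountMax 3` in the home `sshd_config` to keep that wait short.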