Re: Need Some Help Configuring OpenVPN

Author: Mark Phillips via PLUG-discuss
Date:  
To: Michael Butash
CC: Mark Phillips, Main PLUG discussion list
Subject: Re: Need Some Help Configuring OpenVPN
Michael,

Thanks for all your good advice!

1. It seems that the Orbi VPN works out of the box if I use NetworkManager
(which is the gnome settings panel I mentioned). I just imported the client
file from my router into NetworkManager, and connected to the VPN and my
network. The Orbi client contains several certs in the config file and I
did not need to create my own.

2. ZeroTier is amazing! In 10 minutes I had three computers on my network
connected and could access them from off my network (i.e. my phone as a
hotspot). One question - do you disconnect from ZeroTier each time you quit
(i.e. zerotier-cli leave), or just leave it connected when you shutdown
your computer?

3. The Orbi routers (i.e. Netgear) have a web based interface, and I can
access that interface from anywhere (on or off my network) using a set of
login credentials. VPN and ZeroTier not needed. The Orbi routers and APs
work really well as a mesh network with wired or wifi backhaul.

4. Don't know if you have seen these -
https://www.amazon.com/Keep-Connect-Limited-Edition/dp/B09M31MZK5/ref=sr_1_3?crid=2GZHBQVUMKB1Y&keywords=keep+connect&qid=1684561692&sprefix=keep+connec%2Caps%2C151&sr=8-3&ufe=app_do%3Aamzn1.fos.006c50ae-5d4c-4777-9bc0-4513d670b6bc,
but they work really well to make my network self-healing. Cox goes up and
down in my area a lot, and these devices automatically detect when the
Internet is not working (ping and DNS tests), and reboot my router and
access points when needed.

Thanks again!

Mark

On Fri, May 19, 2023 at 10:41 AM Michael Butash <> wrote:

> Some comments:
>
> >> 1. I believe the client.ovpn file goes into /etc/openvpn/clients -
> correct?
> This is variable, depending on how you use your client. I'd say 99% of
> the time you'll want to use NetworkManager to do so, install the
> network-manager ovpn plugin and reproduce those settings as these are
> outside those client configurations.
>
> >> I use Cox as my Internet provider, so the remote xxxxx.hopto.org yyyyy should
> take care of my changing IP from Cox. Is that correct? I have an account
> with no-ip to track my changing IP from Cox.
> As long as dynamic dns is updating no-ip record, it should, but test with
> your IP directly if DNS isn't resolving for some reason.
>
> >> Should proto also have TCP?
> Use UDP normally; TCP over TCP is never a good thing (think duplication of
> SYN/ACK behavior).
>
> >> What should I call this file? Is it enabled by default since it is in
> the clients folder?
> This is normally used when daemonizing client in the OS, such as a
> persistent gateway connection (I do this with my firewall, opnsense to
> forward selective traffic out my Internet VPN). You'll want to normally
> use NetworkManager as stated above, which uses its own configuration stack.
>
> >> 2. Do I need to set up any special routes on my router to get from the
> outside to my server on port 22 for ssh?
> When connecting to your router, connect to the internal IP of the router
> (i.e. 192.168.1.1 or whatever), or setup internal dns for it.
>
> >> 3. In the gnome settings panel there is a VPN drop down under
> networking. Do I have to do anything with that?
> No idea, haven't used gnome since gnome3 ruined it. Just use
> NetworkManager, it will give you a wizard for setting up openvpn as a
> client, and give you an easy task menu icon to turn on/off as any vpn cisco
> or other.
>
> >> 4. What command do I use to connect to my server using the vpn? I don't
> want to use the VPN when I am on my network at home, just when I travel.
> Yet again, use NetworkManager as your client, unless you really want to
> invoke it via cli or as a daemon automatically, but these are likely NOT
> your use cases.
>
> Another comment re: certificates, not sure how your router contraption
> handles ovpn and certificates, you really need a basic Certificate
> Authority, and not sure most handle this well. When I've used ovpn on my
> netgear with ddwrt, I used TinyCA to create my own CA trust chain certs
> <https://opsec.eu/src/tinyca/>, and generate per-client certs based on
> that. Unless your router is handling the CA and client certificate
> creation reasonably, I'd suggest looking at tinyca as well, and just add
> the appropriate cert portions in the server and client configs.
>
> TL;DR - Any more, unless you're a legacy enterprise stuck in your ways luvin
> vpn long time and not up on networking, I'd look at using Zerotier or
> Tailscale these days. I just helped a partner in this same boat trying to
> get his accountants into his quickbook server, confused over setting up
> even a Cisco Meraki VPN, and rather than even try to troubleshoot Meraki
> garbage, I just set him up in a half hour using Zerotier, connected up two
> of his own boxes, and the rest of his team easily himself in the next
> hour. No fuss, no muss.
>
> Think of it as VPN without a gateway, rather persistent always-on VPN
> between hosts a la software-defined networking magic, if you want to connect
> to your router only, assuming it has or can install Zerotier on it
> (opnsense, ddwrt/openwrt do) that is easy, or before my router could do
> Zerotier direct, just connect to another box on my zerotier network at
> home, and bounce off that as a bastion host.
>
> Someone else mentioned Zerotier here recently - it's money!
>
> HTH!
>
> -mb
>
>
> On Fri, May 19, 2023 at 8:47 AM Mark Phillips via PLUG-discuss <> wrote:
>
>> I know there are a lot of articles about configuring OpenVPN on the
>> Internet, but I am having trouble finding one that fits my situation. I
>> believe I have all the pieces, just not sure how to put them all together.
>>
>> I have a Ubuntu 22.04 laptop connected to my local network with OpenVPN
>> installed. I have another Ubuntu 22.04 server on the same network. When I
>> travel, I would like to access the server over ssh. My router has OpenVPN
>> installed by default, so that seems to be a good solution. I downloaded the
>> preconfigured client .ovpn file from the router.
>>
>> 1. I believe the client.ovpn file goes into /etc/openvpn/clients -
>> correct?
>> The client file has this configuration, and then a lot of certificates:
>> client
>> dev tun
>> proto udp
>> remote xxxxx.hopto.org yyyyy #
>> resolv-retry infinite
>> nobind
>> persist-key
>> persist-tun
>> I use Cox as my Internet provider, so the remote xxxxx.hopto.org yyyyy should
>> take care of my changing IP from Cox. Is that correct? I have an account
>> with no-ip to track my changing IP from Cox.
>> Should proto also have TCP?
>> What should I call this file? Is it enabled by default since it is in the
>> clients folder?
>>
>> 2. Do I need to set up any special routes on my router to get from the
>> outside to my server on port 22 for ssh?
>>
>> 3. In the gnome settings panel there is a VPN drop down under networking.
>> Do I have to do anything with that?
>>
>> 4. What command do I use to connect to my server using the vpn? I don't
>> want to use the VPN when I am on my network at home, just when I travel.
>>
>> Thanks for your help!
>>
>> Mark
>> ---------------------------------------------------
>> PLUG-discuss mailing list:
>> To subscribe, unsubscribe, or to change your mail settings:
>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>
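As an added example (not from this thread and not written by any of its participants), here is a small Python linter that applies the points raised above to a client .ovpn file: is the config actually a client config, does `remote` carry a real numeric port rather than a leftover placeholder, is `proto` UDP rather than TCP, and are the CA, client cert and key present inline (as Mark found in the Orbi-generated file). The sample config is constructed to mirror the directives Mark quoted, with the placeholder remote and dummy certificate bodies; the `remote-cert-tls server` check is a standard OpenVPN hardening directive that I added as an assumption of good practice, not something the thread discusses.

```python
"""Lint an OpenVPN client .ovpn file against the checks discussed in the thread.

Added example; the sample config is constructed, with placeholder values.
"""
import re

# Constructed sample mirroring the directives quoted in the thread. The remote
# host/port and the certificate bodies are placeholders, not real data.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote xxxxx.hopto.org yyyyy #
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
"""

INLINE_TAG = re.compile(r"^<(/?)([a-z\-]+)>$")


def parse_ovpn(text):
    """Return (directives, inline_blocks).

    directives: list of (name, [args]) in file order, with '#'/';' comments
    stripped (OpenVPN treats both as comment markers).
    inline_blocks: dict mapping tag -> body for <ca>, <cert>, <key>, <tls-auth>, ...
    """
    directives, inline = [], {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_TAG.match(line)
        if m:
            closing, tag = m.group(1) == "/", m.group(2)
            if not closing:
                current, body = tag, []
            elif current == tag:
                inline[tag] = "\n".join(body)
                current = None
            continue
        if current is not None:          # inside an inline <tag> block
            body.append(line)
            continue
        if not line or line[0] in "#;":  # blank or full-line comment
            continue
        line = re.split(r"\s[#;]", line, maxsplit=1)[0].strip()  # trailing comment
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, inline


def lint_client_config(text):
    """Apply the thread's checks plus one hardening check; return a list of findings."""
    directives, inline = parse_ovpn(text)
    names = {name: args for name, args in directives}  # last occurrence wins
    findings = []
    if "client" not in names:
        findings.append("missing 'client': this is not a client config")
    remote = names.get("remote")
    if not remote:
        findings.append("missing 'remote': no server to connect to")
    elif len(remote) < 2 or not remote[1].isdigit():
        findings.append("'remote' has no numeric port (placeholder still in file?)")
    proto = (names.get("proto") or ["udp"])[0].lower()   # OpenVPN defaults to UDP
    if proto.startswith("tcp"):
        findings.append("proto is TCP: prefer UDP (TCP-over-TCP retransmission meltdown)")
    for tag in ("ca", "cert", "key"):
        if tag not in inline and tag not in names:
            findings.append(f"no <{tag}> block or '{tag}' directive: client cannot authenticate")
    # Assumed hardening check, not from the thread: without remote-cert-tls the
    # client accepts any cert signed by the CA, including another client's.
    if "remote-cert-tls" not in names:
        findings.append("missing 'remote-cert-tls server': server certificate role is not verified")
    return findings


if __name__ == "__main__":
    for finding in lint_client_config(SAMPLE_OVPN):
        print("WARN:", finding)
```

Run against the constructed sample it flags the placeholder port and the missing `remote-cert-tls server`; with a real port filled in and that directive added it reports nothing. The parser also keeps the inline `<ca>`/`<cert>`/`<key>` bodies separate from the directive list, which is what you would need if you later wanted to feed those blobs to a certificate-expiry check.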
