Simplest 3G/4G connection for Pi, must work headless and stand-alone

Further there is a load of misinformation and worse about VPNs on Ubuntu, for example (and this is by no means the worst) take a look at:-

https://thishosting.rocks/how-to-set-up-openvpn-on-ubuntu/

It says you do things like:-

$ SSH root@

No Ubuntu system has had a root login for years (if ever)! Not to mention that the command before for obtaining the IP address is rubbish. (We'll ignore the upper-case ssh.)

Other VPN tutorials are just as bad.

... and how does installing a VPN make my access to the internet more secure??? It makes access from *my* site A to *my* site B more secure but not much else.

It really gives me bad vibes about using a VPN.

--
Chris Green
Reply to
Chris Green

Yes that's the case for any "normal" account. In Australia there is/was at least one reseller offering mobile broadband accounts with a fixed IPv4 address, on either the Telstra or Optus networks. You paid for it of course, but it wasn't big $$$.

Odds are that the OP isn't in Australia, so I won't bother trying to dig up the link. But I'm guessing that there would be similar options in their country if they looked hard enough. Mobile broadband is now used quite a bit in industry for this sort of thing.

--
__          __ 
#_ < |\| |< _#
Reply to
Computer Nerd Kev

This depends on the provider. I've been using mobile broadband for my home internet for years, from various providers. At least one rounded up the data used over certain connection periods for charging purposes. Maybe you'll avoid that if the connection never does go dead, but on the other hand it might trigger regular round-ups to 1MB just because an open connection gets rounded up to 1MB every so often by their system.

This is a "try it and see" sort of thing; terms of service documents can be long and detailed, but often don't actually match the reality of how their system works. Some providers round up by KB instead of MB, by the way.

This is based on experience with mobile broadband providers in Australia only.

--
__          __ 
#_ < |\| |< _#
Reply to
Computer Nerd Kev

It used to be that Three (UK), on the 3internet APN, would get you a public (variable) IPv4 address. Using the three.co.uk APN would put you behind CGNAT. I don't know if that's still the case. I think the public IP still had some degree of firewalling (so you couldn't run some protocols).

A&A will provide you a fixed IPv4 address on their data SIMs (appears to use the Three network and AQL's M2M service).

Theo

Reply to
Theo

Re: Simplest 3G/4G connection for Pi, must work headless and stand-alone
By: Chris Green to druck on Mon Dec 28 2020 12:46 pm

VPN capable routers are used mainly for enterprise /small businesses.

The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANs are merged (sort of).

i.e.:

LAN A has subnet 192.168.10.0/

LAN B has 192.168.20.0/

The router-generated VPN makes it so a computer in LAN A can use a network printer with IP 192.168.20.5 in LAN B, access a file server which is not allowed traffic to the open internet at 192.168.20.11 (LAN B), etc., as if both networks were directly connected, instead of separated by the whole Internet. In fact the connection between the two networks is encrypted and thus deemed private.

This is the most common scenario that you find documented for VPN enabled routers, followed by the road-warrior setup (you use VPN in order to allow a laptop using an insecure LAN connect to your office in Berlin and access resources in LAN A as if the laptop was in Berlin's office).

--
gopher://gopher.richardfalken.com/1/richardfalken
Reply to
Richard Falken

Yes, absolutely, trying to find the *actual* way they charge is very often well nigh impossible and they usually don't know themselves (or at least the people you talk to don't know).

--
Chris Green
Reply to
Chris Green

OP here - I'm in the UK but the system this is for will be in France. So digging out specialist providers and such is one level more difficult than doing it 'at home'.

--
Chris Green
Reply to
Chris Green

Yes, it can. A VPN client behaves as a computer with two (or more) network interfaces. A single workstation client will by default route its outgoing packets to its VPN client software for transmission down the tunnel (obviously except the VPN protocol packets themselves, which are routed as normal through the computer's hardware network interface), but the hardware interface can still accept packets from other local computers, and may be configured to also route some or all of them into the VPN. It's also obvious why the network address for the local LAN and the remote network must be different: having the same network address on two interfaces of the same computer never works well.

Three VPN scenarios:

1) Default gateway router is a VPN client to a remote network. All outgoing packets (except the VPN protocol itself) go through the VPN. All computers using the router automatically use the VPN with no change in routing necessary.

2) Single workstation is the VPN client. All its packets route through the VPN. No routing change required. All other computers in the local LAN unaffected.

3) Computer within the LAN (i.e. not the default gateway) is the VPN client to the remote network. Other local computers which wish to use the VPN must treat the VPN client as the gateway to the remote network(s), so a routing change in the client is required, as well as enabling IP forwarding in the VPN computer and possibly adjusting its firewall.

The first and last are 'site-to-site' VPNs, handling multiple clients. Best done by scenario 1), but can be done by 3) if the gateway cannot be a client of the VPN type required. Most modern routers can be client or server to some VPN types e.g. IPSec and PPTP, but not usually OpenVPN.

Note that many types of VPN (e.g. IPSec and PPTP) can only support one tunnel between a given pair of IP addresses. OpenVPN can use any port, so multiple tunnels are allowed, but IPSec and PPTP both use a TCP control channel and another IP protocol which does not have the concept of ports. So two or more workstations within the same (NATed) LAN must use site-to-site to reach the same remote network if using one of these VPN types.

--
Joe
Reply to
Joe

That is what any smartphone in your pocket does. Why should it? In reality all that is going on is keepalive packets going to the cell tower and probably keepalive packets keeping alive any TCP connection you have.

--
"In our post-modern world, climate science is not powerful because it is  
true: it is true because it is powerful." 

Lucas Bergkamp
Reply to
The Natural Philosopher

Asus routers support OpenVPN client and server out of the box. Any router supported by OpenWrt is also OK.

---druck

Reply to
druck

Here's your network

a) Router b) OpenVPN server c) Other local machine(s)

and

d) Remote machine

You need to set up your router so it forwards port UDP/1194 to the IP address of OpenVPN server (b), as the OpenVPN client on (d) will connect to the external (WAN) address of (a), and this traffic is handled by (b).

The OpenVPN server on (b) will assign a private subnet for the remote devices which is different to your local network subnet. When the OpenVPN server is running on the router it will use DHCP to tell the other local machines (c) to route this subnet through it. But if you are using a separate OpenVPN server (b), you either need to manually add a route to its DHCP table, or set up the routing on each of the other machines (c) so the remote subnet is routed via (b), rather than defaulting to the router.

That all seemed a lot easier to explain before I started writing this post!

---druck

Reply to
druck

If a router 'supports VPN' what does that actually mean?

Presumably it doesn't mean that the router runs as a VPN server, or does it?

If my router supports VPN (which it does, a Draytek 2860N) and I enable it what else needs to happen to make it useful? ... and what does my LAN behind the router look like, is it *all* on the VPN by default or what? ... and how do I connect a remote system to the VPN?

--
Chris Green
Reply to
Chris Green

There are many varieties of VPN using different protocols; OpenVPN is just one of them (other common ones are IPSec and PPTP), and many consider it the best of them.

It might, depending on what support is on the router - nearly all routers will act as a PPTP client, not so many as anything else. As mentioned above, Asus and routers running OpenWrt support OpenVPN both as client and server.

I could be wrong but I'm pretty sure the Draytek routers only support being a PPTP client so that they can connect you to a corporate VPN. To be certain you'd have to look in the Draytek documentation.

--
Steve O'Hara-Smith                          |   Directable Mirror Arrays 
C:\>WIN                                     | A better way to focus the sun 
The computer obeys and wins.                |    licences available see 
You lose and Bill collects.                 |    http://www.sohara.org/
Reply to
Ahem A Rivet's Shot

Just a thought, but have you considered using SMS to ask the remote end to initiate the connection?

You send a text saying 'wake up now', the boat receives it, 'dials' a 3G/LTE connection and connects to your VPN (or SSH tunnel). Now you can access it. After a while of inactivity it drops the connection and goes back to sleep.

If the duty cycle is low (e.g. you connect for 5 minutes a week) it could work out cheaper than having an always-on VPN connection that's consuming traffic in keepalives.

That also means you can use any SIM you like, so pick whatever tariff suits you.

Typically, dongles provide multiple USB-UART channels - one for the PPP data connection, another for signal stats and SMS, maybe a third for something else (GPS?). I don't know the best framework for handling the SMS side, but at the least something polling it with AT commands would do.

Theo

Reply to
Theo
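As an added example (not Theo's code or anything posted in the thread), this parses the dongle's text-mode `AT+CMGL` reply and honours a 'wake up now' text only if it is unread and comes from a pre-approved number, so a stray or third-party SMS cannot start a metered data session. The modem output and the phone numbers are constructed.

```python
import re
from dataclasses import dataclass

# One list entry in text mode (3GPP TS 27.005, AT+CMGL) is a header line
#   +CMGL: <index>,"<status>","<sender>",<alpha>,"<timestamp>"[,<tooa>,<length>]
# followed by the message text on the next line.
CMGL_HEADER = re.compile(
    r'^\+CMGL: (\d+),"([^"]*)","([^"]*)",[^,]*,"([^"]*)"(?:,.*)?$')

@dataclass
class Sms:
    index: int
    status: str
    sender: str
    when: str
    text: str

def parse_cmgl(reply: str) -> list[Sms]:
    """Pair each +CMGL header with the text line that follows it; skip OK/blank lines."""
    lines = reply.replace("\r\n", "\n").split("\n")
    messages = []
    for i, line in enumerate(lines):
        m = CMGL_HEADER.match(line)
        if m:
            text = lines[i + 1].strip() if i + 1 < len(lines) else ""
            messages.append(Sms(int(m[1]), m[2], m[3], m[4], text))
    return messages

WAKE_TEXT = "wake up now"

def wake_requests(reply: str, allowed_senders: set[str]) -> list[Sms]:
    """Keep only unread messages carrying the exact command from an approved
    number; a wrong sender, an already-read copy or a typo is ignored."""
    return [s for s in parse_cmgl(reply)
            if s.status == "REC UNREAD"
            and s.sender in allowed_senders
            and s.text.lower() == WAKE_TEXT]

# Constructed reply to AT+CMGL="ALL" (numbers are from the reserved +44 7700 900xxx range).
SAMPLE_REPLY = (
    '\r\n+CMGL: 1,"REC UNREAD","+447700900123",,"20/12/28,12:46:00+00"\r\n'
    'wake up now\r\n'
    '+CMGL: 2,"REC UNREAD","+447700900999",,"20/12/28,12:47:10+00"\r\n'
    'wake up now\r\n'
    '+CMGL: 3,"REC READ","+447700900123",,"20/12/27,09:00:00+00"\r\n'
    'wake up now\r\n'
    '+CMGL: 4,"REC UNREAD","+447700900123",,"20/12/28,12:48:00+00"\r\n'
    'Your balance is low\r\n'
    '\r\nOK\r\n')
```

With `wake_requests(SAMPLE_REPLY, {"+447700900123"})` only message 1 qualifies: message 2 is from an unknown number, 3 has already been read and 4 is not the command.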

Re: Simplest 3G/4G connection for Pi, must work headless and stand-alone
By: Chris Green to Richard Falken on Tue Dec 29 2020 09:43 am

I just had a crazy idea.

Why don't you set up a Tor or I2P hidden service for the service running on your boat?

You can set up an i2p node on your Raspberry, and it will work even if the mobile connection the Raspberry uses is behind Carrier Grade NAT or whatever have you.

Your i2p node can get an i2p address assigned. Then you can access it using an i2p client from anywhere in the world.

Advantage: easy to deploy. Disadvantage: you need to install i2p on any machine you want to access the Raspberry from. Disadvantage 2: it has a bandwidth overhead, so it may damage your bills if they charge you for data volumes. Disadvantage 3: lag is going to be bad, especially if your mobile signal is bad quality. If the mobile signal is reeeeally bad then this approach becomes unusable in practice.

--
gopher://gopher.richardfalken.com/1/richardfalken
Reply to
Richard Falken

Fair comment. The only GSM dongle I've tried or needed to try, back in 2004, came with a Vodafone sim. However, it turned out that I was in a not-spot where the dongle would connect, but couldn't transfer data.

Fortunately, I was able to send it back and get a refund.

BTW, the program I used to access the dongle on an old Lenovo running Red Hat Linux 7.1 (that dates it!), gcom, was a command-line utility that executed a user-modifiable script to connect to the network and manage data transfers. I don't know if it's still around or needed, but the documentation was excellent and all in its manpage.

--
--   
Martin    | martin at 
Gregorie  | gregorie dot org
Reply to
Martin Gregorie

That actually sounds reasonable. Whenever I come across a non-free hotspot around here it's something like $5 per hour. I'm never sure whether it's me losing my mind and going off my rocker or they are.

--
/ \  Mail | -- No unannounced, large, binary attachments, please! --
Reply to
Axel Berger

-=> Kees Nuyt wrote to Deloptes
KN> Nowadays it's easy to set up a VPN server with
KN> PiVPN

Many appliance routers can run DD-WRT or OpenWRT, and it can act as an OpenVPN client or server. I'm about to order a Pi, though, and PiVPN looks like a nice tool to use instead - and to get familiar with the Pi.

The one thing I've been trying to figure out is how to use OpenVPN to route selected traffic through a local node but route the rest over the internet. Netflix doesn't like VPNs, and I want to be able to get local TV stations outside of my area with an app that limits available channels to your local area. I'm hoping it's easier to set up than with DD-WRT.

kurt weiske | kweiske at realitycheckbbs dot org | 1:218/700@fidonet

... Discover your formulas and abandon them

Reply to
Kurt Weiske

-=> Axel Berger wrote to Chris Green
Chris Green wrote:
> I do that by using a simple proxy setup, one-liner ssh command,
> configure Firefox to use the proxy and it's done.

AB> It's me, there's a lot I don't know about networks, but I do not
AB> understand that sentence at all, not one little bit.

The SSH protocol allows for port forwarding, which allows network traffic to be routed over it. Connect via SSH to one of the machines in your university, configure SSH port forwarding, and with a little work all web traffic will go over the ssh tunnel to your university and appear to come from your university instead of your home.

It's a little deep to try and explain off the top of my head, there are a lot of tutorials on the web that'll explain it better than I can.

kurt weiske | kweiske at realitycheckbbs dot org
poindexter fortran | pfortran at realitycheckbbs dot org | 1:218/700@fidonet

... Discover your formulas and abandon them

Reply to
Kurt Weiske

There are two levels: first is to pass the VPN protocol at all, in either direction. This isn't relevant to OpenVPN, but some other types of VPN use two channels like FTP. Like FTP, they require a conntrack module in the stateful firewall to associate the two channels, to allow one to pass when only the other has been seen by the firewall. I've seen routers that supposedly have 'PPTP passthrough' which do not, in fact, do it correctly. VPNs are an afterthought to router manufacturers. Draytek was always notable for having better VPN implementations than most other makes at a comparable price.

Secondly there is actual VPN client or server support, often described as 'VPN endpoint'.

At the second level, yes.

It depends on the type of VPN. Some like OpenVPN are normally secured by certificates, some just by password. They will often need a key at both ends for use in the symmetrical encryption. Asymmetrical encryption can be provided by the certificate, but that is generally too slow to have a decent performance.

If the router is the endpoint, then all the LAN is potentially available to the client. If the router has a decent firewall user interface, then access can be tailored so that only certain LAN computers are visible. Ideally the router should connect to the LAN via a separate firewall computer running iptables or nftables, which allow very fine-grained control in forwarding. Of course, the LAN computer firewalls can also permit packets on only certain ports when arriving from the router.

Give the VPN client the public IP address or hostname, and tell it to connect. Network Manager works fairly well these days, and has plugins for some VPNs. Obviously arrange for the client to have any keys or certificates it requires. It is wise to have human intervention required e.g. to have a private key encrypted with a good passphrase which is not entrusted to the VPN client, so if the key becomes compromised it can be cancelled and replaced without much risk of intrusion. I keep OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I lose a laptop, my home network is still safe, and if I lose the wallet, the encryption passphrase isn't stored on the stick.

--
Joe
Reply to
Joe
