Further, there is a load of misinformation and worse about VPNs on
Ubuntu, for example (and this is by no means the worst) take a look
It says you do things like:-
$ SSH root@
No Ubuntu system has had a root login for years (if ever)! Not to
mention that the command before for obtaining the IP address is
rubbish. (We'll ignore the upper case ssh)
Other VPN tutorials are just as bad.
... and how does installing a VPN make my access to the internet more
secure??? It makes access from *my* site A to *my* site B more secure
but not much else.
It really gives me bad vibes about using a VPN.
Yes that's the case for any "normal" account. In Australia there
is/was at least one reseller offering mobile broadband accounts
with a fixed IPv4 address, on either the Telstra or Optus networks.
You paid for it of course, but it wasn't big $$$.
Odds are that the OP isn't in Australia, so I won't bother trying to
dig up the link. But I'm guessing that there would be similar
options in their country if they looked hard enough. Mobile
broadband is now used quite a bit in industry for this sort of
This depends on the provider. I've been using mobile broadband for
my home internet for years, from various providers. At least one
rounded up the data used over certain connection periods for
charging purposes. Maybe you'll avoid that if the connection never
does go dead, but on the other hand it might trigger regular
round-ups to 1MB just because an open connection gets rounded up
to 1MB every so often by their system.
This is a "try it and see" sort of thing, terms of service
documents can be long and detailed, but often don't actually match
the reality of how their system works. Some providers round up by
KB instead of MB, by the way.
This is based on experience with mobile broadband providers in
It used to be that Three (UK), on the 3internet APN, would get you a public
(variable) IPv4 address. Using the three.co.uk APN would put you behind
CGNAT. I don't know if that's still the case. I think the public IP still
had some degree of firewalling (so you couldn't run some protocols).
A&A will provide you a fixed IPv4 address on their data SIMs:
(appears to use the Three network and AQL's M2M service)
Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
By: Chris Green to druck on Mon Dec 28 2020 12:46 pm
VPN capable routers are used mainly for enterprise /small businesses.
The idea is that you have an office in Berlin with LAN A, and an office in
Washington with LAN B. You configure your routers to establish a virtual
private network between them so both LANS are merged (sort of).
LAN A has subnet 192.168.10.0/
LAN B has 192.168.20.0/
The router generated VPN makes it so a computer in LAN A can use a network
printer with ip 192.168.20.5 in LAN B, access a file server which is not
allowed traffic to the open internet at 192.168.20.11 (LAN B) etc as if both
networks were directly connected, instead of separated by the whole
Internet. In fact the connection between the two networks is encrypted and thus
This is the most common scenario that you find documented for VPN enabled
routers, followed by the road-warrior setup (you use VPN in order to allow a
laptop using an insecure LAN connect to your office in Berlin and access
resources in LAN A as if the laptop was in Berlin's office).
Yes, it can. A VPN client behaves as a computer with two (or more)
network interfaces. A single workstation client will by default route
its outgoing packets to its VPN client software for transmission down
the tunnel (obviously except the VPN protocol packets themselves,
which are routed as normal through the computer's hardware network
interface), but the hardware interface can still accept packets from
other local computers, and may be configured to also route some or all
of them into the VPN. It's also obvious why the network address for
local LAN and remote network must be different, having the same network
address on two interfaces of the same computer never works well.
Three VPN scenarios:
1) Default gateway router is a VPN client to a remote network. All
outgoing packets (except the VPN protocol itself) go through the VPN.
All computers using the router automatically use the VPN with no change
in routing necessary.
2) Single workstation is the VPN client. All its packets route through
the VPN. No routing change required. All other computers in the local
3) Computer within the LAN (i.e. not the default gateway) is the VPN
client to the remote network. Other local computers which wish to use
the VPN must treat the VPN client as the gateway to the remote
network(s), so a routing change in the client is required, as well as
enabling IP forwarding in the VPN computer and possibly adjusting its
The first and last are 'site-to-site' VPNs, handling multiple clients.
Best done by scenario 1), but can be done by 3) if the gateway cannot
be a client of the VPN type required. Most modern routers can be client
or server to some VPN types e.g. IPSec and PPTP, but not usually
Note that many types of VPN (e.g. IPSec and PPTP) can only support one
tunnel between a given pair of IP addresses. OpenVPN can use any port,
so multiple tunnels are allowed, but IPSec and PPTP both use a TCP
control channel and another IP protocol which does not have the concept
of ports. So two or more workstations within the same (NATed) LAN must
use site-to-site to reach the same remote network if using one of these
That is what any smart phone in your pocket does. Why should it? In
reality all that is going on is keepalive packets going to the cell
tower and probably keepalive packets keeping alive any TCP connection
"In our post-modern world, climate science is not powerful because it is
true: it is true because it is powerful."
Here's your network
b) OpenVPN server
c) Other local machine(s)
d) Remote machine
You need to set up your router so it forwards port UDP/1194 to the IP
address of OpenVPN server (b), as the OpenVPN client on (d) will connect
to the external (WAN) address of (a), and this traffic is handled by (b).
The OpenVPN server on (b) will assign a private subnet for the remote
devices which is different to your local network subnet. When OpenVPN
server is running on the router it will use DHCP to tell the other local
machines (c) to route this subnet through it. But if you are using a
separate OpenVPN server (b), you either need to manually add a route to
its DHCP table, or set up the routing on each of the other machines (c) so
the remote subnet is routed via (b), rather than defaulting to the router.
That all seemed a lot easier to explain before I started writing this post!
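The three scenarios in the earlier reply and the router-plus-separate-OpenVPN-server layout in this post come down to the same routing plan: the local LAN, the remote LAN and the tunnel subnet must not overlap, the VPN box has to forward (and should forward only between its LAN interface and the tunnel), and the other LAN machines need routes pointing at the VPN box instead of the default gateway. The script below is an added example and is not code from either post; the addresses (192.168.10.0/24, 192.168.20.0/24, 10.8.0.0/24, 192.168.10.2) and interface names are assumptions, and it prints the commands rather than running them. The overlap check also catches the road-warrior case where a hotel LAN happens to use the same subnet as the tunnel.

```python
"""Routing plan for a VPN box that is not the default gateway (scenario 3
above, or the separate OpenVPN server (b) in the later post).
Added example; addresses and interface names are assumptions."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnPlan:
    lan_a: ipaddress.IPv4Network      # local LAN, e.g. the Berlin office
    lan_b: ipaddress.IPv4Network      # remote LAN reached through the tunnel
    tunnel: ipaddress.IPv4Network     # subnet OpenVPN hands to tunnel endpoints
    vpn_host: ipaddress.IPv4Address   # LAN-side address of the VPN box (b)
    lan_if: str = "eth0"              # assumed interface names
    tunnel_if: str = "tun0"


def make_plan(lan_a: str, lan_b: str, tunnel: str, vpn_host: str) -> VpnPlan:
    """Parse the dotted-quad strings so callers need not import ipaddress."""
    return VpnPlan(ipaddress.ip_network(lan_a), ipaddress.ip_network(lan_b),
                   ipaddress.ip_network(tunnel), ipaddress.ip_address(vpn_host))


def check_overlaps(plan: VpnPlan) -> list[str]:
    """The thread's rule: the same network address on two interfaces never
    works, so LAN A, LAN B and the tunnel subnet must all be disjoint."""
    nets = {"LAN A": plan.lan_a, "LAN B": plan.lan_b, "tunnel": plan.tunnel}
    names = list(nets)
    problems = [f"{x} {nets[x]} overlaps {y} {nets[y]}"
                for i, x in enumerate(names) for y in names[i + 1:]
                if nets[x].overlaps(nets[y])]
    if plan.vpn_host not in plan.lan_a:
        problems.append(f"VPN box {plan.vpn_host} is not inside LAN A {plan.lan_a}")
    return problems


def commands_for_vpn_box(plan: VpnPlan) -> list[str]:
    """On (b): enable forwarding, but only between the LAN interface and the
    tunnel, so a tunnel peer cannot use (b) as a general-purpose router.
    The tunnel interface identifies the peer, so no -s match is needed there."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {plan.lan_if} -o {plan.tunnel_if} "
        f"-s {plan.lan_a} -d {plan.lan_b} -j ACCEPT",
        f"iptables -A FORWARD -i {plan.tunnel_if} -o {plan.lan_if} "
        f"-d {plan.lan_a} -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def commands_for_other_hosts(plan: VpnPlan) -> list[str]:
    """On each other LAN machine (c): send the remote LAN and the tunnel
    subnet to (b) instead of to the default gateway (a)."""
    return [f"ip route add {plan.lan_b} via {plan.vpn_host}",
            f"ip route add {plan.tunnel} via {plan.vpn_host}"]


if __name__ == "__main__":
    plan = make_plan("192.168.10.0/24", "192.168.20.0/24", "10.8.0.0/24", "192.168.10.2")
    for p in check_overlaps(plan):
        print("PROBLEM:", p)
    print("# on router (a): forward UDP/1194 to", plan.vpn_host, "(vendor UI, not scripted here)")
    print("# on the VPN box (b):")
    print("\n".join(commands_for_vpn_box(plan)))
    print("# on every other LAN machine (c):")
    print("\n".join(commands_for_other_hosts(plan)))
```

The DHCP-option approach mentioned in the post is the alternative to the per-machine `ip route` lines: whichever way the route is delivered, the reply packets from LAN A hosts to tunnel addresses must reach (b), or the remote machine (d) will see its connections time out.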
If a router 'supports VPN' what does that actually mean?
Presumably it doesn't mean that the router runs as a VPN server, or
If my router supports VPN (which it does, a Draytek 2860N) and I
enable it what else needs to happen to make it useful? ... and what
does my LAN behind the router look like, is it *all* on the VPN by
default or what? ... and how do I connect a remote system to the VPN?
There are many varieties of VPN using different protocols; OpenVPN
is just one of them (other common ones are IPSec and PPTP), and many consider
it the best of them.
It might, depending on what support is on the router - nearly all
routers will act as a PPTP client, not so many as anything else. As mentioned
above Asus and routers running OpenWrt support OpenVPN both as client and
I could be wrong but I'm pretty sure the Draytek routers only
support being a PPTP client so that they can connect you to a corporate
VPN. To be certain you'd have to look in the Draytek documentation.
Steve O'Hara-Smith | Directable Mirror Arrays
C:\>WIN | A better way to focus the sun
Just a thought, but have you considered using SMS to ask the remote end to
initiate the connection?
You send a text saying 'wake up now', the boat receives it, 'dials' a 3G/LTE
connection and connects to your VPN (or SSH tunnel). Now you can access it.
After a while of inactivity it drops the connection and goes back to sleep.
If the duty cycle is low (eg you connect for 5 minutes a week) it could work
out cheaper than having an always-on VPN connection that's consuming traffic
That also means you can use any SIM you like, so pick whatever tariff suits
Typically, dongles provide multiple USB-UART channels - one for the PPP data
connection, another for signal stats and SMS, maybe a third for something
else (GPS?). I don't know the best framework for handling the SMS side, but
at the least something polling it with AT commands would do.
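One way to handle the SMS side described above is to poll the dongle's control channel with AT+CMGL in text mode and act only on a known phrase from a known number. The code below is an added example, not from the post: the modem reply is constructed, and the allowed number, trigger phrase and AT command strings are assumptions. It parses the listing, picks out genuine wake-up requests, and returns the AT+CMGD commands needed to clear the SIM store so it cannot fill up.

```python
"""Turn the dongle's AT+CMGL reply into wake-up decisions. Added example, not
code from the post: the modem reply is constructed and the allowed number,
trigger phrase and command strings are assumptions."""
from __future__ import annotations
import re
from typing import NamedTuple

# Text-mode (AT+CMGF=1) listing header:
#   +CMGL: <index>,"<stat>","<number>",[<alpha>],"<timestamp>"
CMGL_HEADER = re.compile(
    r'^\+CMGL: (\d+),"([^"]*)","([^"]*)",(?:"[^"]*")?,"([^"]*)"$')


class Sms(NamedTuple):
    index: int
    status: str
    sender: str
    timestamp: str
    text: str


def parse_cmgl(reply: str) -> list[Sms]:
    """Walk the reply line by line; each header is followed by the message
    body, which may span several lines, until the next header or the final
    OK/ERROR result code."""
    lines = [ln.rstrip("\r") for ln in reply.split("\n")]
    msgs: list[Sms] = []
    i = 0
    while i < len(lines):
        m = CMGL_HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        body: list[str] = []
        while (i < len(lines) and not CMGL_HEADER.match(lines[i])
               and lines[i] not in ("OK", "ERROR")):
            body.append(lines[i])
            i += 1
        msgs.append(Sms(int(m.group(1)), m.group(2), m.group(3), m.group(4),
                        "\n".join(body).strip()))
    return msgs


def wake_requests(msgs: list[Sms], allowed_senders: set[str],
                  trigger: str = "wake up now") -> tuple[list[Sms], list[int]]:
    """Act only on the trigger phrase from a listed number. Every message is
    queued for deletion regardless, so junk cannot fill the SIM store."""
    wake = [m for m in msgs
            if m.sender in allowed_senders and m.text.strip().lower() == trigger]
    return wake, [m.index for m in msgs]


def delete_commands(indices: list[int]) -> list[str]:
    """AT+CMGD=<index> removes one stored message."""
    return [f"AT+CMGD={i}" for i in indices]


# Constructed reply, as a modem would return it after AT+CMGL="ALL".
SAMPLE_REPLY = (
    '\r\n+CMGL: 1,"REC UNREAD","+447700900123",,"20/12/29,09:43:00+00"\r\n'
    'wake up now\r\n'
    '+CMGL: 2,"REC UNREAD","+447700900999",,"20/12/29,09:44:10+00"\r\n'
    'wake up now\r\n'
    '+CMGL: 3,"REC READ","+447700900123",,"20/12/28,12:46:00+00"\r\n'
    'Hello from the marina\r\n'
    '\r\nOK\r\n'
)

if __name__ == "__main__":
    ALLOWED = {"+447700900123"}   # assumed owner's number
    msgs = parse_cmgl(SAMPLE_REPLY)
    wake, gone = wake_requests(msgs, ALLOWED)
    for m in wake:
        print(f"wake-up from {m.sender} at {m.timestamp}: bring up the link")
    print("housekeeping:", " ".join(delete_commands(gone)))
```

The sender check is the minimum; sender IDs can be spoofed through some SMS gateways, so if the boat does anything more than open an authenticated VPN or SSH session, a shared token in the message text is cheap extra insurance.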
Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
By: Chris Green to Richard Falken on Tue Dec 29 2020 09:43 am
I just had a crazy idea.
Why don't you set a Tor or I2P hidden service for the service running on your
You can set up an i2p node on your Raspberry, and it will work even if the mobile
connection the raspberry uses is behind Carrier Grade NAT or whatever have you.
Your i2p node can get an i2p address assigned. Then you can access it using an
i2p client from anywhere in the world.
Advantage: easy to deploy.
Disadvantage: You need to install i2p on any machine you want to access the
Disadvantage 2: It has a bandwidth overhead, so it may damage your bills if
they charge you for data volumes.
Disadvantage 3: Lag is going to be bad, especially if your mobile signal is of bad
quality. If the mobile signal is reeeeally bad then this approach becomes
unusable in practice.
Fair comment. The only GSM dongle I've tried or needed to try, back in
2004, came with a Vodafone sim. However, it turned out that I was in a
not-spot where the dongle would connect, but couldn't transfer data.
Fortunately, I was able to send it back and get a refund.
BTW, the program I used to access the dongle on an old Lenovo running Red
Hat Linux 7.1 (that dates it!), gcom, was a command-line utility that
executed a user-modifiable script to connect to the network and manage
data transfers. I don't know if it's still around or needed, but the
documentation was excellent and all in its manpage.
That actually sounds reasonable. Whenever I come across a non-free
hotspot around here it's something like $5 per hour. I'm never sure
whether it's me losing my mind and going off the rocker or they are.
/ \ Mail | -- No unannounced, large, binary attachments, please! --
-=> Kees Nuyt wrote to Deloptes
Nowadays it's easy to set up a VPN server with
Many appliance routers can run DD-WRT or OpenWRT, and it can act as an
OpenVPN client or server. I'm about to order a Pi, though, and PiVPN
looks like a nice tool to use instead - and to get familiar with the
The one thing I've been trying to figure out is how to use OpenVPN to
route selected traffic through a local node but route the rest over
the internet. Netflix doesn't like VPNs, and I want to be able to get
local TV stations outside of my area with an app that limits
available channels to your local area. I'm hoping it's easier to set
up than with DD-WRT.
kurt weiske | kweiske at realitycheckbbs dot org
AB> It's me, there's a lot I don't know about networks, but I do not
AB> understand that sentence at all, not one little bit.
The SSH protocol allows for port forwarding, which allows network
traffic to be routed over it. Connect via SSH to one of the machines
in your university, configure SSH port forwarding, and with a little
work all web traffic will go over the ssh tunnel to your university
and appear to come from your university instead of your home.
It's a little deep to try and explain off the top of my head, there
are a lot of tutorials on the web that'll explain it better than I
kurt weiske | kweiske at realitycheckbbs dot org
poindexter fortran | pfortran at realitycheckbbs dot org
There are two levels: first is to pass the VPN protocol at all, in
either direction. This isn't relevant to OpenVPN, but some other types
of VPN use two channels like FTP. Like FTP, they require a conntrack
module in the stateful firewall to associate the two channels, to allow
one to pass when only the other has been seen by the firewall. I've
seen routers that supposedly have 'PPTP passthrough' which do not, in
fact, do it correctly. VPNs are an afterthought to router
manufacturers. Draytek was always notable for having better VPN
implementations than most other makes at a comparable price.
Secondly there is actual VPN client or server support, often described
as 'VPN endpoint'.
At the second level, yes.
It depends on the type of VPN. Some like OpenVPN are normally secured
by certificates, some just by password. They will often need a key at
both ends for use in the symmetrical encryption. Asymmetrical encryption
can be provided by the certificate, but that is generally too slow to
have a decent performance.
If the router is the endpoint, then all the LAN is potentially
available to the client. If the router has a decent firewall user
interface, then access can be tailored so that only certain LAN
computers are visible. Ideally the router should connect to the LAN via
a separate firewall computer running iptables or nftables, which allow
very fine-grained control in forwarding. Of course, the LAN computer
firewalls can also permit packets on only certain ports when arriving
from the router.
Give the VPN client the public IP address or hostname, and tell it to
connect. Network Manager works fairly well these days, and has plugins
for some VPNs. Obviously arrange for the client to have any keys or
certificates it requires. It is wise to have human intervention required
e.g. to have a private key encrypted with a good passphrase which is not
entrusted to the VPN client, so if the key becomes compromised it can
be cancelled and replaced without much risk of intrusion. I keep
OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
lose a laptop, my home network is still safe, and if I lose the wallet,
the encryption passphrase isn't stored on the stick.
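The post's advice is to keep the private key encrypted with a passphrase that the VPN client does not store. A quick way to make sure nothing cleartext slipped onto the stick is to inspect the key headers: a PKCS#8 key says so in its BEGIN line, a legacy PEM key carries a Proc-Type/DEK-Info header, and the OpenSSH format records a cipher name ("none" meaning cleartext). The checker below is an added example and not from the thread; the key files are constructed stubs carrying only the headers the check reads, and the file names are assumptions.

```python
"""Audit private keys for passphrase protection before trusting a USB stick
full of them. Added example, not code from the post; the key material below is
constructed (headers and a header-only OpenSSH blob) to exercise the checks."""
from __future__ import annotations
import base64
import struct
from typing import Optional

OPENSSH_MAGIC = b"openssh-key-v1\x00"
LEGACY_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----",
                  "-----BEGIN EC PRIVATE KEY-----",
                  "-----BEGIN DSA PRIVATE KEY-----")


def openssh_cipher(blob: bytes) -> Optional[str]:
    """The OpenSSH key format begins with the magic, then a length-prefixed
    cipher name; 'none' means the key is stored in the clear."""
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    if len(blob) < off + 4:
        return None
    (n,) = struct.unpack(">I", blob[off:off + 4])
    name = blob[off + 4:off + 4 + n]
    return name.decode("ascii", "replace") if len(name) == n else None


def key_is_encrypted(pem: str) -> Optional[bool]:
    """True/False for a recognised private key, None for anything else."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines:
        return None
    head = lines[0]
    if head == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if head == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, cleartext
        return False
    if head in LEGACY_HEADERS:
        # Legacy PEM signals encryption with Proc-Type/DEK-Info headers.
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:4])
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            cipher = openssh_cipher(base64.b64decode(body))
        except ValueError:
            return None
        return None if cipher is None else cipher != "none"
    return None


def audit(keys: dict[str, str]) -> list[str]:
    """Names of keys that are cleartext or not recognised as private keys."""
    return [name for name, pem in keys.items() if key_is_encrypted(pem) is not True]


def openssh_stub(cipher: str) -> str:
    """Constructed header-only OpenSSH key blob: magic, cipher name, kdf name.
    Enough for openssh_cipher(); it is not a usable key."""
    raw = (OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
           + struct.pack(">I", 6) + b"bcrypt")
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample "files" as they might sit on the stick (names assumed).
SAMPLE_KEYS = {
    "ovpn_client_encrypted.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
        "AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "ovpn_client_plain.key": (
        "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
    "pkcs8_encrypted.key": (
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
        "-----END ENCRYPTED PRIVATE KEY-----\n"),
    "id_ed25519": openssh_stub("aes256-ctr"),
    "id_rsa_old": openssh_stub("none"),
}

if __name__ == "__main__":
    for name in audit(SAMPLE_KEYS):
        print("NOT passphrase-protected (or unrecognised):", name)
```

Note that the check only proves a passphrase is in use, not that it is a good one; for the legacy PEM format in particular, the key derivation is weak enough that a short passphrase is worth little, which is one more reason to prefer the OpenSSH format with bcrypt or PKCS#8 for keys that travel in a wallet.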