[SOLVED] OpenVPN quick sanity check.

wh33t · 04-29-2020, 05:08 PM

Hey LQ,

I've got a nextcloud VM running on my home server. I want to give my parents access to it through the nextcloud desktop client app but I don't want to leave an http/s port open on my system. I'd much prefer to have them connect into my network through a VPN.

So my theory is I'll spin up a small VM whose only purpose in life is to receive VPN connections and that way all of my parents internet traffic is routed as if it were on my home network. They'll be able to access the nextcloud Vm by typing in a local address.

Is this the right idea? Any pros or cons you want me to be aware of?

Thanks in advance!

Also, if anyone can suggest a good windows vpn client (is there one built in yet?) that'd be great too.

IlyaK · 04-29-2020, 06:21 PM

I am not familiar with nextcloud, but generally you are right: VPN is the right solution to give your parents access to services of your network. Just make sure that your VPN server would be accessible from the Internet.
Some people have private IP addresses, so they can't create VPN server.

Also make sure that their local network has different addresses. If your server happens to have same IP as their router (192.168.1.1 for example) you will be in trouble)

Another approach would be Windows machine with RDP access (I assume they are using Windows), but VPN is better.

Windows only supports IPSec/IKEv2 out of the box. On Linux side you can use StrongSWAN for IKE, but there is a free OpenVPN client for Windows.

While IKE is more flexible, it is much more complex and harder to configure and debug. So, install OpenVPN client on Windows and use it

Here are some ideas no how to secure it:
* Use Server Mode instead of p2p (static key) mode. With Server mode OpenVPN implements Perfect Forward Security: keys are changed automatically.
* If you know your parents IP address, then only allow access to your VPN from their IP (using iptables or something like that).
* Use some random port: not 443 and not 8443. Networks are scanned by robots constantly

wh33t · 04-29-2020, 07:05 PM

Quote:

Originally Posted by IlyaK

I am not familiar with nextcloud, but generally you are right: VPN is the right solution to give your parents access to services of your network. Just make sure that your VPN server would be accessible from the Internet.
Some people have private IP addresses, so they can't create VPN server.

Also make sure that their local network has different addresses. If your server happens to have same IP as their router (192.168.1.1 for example) you will be in trouble)

Another approach would be Windows machine with RDP access (I assume they are using Windows), but VPN is better.

Windows only supports IPSec/IKEv2 out of the box. On Linux side you can use StrongSWAN for IKE, but there is a free OpenVPN client for Windows.

While IKE is more flexible, it is much more complex and harder to configure and debug. So, install OpenVPN client on Windows and use it

Here are some ideas no how to secure it:
* Use Server Mode instead of p2p (static key) mode. With Server mode OpenVPN implements Perfect Forward Security: keys are changed automatically.
* If you know your parents IP address, then only allow access to your VPN from their IP (using iptables or something like that).
* Use some random port: not 443 and not 8443. Networks are scanned by robots constantly

Thank you!

NextCloud is a fork of OwnCloud, and it's trying so hard to be Google Docs/Drive etc.