• Simplest 3G/4G connection for Pi, must work headless and stand-alone

    From Chris Green@3:770/3 to All on Sun Dec 27 12:42:48 2020
    Are there any simple 3G/4G add-ons for a Pi that will allow it to
    power up into a mode where it has the ability to be connected to via
    the mobile data connection?

    I want a system that I can connect to from my home desktop/laptop on
    demand.

    Sort of 'thinking out loud' about this:-

    I suppose a USB 3G/4G dongle could provide the hardware required
    to make a mobile connection to the PI, recommendations?

    It has to 'connect on demand' dialling *to* the Pi, it can't keep
    the line open all the time, very expensive!

    So, is there software for Linux (and thus for the Pi) which will
    handle incoming calls to allow ssh login?

    How does one manage the other end? Is there Linux desktop
    software to allow one to dial up a remote system and then squirt
    ssh down the connection?

    Any/all ideas would be very welcome.

    I'm happy with fairly low-level stuff, I am a retired software
    engineer, grew up with Unix (solaris) command line and I'm also quite
    into home-build electronics projects.


    --
    Chris Green
    ·

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From The Natural Philosopher@3:770/3 to Chris Green on Sun Dec 27 13:53:27 2020
    On 27/12/2020 12:42, Chris Green wrote:
    Are there any simple 3G/4G add-ons for a Pi that will allow it to
    power up into a mode where it has the ability to be connected to via
    the mobile data connection?

    I want a system that I can connect to from my home desktop/laptop on
    demand.

    Sort of 'thinking out loud' about this:-

    I suppose a USB 3G/4G dongle could provide the hardware required
    to make a mobile connection to the PI, recommendations?

    It has to 'connect on demand' dialling *to* the Pi, it can't keep
    the line open all the time, very expensive!

    Why? a smart phone sim is a charge per gigabyte, They are always on for
    data!


    So, is there software for Linux (and thus for the Pi) which will
    handle incoming calls to allow ssh login?

    Just use an IP capable dongle, forget about 'incoming calls' and ssh
    right in. Biggest problem will be on what IP address you appear.

    How does one manage the other end? Is there Linux desktop
    software to allow one to dial up a remote system and then squirt
    ssh down the connection?

    3G/4G is not 'dial up'!

    Any/all ideas would be very welcome.


    Look I think you have got the wrong end of the stick about how mobile IP works...where is this pi going to be? Do you have a fixed IP address on
    your ISP interface?

    It's almost impossible to set up a mobile connection to receive
    unsolicited IP. The mobile provider will absolutely do massive NAT. So
    you need the Pi to be always online and connected to something that you
    can contact, and then figure out a way to hijack the link. Just running
    keepalive packets won't break the bank.

    sshing in won't be trivial, but without knowing what you want to do with
    the pi it's hard to say whether you need to. For example, just polling a
    webserver, the pi could detect a request for data and upload it to the
    webserver where you could download it. Even to the point of downloading
    a command line off the server, executing it on the pi and sending stdout
    back to the server...


    I'm happy with fairly low-level stuff, I am a retired software
    engineer, grew up with Unix (solaris) command line and I'm also quite
    into home-build electronics projects.


    Start with the assumption that you can't open a connection to a mobile
    equipped pi, but 'always on' FROM the pi won't be costly.

    --
    How fortunate for governments that the people they administer don't think.

    Adolf Hitler

  • From David Higton@3:770/3 to Chris Green on Sun Dec 27 14:12:37 2020
    In message <83cmbh-3vl4.ln1@esprimo.zbmc.eu>
    Chris Green <cl@isbd.net> wrote:

    Are there any simple 3G/4G add-ons for a Pi that will allow it to power up into a mode where it has the ability to be connected to via the mobile data connection?

    I want a system that I can connect to from my home desktop/laptop on
    demand.

    Sort of 'thinking out loud' about this:-

    I suppose a USB 3G/4G dongle could provide the hardware required
    to make a mobile connection to the PI, recommendations?

    It has to 'connect on demand' dialling *to* the Pi, it can't keep
    the line open all the time, very expensive!

    So, is there software for Linux (and thus for the Pi) which will
    handle incoming calls to allow ssh login?

    How does one manage the other end? Is there Linux desktop
    software to allow one to dial up a remote system and then squirt
    ssh down the connection?

    Any/all ideas would be very welcome.

    I'm happy with fairly low-level stuff, I am a retired software engineer,
    grew up with Unix (solaris) command line and I'm also quite into home-build electronics projects.

    It seems very much to me that this depends on whether the Pi can have
    a fixed IP address, or be behind a router that supports Dynamic DNS.
    If either of those is true, you can ssh to it easily.

    If you have no idea of its IP address, then it gets somewhat harder.

    Tell us a bit more about the Pi's connectivity, and we may be able to
    help you more.

    David

  • From NY@3:770/3 to Chris Green on Sun Dec 27 13:55:40 2020
    "Chris Green" <cl@isbd.net> wrote in message news:83cmbh-3vl4.ln1@esprimo.zbmc.eu...
    Are there any simple 3G/4G add-ons for a Pi that will allow it to
    power up into a mode where it has the ability to be connected to via
    the mobile data connection?

    I want a system that I can connect to from my home desktop/laptop on
    demand.

    Sort of 'thinking out loud' about this:-

    I suppose a USB 3G/4G dongle could provide the hardware required
    to make a mobile connection to the PI, recommendations?

    It has to 'connect on demand' dialling *to* the Pi, it can't keep
    the line open all the time, very expensive!

    So, is there software for Linux (and thus for the Pi) which will
    handle incoming calls to allow ssh login?

    How does one manage the other end? Is there Linux desktop
    software to allow one to dial up a remote system and then squirt
    ssh down the connection?

    Any/all ideas would be very welcome.

    I'm happy with fairly low-level stuff, I am a retired software
    engineer, grew up with Unix (solaris) command line and I'm also quite
    into home-build electronics projects.

    As I understand it, data connections (as opposed to voice connections) are permanently on and don't accrue connection charges. You get a standard
    amount of data per month that can be transferred over the connection, which varies according to the tariff.

    So you need a USB mobile data device and a SIM with a suitable data tariff. Then you need a means of connecting to the Pi, in the same way that you
    would if it was connected by Ethernet/wifi to your home network. VNC Server
    on the Pi and VNC Client on the computers that will connect to the Pi will
    give you a remote desktop. There may be ways of doing it with PuTTY or other
    ssh terminal apps, though I'm not sure how those handle you being connected
    by a public WAN rather than LAN: I've only used Juice SSH on my mobile phone for connecting to my Pi over my private LAN.

    Since you will be running the Pi headless, one little hint (in case you
    haven't discovered this already) with the Pi 4: you need to tell the Pi to
    boot even if it can't find a monitor connected by HDMI and to set the video mode which would normally be negotiated between Pi and monitor at boot time.

    modify /boot/config.txt:

    # allow Pi to boot with no monitor connected
    hdmi_force_hotplug=1
    # DMT timings (computer-monitor modes)
    hdmi_group=2
    # force 1920x1080x60 even though monitor can't be auto-detected
    hdmi_mode=82

  • From Chris Green@3:770/3 to The Natural Philosopher on Sun Dec 27 14:27:46 2020
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 12:42, Chris Green wrote:
    Are there any simple 3G/4G add-ons for a Pi that will allow it to
    power up into a mode where it has the ability to be connected to via
    the mobile data connection?

    I want a system that I can connect to from my home desktop/laptop on demand.

    Sort of 'thinking out loud' about this:-

    I suppose a USB 3G/4G dongle could provide the hardware required
    to make a mobile connection to the PI, recommendations?

    It has to 'connect on demand' dialling *to* the Pi, it can't keep
    the line open all the time, very expensive!

    Why? a smart phone sim is a charge per gigabyte, They are always on for
    data!

    So does just trying to connect *to* the device which has the data sim
    dongle wake up the connection? It means one needs a dynamic DNS
    service but that's not a big problem.



    So, is there software for Linux (and thus for the Pi) which will
    handle incoming calls to allow ssh login?

    Just use an IP capable dongle, forget about 'incoming calls' and ssh
    right in. Biggest problem will be on what IP address you appear.

    Yes, as I said it needs a dynamic DNS service but that's all.

    How does one manage the other end? Is there Linux desktop
    software to allow one to dial up a remote system and then squirt
    ssh down the connection?

    3G/4G is not 'dial up'!

    Any/all ideas would be very welcome.


    Look I think you have got the wrong end of the stick about how mobile IP works...where is this pi going to be? Do you have a fixed IP address on
    your ISP interface?

    I probably have got it all wrong! The Pi is actually a Beaglebone
    Black but that's irrelevant.

    All I want to do is be able to use ssh to connect *to* the BBB from
    home computers which have an internet connection. The BBB doesn't
    have WiFi available.


    It's almost impossible to set up a mobile connection to receive
    unsolicited IP. The mobile provider will absolutely do massive NAT. So
    you need the Pi to be always online and connected to something that you
    can contact, and then figure out a way to hijack the link. Just running
    keepalive packets won't break the bank.

    Currently it uses (rather flaky) marina WiFi and sets up ssh reverse
    tunnels by connecting to an intermediate system so that I can then
    connect *to* it via the intermediate system.

    I am looking for something more reliable.

    sshing in won't be trivial, but without knowing what you want to do with
    the pi it's hard to say whether you need to. For example, just polling a
    webserver, the pi could detect a request for data and upload it to the
    webserver where you could download it. Even to the point of downloading
    a command line off the server, executing it on the pi and sending stdout
    back to the server...


    I'm happy with fairly low-level stuff, I am a retired software
    engineer, grew up with Unix (solaris) command line and I'm also quite
    into home-build electronics projects.


    Start with the assumption that you can't open a connection to a mobile
    equipped pi, but 'always on' FROM the pi won't be costly.

    So, if one has 'always on' FROM the pi does that then just require
    some sort of dynamic dns service to be able to ssh *to* it?

    --
    Chris Green
    ·

  • From Chris Green@3:770/3 to me@privacy.invalid on Sun Dec 27 14:32:54 2020
    NY <me@privacy.invalid> wrote:
    "Chris Green" <cl@isbd.net> wrote in message news:83cmbh-3vl4.ln1@esprimo.zbmc.eu...
    Are there any simple 3G/4G add-ons for a Pi that will allow it to
    power up into a mode where it has the ability to be connected to via
    the mobile data connection?

    I want a system that I can connect to from my home desktop/laptop on demand.

    Sort of 'thinking out loud' about this:-

    I suppose a USB 3G/4G dongle could provide the hardware required
    to make a mobile connection to the PI, recommendations?

    It has to 'connect on demand' dialling *to* the Pi, it can't keep
    the line open all the time, very expensive!

    So, is there software for Linux (and thus for the Pi) which will
    handle incoming calls to allow ssh login?

    How does one manage the other end? Is there Linux desktop
    software to allow one to dial up a remote system and then squirt
    ssh down the connection?

    Any/all ideas would be very welcome.

    I'm happy with fairly low-level stuff, I am a retired software
    engineer, grew up with Unix (solaris) command line and I'm also quite
    into home-build electronics projects.

    As I understand it, data connections (as opposed to voice connections) are permanently on and don't accrue connection charges. You get a standard
    amount of data per month that can be transferred over the connection, which varies according to the tariff.

    Yes, I don't think I realised this and it makes a big difference! Do
    they care which direction the data goes?

    Does it have to be a 'data only' SIM for this to work or would any SIM
    with included data work OK?

    So you need a USB mobile data device and a SIM with a suitable data tariff. Then you need a means of connecting to the Pi, in the same way that you
    would if it was connected by Ethernet/wifi to your home network. VNC Server on the Pi and VNC Client on the computers that will connect to the Pi will give you a remote desktop. There may be ways of doing it with PuTTY or other ssh terminal apps, though I'm not sure how those handle you being connected by a public WAN rather than LAN: I've only used Juice SSH on my mobile phone for connecting to my Pi over my private LAN.

    I use ssh and command line for everything. Once both ends are
    connected to the internet it 'just works', that's what I want.


    Since you will be running the Pi headless, one little hint (in case you haven't discovered this already) with the Pi 4: you need to tell the Pi to boot even if it can't find a monitor connected by HDMI and to set the video mode which would normally be negotiated between Pi and monitor at boot time.

    Yes, I know, I run several Pis headless. It's a good reminder though,
    plus the real killer, the ssh daemon isn't enabled by default.


    --
    Chris Green
    ·

  • From Andy Burns@3:770/3 to Chris Green on Sun Dec 27 14:31:31 2020
    Chris Green wrote:

    Are there any simple 3G/4G add-ons for a Pi that will allow it to
    power up into a mode where it has the ability to be connected to via
    the mobile data connection?

    Not really, if the 4G connection is down, there's no remote way you can
    ask it to come up, you could do something custom like sending an SMS to
    the dongle (if the SIM supports SMS in addition to data) and have
    something running on the Pi to bring up the 4G connection in response
    (and maybe text you back the IP address it has)

    The other possible wrinkle is that even with the 4G connection up, it
    may be using CGNAT which doesn't allow inbound TCP connections, just
    outbound, so again you might homebrew something that brings up a VPN
    tunnel from the Pi end over the 4G, then you can connect through the
    tunnel ...

  • From Andy Burns@3:770/3 to Chris Green on Sun Dec 27 14:49:33 2020
    Chris Green wrote:

    So does just trying to connect *to* the device which has the data sim
    dongle wake up the connection?

    A *little* bit more than that, a lot of 4G dongles still pretend to be
    modems, using e.g. ATDT*99# command to "dial" the connection, no
    dialling takes place, but it's a convenient lie to allow a PPP daemon to
    bring up the 4G connection and get an IP addr etc.

    It means one needs a dynamic DNS
    service but that's not a big problem.

    That'll work, provided your mobile provider gives you a public IP
    address, not a private one that's NATed.
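
Added example (not part of any post in this thread): a check for the condition stated above, that dynamic DNS only helps when the dongle holds a public address rather than a NATed one. The function names and the sample addresses are constructed for illustration; documentation-range addresses stand in for real carrier addresses.

```python
import ipaddress

# IPv4 ranges that cannot receive unsolicited traffic from the Internet.
RANGES_V4 = [
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),     # RFC 6598, carrier-grade NAT
    ("private", ipaddress.ip_network("10.0.0.0/8")),      # RFC 1918
    ("private", ipaddress.ip_network("172.16.0.0/12")),   # RFC 1918
    ("private", ipaddress.ip_network("192.168.0.0/16")),  # RFC 1918
    ("local", ipaddress.ip_network("127.0.0.0/8")),       # loopback
    ("local", ipaddress.ip_network("169.254.0.0/16")),    # link-local
]
GLOBAL_V6 = ipaddress.ip_network("2000::/3")              # IPv6 global unicast


def classify(addr):
    """Label an address as 'cgnat', 'private', 'local' or 'public'.

    Only the ranges relevant to this question are checked, so the
    documentation ranges used as samples below count as 'public'.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "public" if ip in GLOBAL_V6 else "local"
    for label, net in RANGES_V4:
        if ip in net:
            return label
    return "public"


def reachability(interface_addr, seen_by_server):
    """Return (verdict, reason) for reaching the device from outside.

    interface_addr: address on the modem interface (ppp0/wwan0) once it is up.
    seen_by_server: source address a host on the Internet logged when the
                    device connected out to it.
    """
    kind = classify(interface_addr)
    translated = (ipaddress.ip_address(interface_addr)
                  != ipaddress.ip_address(seen_by_server))
    if kind == "public" and not translated:
        return "direct", "public and not rewritten: dynamic DNS plus inbound ssh can work"
    if kind == "public":
        return "tunnel", "address is rewritten on the way out: a NAT sits in the path"
    if kind == "local":
        return "tunnel", "interface has no routable address"
    return "tunnel", (f"{kind} address: inbound is blocked unless the operator "
                      "maps a fixed public address to this SIM")


# Constructed samples: (address on the interface, address seen by a server).
SAMPLES = [
    ("100.72.14.9", "203.0.113.50"),    # carrier-grade NAT
    ("10.131.4.2", "203.0.113.50"),     # private addressing behind operator NAT
    ("198.51.100.7", "203.0.113.50"),   # public-looking but still translated
    ("203.0.113.50", "203.0.113.50"),   # genuinely public
    ("2001:db8::10", "2001:db8::10"),   # global IPv6, untranslated
]


def report(samples=SAMPLES):
    """Summarise each sample as (interface address, class, verdict)."""
    return [(iface, classify(iface), reachability(iface, seen)[0])
            for iface, seen in samples]


if __name__ == "__main__":
    for row in report():
        print(*row, sep="\t")
```

A "tunnel" verdict means the device has to open the connection itself, for example with a reverse ssh tunnel or VPN to a host that does have a public address.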

  • From The Natural Philosopher@3:770/3 to David Higton on Sun Dec 27 15:09:23 2020
    On 27/12/2020 14:12, David Higton wrote:
    In message <83cmbh-3vl4.ln1@esprimo.zbmc.eu>
    Chris Green <cl@isbd.net> wrote:

    Are there any simple 3G/4G add-ons for a Pi that will allow it to power up into a mode where it has the ability to be connected to via the mobile data connection?

    I want a system that I can connect to from my home desktop/laptop on
    demand.

    Sort of 'thinking out loud' about this:-

    I suppose a USB 3G/4G dongle could provide the hardware required
    to make a mobile connection to the PI, recommendations?

    It has to 'connect on demand' dialling *to* the Pi, it can't keep
    the line open all the time, very expensive!

    So, is there software for Linux (and thus for the Pi) which will
    handle incoming calls to allow ssh login?

    How does one manage the other end? Is there Linux desktop
    software to allow one to dial up a remote system and then squirt
    ssh down the connection?

    Any/all ideas would be very welcome.

    I'm happy with fairly low-level stuff, I am a retired software engineer,
    grew up with Unix (solaris) command line and I'm also quite into home-build electronics projects.

    It seems very much to me that this depends on whether the Pi can have
    a fixed IP address, or be behind a router that supports Dynamic DNS.
    If either of those is true, you can ssh to it easily.

    If you have no idea of its IP address, then it gets somewhat harder.

    By definition on a mobile network it's behind a HUGE NAT proxy. Unless
    you are supremely lucky and you get an IPV6 address


    Tell us a bit more about the Pi's connectivity, and we may be able to
    help you more.

    David



    --
    Truth welcomes investigation because truth knows investigation will lead
    to converts. It is deception that uses all the other techniques.

  • From Joe@3:770/3 to Chris Green on Sun Dec 27 15:08:09 2020
    On Sun, 27 Dec 2020 14:27:46 +0000
    Chris Green <cl@isbd.net> wrote:

    The Natural Philosopher <tnp@invalid.invalid> wrote:

    Just use an IP capable dongle, forget about 'incoming calls' and ssh
    right in. Biggest problem will be on what IP address you appear.

    Yes, as I said it needs a dynamic DNS service but that's all.


    It is possible to get a fixed, public IP address on a 4G SIM, but it
    takes a bit of finding. Even then, the actual IP address is dynamic and private, but the 4G operator runs a NAT server to accept calls on a
    fixed public address and route them to the SIM.

    It's a common requirement, and the magic codeword is 'M2M' (machine to machine). You'll probably need to go to a specialist SIM provider, the
    average high-street phone shop salesman won't have a clue what you're
    talking about.

    --
    Joe

  • From Andy Burns@3:770/3 to Andy Burns on Sun Dec 27 14:34:49 2020
    Andy Burns wrote:

    if the 4G connection is down, there's no remote way you can
    you could do something custom like sending an SMS to
    the dongle [...] and have
    something running on the Pi to bring up the 4G connection
    But all-in-all, I think I'd just nail the VPN and/or 4G up all the time.

  • From The Natural Philosopher@3:770/3 to Chris Green on Sun Dec 27 15:21:50 2020
    On 27/12/2020 14:27, Chris Green wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 12:42, Chris Green wrote:
    Are there any simple 3G/4G add-ons for a Pi that will allow it to
    power up into a mode where it has the ability to be connected to via
    the mobile data connection?

    I want a system that I can connect to from my home desktop/laptop on
    demand.

    Sort of 'thinking out loud' about this:-

    I suppose a USB 3G/4G dongle could provide the hardware required
    to make a mobile connection to the PI, recommendations?

    It has to 'connect on demand' dialling *to* the Pi, it can't keep
    the line open all the time, very expensive!

    Why? a smart phone sim is a charge per gigabyte, They are always on for
    data!

    So does just trying to connect *to* the device which has the data sim
    dongle wake up the connection? It means one needs a dynamic DNS
    service but that's not a big problem.



    So, is there software for Linux (and thus for the Pi) which will
    handle incoming calls to allow ssh login?

    Just use an IP capable dongle, forget about 'incoming calls' and ssh
    right in. Biggest problem will be on what IP address you appear.

    Yes, as I said it needs a dynamic DNS service but that's all.

    How does one manage the other end? Is there Linux desktop
    software to allow one to dial up a remote system and then squirt
    ssh down the connection?

    3G/4G is not 'dial up'!

    Any/all ideas would be very welcome.


    Look I think you have got the wrong end of the stick about how mobile IP
    works...where is this pi going to be? Do you have a fixed IP address on
    your ISP interface?

    I probably have got it all wrong! The Pi is actually a Beaglebone
    Black but that's irrelevant.

    All I want to do is be able to use ssh to connect *to* the BBB from
    home computers which have an internet connection. The BBB doesn't
    have WiFi available.


    It's almost impossible to set up a mobile connection to receive
    unsolicited IP. The mobile provider will absolutely do massive NAT. So
    you need the Pi to be always online and connected to something that you
    can contact, and then figure out a way to hijack the link. Just running
    keepalive packets won't break the bank.

    Currently it uses (rather flaky) marina WiFi and sets up ssh reverse
    tunnels by connecting to an intermediate system so that I can then
    connect *to* it via the intermediate system.

    I am looking for something more reliable.

    sshing in won't be trivial, but without knowing what you want to do with
    the pi it's hard to say whether you need to. For example, just polling a
    webserver, the pi could detect a request for data and upload it to the
    webserver where you could download it. Even to the point of downloading
    a command line off the server, executing it on the pi and sending stdout
    back to the server...


    I'm happy with fairly low-level stuff, I am a retired software
    engineer, grew up with Unix (solaris) command line and I'm also quite
    into home-build electronics projects.


    Start with the assumption that you can't open a connection to a mobile
    equipped pi, but 'always on' FROM the pi won't be costly.

    So, if one has 'always on' FROM the pi does that then just require
    some sort of dynamic dns service to be able to ssh *to* it?

    No, not even that will work.

    Because that will take you to the ISP's NAT router and there will be no
    way to route onward to the Pi.

    *Only if the Pi initiates the connection* will the NAT router set up a
    mapping between public IP/port and PI IP/port.

    It's analogous to your current wifi setup. The Pi will have to be online
    and permanently connected in some way to a publicly accessible server
    that you can use as a gateway.

    That's how stuff like whatsapp or wificalling or skype work on a mobile,
    they are constantly polling a server registering what ip address and
    socket they can be accessed on and when another phone contacts the
    server it simply proxies the traffic or possibly tells them what ip to use.

    You will need a server in public internet space I think. A virtual
    private server can be VERY cheap if all you are running in it is a gateway.

    I am not up in VPS so I would code up some custom daemon on one of my
    VPSes. Then your clients would contact that daemon which would 'know'
    where the Pi was, and perhaps start relaying packets down the pipe to the
    pi.


    --
    Truth welcomes investigation because truth knows investigation will lead
    to converts. It is deception that uses all the other techniques.
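
Added example (not part of any post in this thread): a loopback sketch of the gateway arrangement described above, in which the device dials out, the public server parks that connection, and a client is spliced onto it. `Relay`, `device_session`, the shared secret and the upper-casing handler are hypothetical stand-ins; in real use the spliced bytes would be an ssh session, which still authenticates end to end.

```python
import asyncio
import hashlib
import hmac
import os

NONCE_LEN = 16
MAC_LEN = hashlib.sha256().digest_size
DROPPED = (asyncio.IncompleteReadError, asyncio.TimeoutError, OSError)


def tag(secret, nonce):
    """HMAC-SHA256 over the relay's nonce: proves knowledge of the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


async def pump(reader, writer):
    """Copy one direction until the source closes, then close the sink."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()


class Relay:
    """Public gateway: parks the device's outbound link, splices clients on."""

    def __init__(self, secret):
        self.secret = secret
        self.parked = None                  # (reader, writer) of the device
        self.registered = asyncio.Event()

    async def start(self, host="127.0.0.1"):
        device_srv = await asyncio.start_server(self.on_device, host, 0)
        client_srv = await asyncio.start_server(self.on_client, host, 0)
        self.device_port = device_srv.sockets[0].getsockname()[1]
        self.client_port = client_srv.sockets[0].getsockname()[1]

    async def on_device(self, reader, writer):
        nonce = os.urandom(NONCE_LEN)
        writer.write(nonce)
        try:
            mac = await asyncio.wait_for(reader.readexactly(MAC_LEN), 5)
        except DROPPED:
            mac = b""
        if not hmac.compare_digest(mac, tag(self.secret, nonce)):
            writer.close()                  # unauthenticated caller is never parked
            return
        if self.parked is not None:
            self.parked[1].close()          # newest registration replaces the old
        self.parked = (reader, writer)
        self.registered.set()

    async def on_client(self, reader, writer):
        device, self.parked = self.parked, None
        if device is None:
            writer.close()                  # no device online: nothing to route to
            return
        await asyncio.gather(pump(reader, device[1]), pump(device[0], writer))


async def device_session(port, secret, handler, host="127.0.0.1"):
    """Device side: dial OUT, authenticate, answer one relayed request."""
    reader, writer = await asyncio.open_connection(host, port)
    try:
        writer.write(tag(secret, await reader.readexactly(NONCE_LEN)))
        request = await asyncio.wait_for(reader.read(4096), 5)
        if request:
            writer.write(handler(request))  # handler stands in for local sshd
            await writer.drain()
        return bool(request)                # empty read: the relay hung up on us
    except DROPPED:
        return False
    finally:
        writer.close()


async def _demo(device_secret, relay_secret):
    relay = Relay(relay_secret)
    await relay.start()
    dev = asyncio.create_task(device_session(relay.device_port, device_secret, bytes.upper))
    parked = asyncio.create_task(relay.registered.wait())
    # Wait until the device is parked, or has been rejected and given up.
    await asyncio.wait({dev, parked}, timeout=2, return_when=asyncio.FIRST_COMPLETED)
    reader, writer = await asyncio.open_connection("127.0.0.1", relay.client_port)
    writer.write(b"uptime\n")               # constructed request
    try:
        reply = await asyncio.wait_for(reader.read(4096), 5)
    except DROPPED:
        reply = b""
    writer.close()
    return await dev, reply


def demo(device_secret, relay_secret=b"constructed-shared-secret"):
    """Run relay, device and client on loopback: (device_ok, client_reply)."""
    return asyncio.run(_demo(device_secret, relay_secret))
```

Calling `demo()` with the matching secret returns the relayed reply; with any other secret the device is never parked and the client gets nothing. On a real server the client-side listener would stay bound to loopback and be reached over ssh to that server.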

  • From Chris Green@3:770/3 to Andy Burns on Sun Dec 27 15:26:59 2020
    Andy Burns <usenet@andyburns.uk> wrote:
    Chris Green wrote:

    So does just trying to connect *to* the device which has the data sim dongle wake up the connection?

    A *little* bit more than that, a lot of 4G dongles still pretend to be modems, using e.g. ATDT*99# command to "dial" the connection, no
    dialling takes place, but it's a convenient lie to allow a PPP daemon to bring up the 4G connection and get an IP addr etc.

    It means one needs a dynamic DNS
    service but that's not a big problem.

    That'll work, provided your mobile provider gives you a public IP
    address, not a private one that's NATed.

    Or I can do what I already do out through the marina WiFi, set up
    reverse ssh tunnels. That might actually be the way to do it anyway
    as it avoids the need for dynamic DNS.


    --
    Chris Green
    ·

  • From The Natural Philosopher@3:770/3 to Joe on Sun Dec 27 15:28:15 2020
    On 27/12/2020 15:08, Joe wrote:
    On Sun, 27 Dec 2020 14:27:46 +0000
    Chris Green <cl@isbd.net> wrote:

    The Natural Philosopher <tnp@invalid.invalid> wrote:

    Just use an IP capable dongle, forget about 'incoming calls' and ssh
    right in. Biggest problem will be on what IP address you appear.

    Yes, as I said it needs a dynamic DNS service but that's all.


    It is possible to get a fixed, public IP address on a 4G SIM, but it
    takes a bit of finding. Even then, the actual IP address is dynamic and private, but the 4G operator runs a NAT server to accept calls on a
    fixed public address and route them to the SIM.

    It's a common requirement, and the magic codeword is 'M2M' (machine to machine). You'll probably need to go to a specialist SIM provider, the average high-street phone shop salesman won't have a clue what you're
    talking about.

    That I did NOT know. That simplifies everything


    --
    “The ultimate result of shielding men from the effects of folly is to
    fill the world with fools.”

    Herbert Spencer

  • From The Natural Philosopher@3:770/3 to Andy Burns on Sun Dec 27 15:26:02 2020
    On 27/12/2020 14:49, Andy Burns wrote:
    Chris Green wrote:

    So does just trying to connect *to* the device which has the data sim
    dongle wake up the connection?

    A *little* bit more than that, a lot of 4G dongles still pretend to be modems, using e.g. ATDT*99# command to "dial" the connection, no
    dialling takes place, but it's a convenient lie to allow a PPP daemon to bring up the 4G connection and get an IP addr etc.

    It means one needs a dynamic DNS
    service but that's not a big problem.

    That'll work, provided your mobile provider gives you a public IP
    address, not a private one that's NATed.
    That's a very very big IF.

    I run a few public websites and trawls through the logs have happened
    when they have been DOSed

    All IP ranges from mobile devices have been NATed. It is extremely rare
    to find *anyone* actually not behind a NAT router - some big companies.

    Obviously if YOU control the NAT router not the mobile ISP, and THAT has
    a fixed IP address you can set up an inbound connection but not many
    people do.

    --
    Future generations will wonder in bemused amazement that the early
    twenty-first century’s developed world went into hysterical panic over a globally average temperature increase of a few tenths of a degree, and,
    on the basis of gross exaggerations of highly uncertain computer
    projections combined into implausible chains of inference, proceeded to contemplate a rollback of the industrial age.

    Richard Lindzen

  • From Chris Green@3:770/3 to Andy Burns on Sun Dec 27 15:36:02 2020
    Andy Burns <usenet@andyburns.uk> wrote:
    Chris Green wrote:

    Are there any simple 3G/4G add-ons for a Pi that will allow it to
    power up into a mode where it has the ability to be connected to via
    the mobile data connection?

    Not really, if the 4G connection is down, there's no remote way you can
    ask it to come up, you could do something custom like sending an SMS to
    the dongle (if the SIM supports SMS in addition to data) and have
    something running on the Pi to bring up the 4G connection in response
    (and maybe text you back the IP address it has)

    The other possible wrinkle is that even with the 4G connection up, it
    may be using CGNAT which doesn't allow inbound TCP connections, just outbound, so again you might homebrew something that brings up a VPN
    tunnel from the Pi end over the 4G, then you can connect through the
    tunnel ...

    I already run ssh tunnels from the Pi (well it's a BBB actually) to
    get through the NAT'ted WiFi connection so I can easily do the same to
    use the 3G/4G.

    --
    Chris Green
    ·

  • From The Natural Philosopher@3:770/3 to Chris Green on Sun Dec 27 15:58:42 2020
    On 27/12/2020 15:26, Chris Green wrote:
    Andy Burns <usenet@andyburns.uk> wrote:
    Chris Green wrote:

    So does just trying to connect *to* the device which has the data sim
    dongle wake up the connection?

    A *little* bit more than that, a lot of 4G dongles still pretend to be
    modems, using e.g. ATDT*99# command to "dial" the connection, no
    dialling takes place, but it's a convenient lie to allow a PPP daemon to
    bring up the 4G connection and get an IP addr etc.

    It means one needs a dynamic DNS
    service but that's not a big problem.

    That'll work, provided your mobile provider gives you a public IP
    address, not a private one that's NATed.

    Or I can do what I already do out through the marina WiFi, set up
    reverse ssh tunnels. That might actually be the way to do it anyway
    as it avoids the need for dynamic DNS.


    That should work purrfect if you know how to do it, I don't


    --
    There is nothing a fleet of dispatchable nuclear power plants cannot do
    that cannot be done worse and more expensively and with higher carbon
    emissions and more adverse environmental impact by adding intermittent renewable energy.

  • From Chris Green@3:770/3 to The Natural Philosopher on Sun Dec 27 16:02:27 2020
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 15:08, Joe wrote:
    On Sun, 27 Dec 2020 14:27:46 +0000
    Chris Green <cl@isbd.net> wrote:

    The Natural Philosopher <tnp@invalid.invalid> wrote:

    Just use an IP capable dongle forget about 'incoming calls' and ssh
    right in. Biggest problem will be on what IP address you appear,

    Yes, as I said it needs a dynamic DNS service but that's all.


    It is possible to get a fixed, public IP address on a 4G SIM, but it
    takes a bit of finding. Even then, the actual IP address is dynamic and private, but the 4G operator runs a NAT server to accept calls on a
    fixed public address and route them to the SIM.

    It's a common requirement, and the magic codeword is 'M2M' (machine to machine). You'll probably need to go to a specialist SIM provider, the average high-street phone shop salesman won't have a clue what you're talking about.

    That I did NOT know. That simplifies everything

    I think it's quite expensive (M2M that is).

    --
    Chris Green
    ·

  • From Chris Green@3:770/3 to The Natural Philosopher on Sun Dec 27 16:07:21 2020
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    Start with the assumption that you can't open a connection to a mobile
    equipped pi, but 'always on' FROM the pi won't be costly.

    So, if one has 'always on' FROM the pi does that then just require
    some sort of dynamic dns service to be able to ssh *to* it?

    No, not even that will work.

    Because that will take you to the ISP's NAT router and there will be no
    way to route onward to the Pi.

    *Only if the Pi initiates the connection* will the NAT router set up a mapping between public IP/port and PI IP/port.

    It's analogous to your current wifi setup. The Pi will have to be online
    and permanently connected in some way to a publicly accessible server
    that you can use as a gateway.

    OK, my current WiFi set up is (as a mobile connection would be) behind
    a NAT router and I set up reverse ssh tunnels to allow me to connect
    'on demand' to the Pi (BBB). So I can do exactly the same using the
    mobile data connection.

    Will the mobile provider object to the connection being up all the
    time but with virtually no data going through it?

    --
    Chris Green
    ·

  • From Chris Green@3:770/3 to The Natural Philosopher on Sun Dec 27 16:01:40 2020
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 14:49, Andy Burns wrote:
    Chris Green wrote:

    So does just trying to connect *to* the device which has the data sim
    dongle wake up the connection?

    A *little* bit more than that, a lot of 4G dongles still pretend to be modems, using e.g. ATDT*99# command to "dial" the connection, no
    dialling takes place, but it's a convenient lie to allow a PPP daemon to bring up the 4G connection and get an IP addr etc.

    It means one needs a dynamic DNS
    service but that's not a big problem.

    That'll work, provided your mobile provider gives you a public IP
    address, not a private one that's NATed.
    That's a very very big IF.

    I run a few public websites and trawls through the logs have happened
    when they have been DOSed

    All IP ranges from mobile devices have been NATed. It is extremely rare
    to find *anyone* actually not behind a NAT router - some big companies.

    Obviously if YOU control the NAT router not the mobile ISP, and THAT has
    a fixed IP address you can set up an inbound connection but not many
    people do.

    OP here. Yes, I get through a NAT router firewall already when
    connecting via the (unreliable) marina WiFi by using ssh tunnelling.

    The Pi (well BBB actually) makes an ssh connection out to an
    intermediate system where I have an ssh login account and sets up
    reverse tunnels to allow ssh from the 'outside' back into the BBB. It
    works well apart from the marina WiFi disappearing at intervals.

    --
    Chris Green
    ·

  • From Martin Gregorie@3:770/3 to Chris Green on Sun Dec 27 16:40:16 2020
    On Sun, 27 Dec 2020 16:02:27 +0000, Chris Green wrote:

    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 15:08, Joe wrote:
    On Sun, 27 Dec 2020 14:27:46 +0000 Chris Green <cl@isbd.net> wrote:

    The Natural Philosopher <tnp@invalid.invalid> wrote:

    Just use an IP capable dongle forget about 'incoming calls' and ssh
    right in. Biggest problem will be on what IP address you appear,

    Yes, as I said it needs a dynamic DNS service but that's all.


    It is possible to get a fixed, public IP address on a 4G SIM, but it
    takes a bit of finding. Even then, the actual IP address is dynamic
    and private, but the 4G operator runs a NAT server to accept calls on
    a fixed public address and route them to the SIM.

    It's a common requirement, and the magic codeword is 'M2M' (machine
    to machine). You'll probably need to go to a specialist SIM provider,
    the average high-street phone shop salesman won't have a clue what
    you're talking about.

    That I did NOT know. That simplifies everything

    I think it's quite expensive (M2M that is).

    Nah, 3G/4G dongles are only as expensive as you want to make them.

    A quick web search shows that they are available from eBay and Amazon.
    The magic search term is "3G 4G dongle", which gets you links to 3G/4G
    devices that look very similar to USB memory sticks.

    Typically they use both 2.4 and 5 GHz bands and some also support
    Bluetooth connectivity. Prices seem to range from around GBP 13.00
    upwards to *HOW MUCH???*. They do purely data comms, of course, and
    would seem to provide much the same connectivity as any mains-powered wifi
    router except for being smaller, lighter, powered from whatever it's
    plugged into and (quite probably) only provides a single connection to
    the network.

    IOW it does about the same job as the wifi link on a Pi 3, 4 or Zero W
    except that it preferentially connects to a 3G or 4G base station rather
    than to the nearest wifi router.


    --
    --
    Martin | martin at
    Gregorie | gregorie dot org

  • From Ahem A Rivet's Shot@3:770/3 to Chris Green on Sun Dec 27 16:24:17 2020
    On Sun, 27 Dec 2020 15:26:59 +0000
    Chris Green <cl@isbd.net> wrote:

    Or I can do what I already do out through the marina WiFi, set up
    reverse ssh tunnels. That might actually be the way to do it anyway
    as it avoids the need for dynamic DNS.

    That or tunnel an IPv6 connection in from Hurricane Electric and
    have a routed /64 to play with (or even a /48).

    --
    Steve O'Hara-Smith | Directable Mirror Arrays C:\>WIN | A better way to focus the sun
    The computer obeys and wins. | licences available see
    You lose and Bill collects. | http://www.sohara.org/

  • From Martin Gregorie@3:770/3 to Martin Gregorie on Sun Dec 27 16:51:55 2020
    On Sun, 27 Dec 2020 16:40:16 +0000, Martin Gregorie wrote:

    IOW it does about the same job as the wifi link on a Pi 3, 4 or Zero W
    except that it preferentially connects to a 3G or 4G base station rather
    than to the nearest wifi router.

    I meant to add: Most 3G/4G dongles come with software, but at least some
    of them say 'iOS and Windows only', i.e. no Linux driver supplied, but
    there are, or were, OSS drivers/FTP equivalent programs available for
    Linux: I remember trying to use one back in 2005 - the software and
    dongle seemed to work OK and connect to the phone network, but where I
    was, out in the sticks, the connection was unusably slow.


    --
    --
    Martin | martin at
    Gregorie | gregorie dot org

  • From Theo@3:770/3 to Chris Green on Sun Dec 27 16:59:18 2020
    Chris Green <cl@isbd.net> wrote:
    OK, my current WiFi set up is (as a mobile connection would be) behind
    a NAT router and I set up reverse ssh tunnels to allow me to connect
    'on demand' to the Pi (BBB). So I can do exactly the same using the
    mobile data connection.

    Will the mobile provider object to the connection being up all the
    time but with virtually no data going through it?

    Mobile networks are often quite aggressive at killing idle connections
    through their CG-NAT - 30 seconds idle is common, for example. To avoid
    that you have to send keepalives, which will gradually consume your data allowance.

    Sending packets from your device is fine - you can just set up a new connection. But receiving is difficult if the NAT mapping has gone away, so the external machine can't reach you. I'm not sure if there's a VPN
    protocol that handles this appropriately without using keepalives.

    It may be that using IPv6 avoids this problem.

    Theo
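The reverse tunnel through CGNAT and the keepalive cost discussed in the posts above, as an added example that is not part of any poster's message: the device dials out, keeps the NAT mapping alive, and the relay-side key is restricted to that one forward. The relay host name, account, port 2222 and key path are constructed placeholders; the 30-second idle timeout and 1500-byte keepalive figure are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: device-side reverse SSH tunnel through CGNAT, with keepalives.
# Constructed values (assumptions): relay host, relay user, ports, key path.
RELAY_HOST="relay.example.net"     # public machine you control (placeholder)
RELAY_USER="tunnel"                # unprivileged account used only for the tunnel
RELAY_LISTEN_PORT=2222             # port opened on the relay for the way back in
LOCAL_SSH_PORT=22                  # sshd on the Pi/BBB
KEY_FILE="/etc/tunnel/id_ed25519"  # dedicated key, used for nothing else
NAT_IDLE_TIMEOUT=30                # idle seconds before the NAT mapping goes (thread figure)
KEEPALIVE_BYTES=1500               # pessimistic per-keepalive cost (thread figure)

# Keepalive interval: half the NAT idle timeout, never below 1 second.
keepalive_interval() {
    ki_interval=$(( $1 / 2 ))
    if [ "$ki_interval" -lt 1 ]; then ki_interval=1; fi
    echo "$ki_interval"
}

# Keepalive traffic per day in kB for an interval (s) and bytes per keepalive.
keepalive_kb_per_day() {
    echo $(( 86400 / $1 * $2 / 1000 ))
}

# Reconnect delay: double each time, capped at 300 s, so a dead link does not
# spend the data allowance on repeated SSH handshakes.
next_backoff() {
    nb_next=$(( $1 * 2 ))
    if [ "$nb_next" -gt 300 ]; then nb_next=300; fi
    echo "$nb_next"
}

# ssh arguments for the device side, one per line.
#   -N -T                     no remote command, no terminal: forwarding only
#   BatchMode                 never prompt (the box is headless)
#   StrictHostKeyChecking     refuse a relay whose host key is not already known
#   ExitOnForwardFailure      exit if the relay port cannot be bound, so the
#                             loop retries instead of idling with no tunnel
#   ServerAlive*              keepalives inside the encrypted channel
tunnel_ssh_args() {
    printf '%s\n' \
        -N -T \
        -i "$KEY_FILE" \
        -o BatchMode=yes \
        -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes \
        -o ExitOnForwardFailure=yes \
        -o "ServerAliveInterval=$(keepalive_interval "$NAT_IDLE_TIMEOUT")" \
        -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${RELAY_LISTEN_PORT}:127.0.0.1:${LOCAL_SSH_PORT}" \
        "${RELAY_USER}@${RELAY_HOST}"
}

# Line for ~tunnel/.ssh/authorized_keys on the relay. "restrict" turns off
# pty, agent, X11 and all forwarding; "port-forwarding" turns forwarding back
# on; "permitlisten" limits -R to this one port; command= stops the key from
# running anything. sshd's default GatewayPorts=no keeps the listener on loopback.
relay_authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' \
        "$RELAY_LISTEN_PORT" "$1"
}

# Keep the tunnel up for as long as the device is powered.
run_tunnel() {
    rt_delay=5
    while :; do
        rt_start=$(date +%s)
        # Arguments contain no whitespace by construction, so splitting is safe.
        ssh $(tunnel_ssh_args) || true
        rt_ran=$(( $(date +%s) - rt_start ))
        # A session that lasted a minute or more was healthy: restart the backoff.
        if [ "$rt_ran" -ge 60 ]; then rt_delay=5; fi
        sleep "$rt_delay"
        rt_delay=$(next_backoff "$rt_delay")
    done
}

# Start the loop only when invoked as "script run", so sourcing has no side effects.
if [ "${1:-}" = "run" ]; then
    echo "keepalive every $(keepalive_interval "$NAT_IDLE_TIMEOUT") s," \
         "at most $(keepalive_kb_per_day "$(keepalive_interval "$NAT_IDLE_TIMEOUT")" "$KEEPALIVE_BYTES") kB/day"
    run_tunnel
fi
```

With the tunnel up, a login on the relay reaches the device with `ssh -p 2222 user@127.0.0.1`; the device's own sshd still authenticates that login, so the relay account never holds credentials for the device.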

  • From druck@3:770/3 to Chris Green on Sun Dec 27 17:02:04 2020
    On 27/12/2020 15:26, Chris Green wrote:
    Or I can do what I already do out through the marina WiFi, set up
    reverse ssh tunnels. That might actually be the way to do it anyway
    as it avoids the need for dynamic DNS.

    Or even better, use OpenVPN to allow the remote device to appear on your
    local network. If your router supports OpenVPN, use that, otherwise run
    it on a Raspberry Pi.

    ---druck

  • From crn@nospam.com@3:770/3 to Ahem A Rivet's Shot on Sun Dec 27 17:11:49 2020
    Ahem A Rivet's Shot <steveo@eircom.net> wrote:
    On Sun, 27 Dec 2020 15:26:59 +0000
    Chris Green <cl@isbd.net> wrote:

    Or I can do what I already do out through the marina WiFi, set up
    reverse ssh tunnels. That might actually be the way to do it anyway
    as it avoids the need for dynamic DNS.

    That or tunnel an IPv6 connection in from Hurricane Electric and
    have a routed /64 to play with (or even a /48).

    How much do they charge for the /48 after you get the free tunnel ?

  • From Theo@3:770/3 to Martin Gregorie on Sun Dec 27 17:01:10 2020
    Martin Gregorie <martin@mydomain.invalid> wrote:
    On Sun, 27 Dec 2020 16:02:27 +0000, Chris Green wrote:
    I think it's quite expensive (M2M that is).

    Nah, 3G/4G dongles are only as expensive as you want to make them.

    Hardware is cheap, a machine2machine airtime contract may not be.

    Theo

  • From Chris Green@3:770/3 to Martin Gregorie on Sun Dec 27 18:05:45 2020
    Martin Gregorie <martin@mydomain.invalid> wrote:
    On Sun, 27 Dec 2020 16:02:27 +0000, Chris Green wrote:

    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 15:08, Joe wrote:
    On Sun, 27 Dec 2020 14:27:46 +0000 Chris Green <cl@isbd.net> wrote:

    The Natural Philosopher <tnp@invalid.invalid> wrote:

    Just use an IP capable dongle forget about 'incoming calls' and ssh
    right in. Biggest problem will be on what IP address you appear,

    Yes, as I said it needs a dynamic DNS service but that's all.


    It is possible to get a fixed, public IP address on a 4G SIM, but it
    takes a bit of finding. Even then, the actual IP address is dynamic
    and private, but the 4G operator runs a NAT server to accept calls on
    a fixed public address and route them to the SIM.

    It's a common requirement, and the magic codeword is 'M2M' (machine
    to machine). You'll probably need to go to a specialist SIM provider,
    the average high-street phone shop salesman won't have a clue what
    you're talking about.

    That I did NOT know. That simplifies everything

    I think it's quite expensive (M2M that is).

    Nah, 3G/4G dongles are only as expensive as you want to make them.

    Dongles are as cheap as chips, it's the M2M SIM that costs.

    --
    Chris Green
    ·

  • From Chris Green@3:770/3 to druck on Sun Dec 27 18:04:03 2020
    druck <news@druck.org.uk> wrote:
    On 27/12/2020 15:26, Chris Green wrote:
    Or I can do what I already do out through the marina WiFi, set up
    reverse ssh tunnels. That might actually be the way to do it anyway
    as it avoids the need for dynamic DNS.

    Or even better, use OpenVPN to allow the remote device to appear on your local network. If your router supports OpenVPN, use that, otherwise run
    it on a Raspberry Pi.

    Whenever I try to understand how to configure OpenVPN I rapidly get
    lost.

    Presumably I'd run the remote Pi (the one on the boat in France) as a
    VPN client and have the VPN server running on my home LAN somewhere.
    I have two Pis already on my home LAN, one of them is a Pi 4, would
    that be OK to run Open VPN server?

    Does an Open VPN server play nicely with an existing LAN whose DNS and
    DHCP is provided by (yet) another Pi on the LAN? I.e. does everything
    else work as before locally with just the addition of the remote
    system so that it adds itself to the existing LAN?

    --
    Chris Green
    ·

  • From Chris Green@3:770/3 to Theo on Sun Dec 27 18:08:47 2020
    Theo <theom+news@chiark.greenend.org.uk> wrote:
    Chris Green <cl@isbd.net> wrote:
    OK, my current WiFi set up is (as a mobile connection would be) behind
    a NAT router and I set up reverse ssh tunnels to allow me to connect
    'on demand' to the Pi (BBB). So I can do exactly the same using the
    mobile data connection.

    Will the mobile provider object to the connection being up all the
    time but with virtually no data going through it?

    Mobile networks are often quite aggressive at killing idle connections through their CG-NAT - 30 seconds idle is common, for example. To avoid
    that you have to send keepalives, which will gradually consume your data allowance.

    But a keepalive is only a character (or two), even if it sends a TCP
    packet as a result that's 1500 bytes. Say 600 keepalives per Mb,
    that's only a few Mb per day which shouldn't cost too much.

    --
    Chris Green
    ·

  • From Martin Gregorie@3:770/3 to Chris Green on Sun Dec 27 19:56:44 2020
    On Sun, 27 Dec 2020 18:05:45 +0000, Chris Green wrote:

    Martin Gregorie <martin@mydomain.invalid> wrote:
    On Sun, 27 Dec 2020 16:02:27 +0000, Chris Green wrote:

    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 15:08, Joe wrote:
    On Sun, 27 Dec 2020 14:27:46 +0000 Chris Green <cl@isbd.net>
    wrote:

    The Natural Philosopher <tnp@invalid.invalid> wrote:

    Just use an IP capable dongle forget about 'incoming calls' and
    ssh right in. Biggest problem will be on what IP address you
    appear,

    Yes, as I said it needs a dynamic DNS service but that's all.


    It is possible to get a fixed, public IP address on a 4G SIM, but
    it takes a bit of finding. Even then, the actual IP address is
    dynamic and private, but the 4G operator runs a NAT server to
    accept calls on a fixed public address and route them to the SIM.

    It's a common requirement, and the magic codeword is 'M2M'
    (machine to machine). You'll probably need to go to a specialist
    SIM provider,
    the average high-street phone shop salesman won't have a clue what
    you're talking about.

    That I did NOT know. That simplifies everything

    I think it's quite expensive (M2M that is).

    Nah, 3G/4G dongles are only as expensive as you want to make them.

    Dongles are as cheap as chips, it's the M2M SIM that costs.

    Not all of 'em by any means - Amazon prices seem to run from 13 quid to
    over 160.


    --
    --
    Martin | martin at
    Gregorie | gregorie dot org

  • From Tauno Voipio@3:770/3 to Chris Green on Sun Dec 27 21:35:46 2020
    On 27.12.20 20.04, Chris Green wrote:
    druck <news@druck.org.uk> wrote:
    On 27/12/2020 15:26, Chris Green wrote:
    Or I can do what I already do out through the marina WiFi, set up
    reverse ssh tunnels. That might actually be the way to do it anyway
    as it avoids the need for dynamic DNS.

    Or even better, use OpenVPN to allow the remote device to appear on your
    local network. If your router supports OpenVPN, use that, otherwise run
    it on a Raspberry Pi.

    Whenever I try to understand how to configure OpenVPN I rapidly get
    lost.

    Presumably I'd run the remote Pi (the one on the boat in France) as a
    VPN client and have the VPN server running on my home LAN somewhere.
    I have two Pis already on my home LAN, one of them is a Pi 4, would
    that be OK to run Open VPN server?

    Does an Open VPN server play nicely with an existing LAN whose DNS and
    DHCP is provided by (yet) another Pi on the LAN? I.e. does everything
    else work as before locally with just the addition of the remote
    system so that it adds itself to the existing LAN?


    I'm running OpenVPN with Pi3's in three different locations, and
    all are running well.

    You have to provide proper routing to the server Pi from the public
    network. I'm using dyn.com dynamic DNS services to make the ISP's
    DHCP-assigned IP addresses accessible from the outside.

    If your OpenVPN machine is not the same as the incoming firewall/router,
    you do need port forward from the outside to the OpenVPN machine. The
    usual port is UDP/1194.

    You have also a need to provide routing from the internal network
    to the OpenVPN daemon for the subnet (or host) to tunnel via the VPN.

    --

    -TV

  • From Andy Burns@3:770/3 to Dennis Lee Bieber on Sun Dec 27 20:30:06 2020
    Dennis Lee Bieber wrote:

    Unless you want the remote system to continuously "phone home" to access your home system, I suspect you need the server to be on the remote R-Pi. It will sit, waiting for an inbound connection request from your home system, so that you can then interact with ITS OS.

    If he has several rPis dotted around, and wants to connect to any of
    them by SSH, far easier to just get a static IP addr on the home
    broadband than dick around with various dynDNS services, just make all
    the Pis (or beagles) phone home with a VPN or reverse SSH, all the time.

  • From Joe@3:770/3 to Martin Gregorie on Sun Dec 27 21:08:17 2020
    On Sun, 27 Dec 2020 19:56:44 -0000 (UTC)
    Martin Gregorie <martin@mydomain.invalid> wrote:

    On Sun, 27 Dec 2020 18:05:45 +0000, Chris Green wrote:



    Dongles are as cheap as chips, it's the M2M SIM that costs.

    Not all of 'em by any means - Amazon prices seem to run from 13 quid
    to over 160.



    More accurately, it's the monthly contract that costs. I'm aware of a
    4G SIM with a fixed public IP address that costs about GBP16.00 per
    month, with 1GB of data. Data overrun is very expensive. I've seen much
    higher prices quoted. There are PAYG versions, but the providers want to
    make the same kind of money, so the cost per GB is very high.

    --
    Joe

  • From Chris Green@3:770/3 to Tauno Voipio on Sun Dec 27 20:28:52 2020
    Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
    On 27.12.20 20.04, Chris Green wrote:
    druck <news@druck.org.uk> wrote:
    On 27/12/2020 15:26, Chris Green wrote:
    Or I can do what I already do out through the marina WiFi, set up
    reverse ssh tunnels. That might actually be the way to do it anyway
    as it avoids the need for dynamic DNS.

    Or even better, use OpenVPN to allow the remote device to appear on your
    local network. If your router supports OpenVPN, use that, otherwise run
    it on a Raspberry Pi.

    Whenever I try to understand how to configure OpenVPN I rapidly get
    lost.

    Presumably I'd run the remote Pi (the one on the boat in France) as a
    VPN client and have the VPN server running on my home LAN somewhere.
    I have two Pis already on my home LAN, one of them is a Pi 4, would
    that be OK to run Open VPN server?

    Does an Open VPN server play nicely with an existing LAN whose DNS and
    DHCP is provided by (yet) another Pi on the LAN? I.e. does everything
    else work as before locally with just the addition of the remote
    system so that it adds itself to the existing LAN?


    I'm running OpenVPN with Pi3's in three different locations, and
    all are running well.

    You have to provide proper routing to the server Pi from the public
    network. I'm using dyn.com dynamic DNS services to make the ISP's
    DHCP-assigned IP addresses accessible from the outside.

    My home desktop/LAN has a static IP so I can open the firewall and
    route directly to the Pi running the VPN server.

    If your OpenVPN machine is not the same as the incoming firewall/router,
    you do need port forward from the outside to the OpenVPN machine. The
    usual port is UDP/1194.

    You have also a need to provide routing from the internal network
    to the OpenVPN daemon for the subnet (or host) to tunnel via the VPN.

    Ay? I'm not at all sure what you mean by this.

    --
    Chris Green
    ·

  • From Dennis Lee Bieber@3:770/3 to All on Sun Dec 27 15:20:23 2020
    On Sun, 27 Dec 2020 18:04:03 +0000, Chris Green <cl@isbd.net> declaimed the following:


    Presumably I'd run the remote Pi (the one on the boat in France) as a
    VPN client and have the VPN server running on my home LAN somewhere.
    I have two Pis already on my home LAN, one of them is a Pi 4, would
    that be OK to run Open VPN server?


    From https://www.infopackets.com/news/10404/explained-difference-between-vpn-server-and-vpn-service
    """
    A VPN server is nothing more than a software program that runs on your
    office PC 24 hours a day, waiting for you (the VPN client) to connect to it remotely.
    """

    Unless you want the remote system to continuously "phone home" to access your home system, I suspect you need the server to be on the remote R-Pi. It will sit, waiting for an inbound connection request from your home system, so that you can then interact with ITS OS.

    """
    Once the connection is made to the VPN server, you would have access to
    your office PC files and other resources in the office - just as if you
    were physically attached to your office network in person
    """

    Of course, that may mean having some sort of internet connection active, with either a fixed-IP or via some dynamic DNS service (which gives
    you a fixed domain name, which it then routes to whatever was the last IP# provided it by the remote -- via some periodic daemon or cron job). And requires open ports on the firewall and any router that may be in the way
    (I suspect it will be the router that is a problem if using a cellular
    module -- the cellular service providers expect the module to initiate
    requests out to the internet, not to respond to requests coming in from the internet).

    A VPN may not even be needed at this stage. Merely having an SSH server accessible from outside would provide a command-line management interface.
    In contrast, a VPN tends to provide an encrypted tunnel allowing the client
    to "see" the remote machine as if it were a local display.




    --
    Wulfraed Dennis Lee Bieber AF6VN
    wlfraed@ix.netcom.com http://wlfraed.microdiversity.freeddns.org/

  • From Joe@3:770/3 to Chris Green on Sun Dec 27 21:16:38 2020
    On Sun, 27 Dec 2020 20:28:52 +0000
    Chris Green <cl@isbd.net> wrote:

    Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:


    You have also a need to provide routing from the internal network
    to the OpenVPN daemon for the subnet (or host) to tunnel via the
    VPN.
    Ay? I'm not at all sure what you mean by this.


    I think what he means is that using a VPN from a single computer
    doesn't need any routing changes, but if you want one computer to
    handle VPN for other local computers, and the VPN machine is not the
    network's default gateway, then you need to tell the other computers
    that the VPN computer is the gateway to the distant network. The
    simplest way is with a DHCP configuration. I recall using a Win2000
    workstation as a VPN server for a remote office and needing to do this.

    --
    Joe

  • From Chris Green@3:770/3 to Joe on Sun Dec 27 21:34:33 2020
    Joe <joe@jretrading.com> wrote:
    On Sun, 27 Dec 2020 20:28:52 +0000
    Chris Green <cl@isbd.net> wrote:

    Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:


    You have also a need to provide routing from the internal network
    to the OpenVPN daemon for the subnet (or host) to tunnel via the
    VPN.
    Ay? I'm not at all sure what you mean by this.


    I think what he means is that using a VPN from a single computer
    doesn't need any routing changes, but if you want one computer to
    handle VPN for other local computers, and the VPN machine is not the network's default gateway, then you need to tell the other computers
    that the VPN computer is the gateway to the distant network. The
    simplest way is with a DHCP configuration. I recall using a Win2000 workstation as a VPN server for a remote office and needing to do this.

    Hmm!! I don't see how that makes sense. 'Using VPN from a single
    computer' when the 'single computer' is on a LAN - but then it all
    goes to pot doesn't it? Either the computer is on one's LAN or it's
    in a VPN with the remote but it can't really do both can it?

    --
    Chris Green
    ·

  • From Ahem A Rivet's Shot@3:770/3 to crn@nospam.com on Sun Dec 27 21:07:35 2020
    On Sun, 27 Dec 2020 17:11:49 -0000 (UTC)
    crn@nospam.com wrote:

    Ahem A Rivet's Shot <steveo@eircom.net> wrote:
    On Sun, 27 Dec 2020 15:26:59 +0000
    Chris Green <cl@isbd.net> wrote:

    Or I can do what I already do out through the marina WiFi, set up
    reverse ssh tunnels. That might actually be the way to do it anyway
    as it avoids the need for dynamic DNS.

    That or tunnel an IPv6 connection in from Hurricane Electric and have a routed /64 to play with (or even a /48).

    How much do they charge for the /48 after you get the free tunnel ?

    That's free too.

    --
    Steve O'Hara-Smith | Directable Mirror Arrays C:\>WIN | A better way to focus the sun
    The computer obeys and wins. | licences available see
    You lose and Bill collects. | http://www.sohara.org/

  • From Chris Green@3:770/3 to Chris Green on Sun Dec 27 22:12:54 2020
    Chris Green <cl@isbd.net> wrote:
    Joe <joe@jretrading.com> wrote:
    On Sun, 27 Dec 2020 20:28:52 +0000
    Chris Green <cl@isbd.net> wrote:

    Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:


    You have also a need to provide routing from the internal network
    to the OpenVPN daemon for the subnet (or host) to tunnel via the
    VPN.
    Ay? I'm not at all sure what you mean by this.


    I think what he means is that using a VPN from a single computer
    doesn't need any routing changes, but if you want one computer to
    handle VPN for other local computers, and the VPN machine is not the network's default gateway, then you need to tell the other computers
    that the VPN computer is the gateway to the distant network. The
    simplest way is with a DHCP configuration. I recall using a Win2000 workstation as a VPN server for a remote office and needing to do this.

    Hmm!! I don't see how that makes sense. 'Using VPN from a single
    computer' when the 'single computer' is on a LAN - but then it all
    goes to pot doesn't it? Either the computer is on one's LAN or it's
    in a VPN with the remote but it can't really do both can it?

    Further there is a load of misinformation and worse about VPNs on
    Ubuntu, for example (and this is by no means the worst) take a look
    at:-

    https://thishosting.rocks/how-to-set-up-openvpn-on-ubuntu/

    It says you do things like:-

    $ SSH root@<IP address>

    No Ubuntu system has had a root login for years (if ever)! Not to
    mention that the command before for obtaining the IP address is
    rubbish. (We'll ignore the upper case ssh)

    Other VPN tutorials are just as bad.

    ... and how does installing a VPN make my access to the internet more
    secure??? It makes access from *my* site A to *my* site B more secure
    but not much else.

    It really gives me bad vibes about using a VPN.


    --
    Chris Green
    ·

  • From Computer Nerd Kev@3:770/3 to Chris Green on Sun Dec 27 23:00:16 2020
    Chris Green <cl@isbd.net> wrote:
    Theo <theom+news@chiark.greenend.org.uk> wrote:
    Chris Green <cl@isbd.net> wrote:
    OK, my current WiFi set up is (as a mobile connection would be) behind
    a NAT router and I set up reverse ssh tunnels to allow me to connect
    'on demand' to the Pi (BBB). So I can do exactly the same using the
    mobile data connection.

    Will the mobile provider object to the connection being up all the
    time but with virtually no data going through it?

    Mobile networks are often quite aggressive at killing idle connections
    through their CG-NAT - 30 seconds idle is common, for example. To avoid
    that you have to send keepalives, which will gradually consume your data
    allowance.

    But a keepalive is only a character (or two), even if it sends a TCP
    packet as a result that's 1500 bytes. Say 600 keepalives per Mb,
    that's only a few Mb per day which shouldn't cost too much.

    This depends on the provider. I've been using mobile broadband for
    my home internet for years, from various providers. At least one
    rounded up the data used over certain connection periods for
    charging purposes. Maybe you'll avoid that if the connection never
    does go dead, but on the other hand it might trigger regular
    round-ups to 1MB just because an open connection gets rounded up
    to 1MB every so often by their system.

    This is a "try it and see" sort of thing, terms of service
    documents can be long and detailed, but often don't actually match
    the reality of how their system works. Some providers round up by
    KB instead of MB, by the way.

    This is based on experience with mobile broadband providers in
    Australia only.

    --
    __ __
    #_ < |\| |< _#

  • From Theo@3:770/3 to Computer Nerd Kev on Sun Dec 27 23:10:41 2020
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    Odds are that the OP isn't in Australia, so I won't bother trying to
    dig up the link. But I'm guessing that there would be similar
    options in their country if they looked hard enough. Mobile
    broadband is now used quite a bit in industry for this sort of
    thing.

    It used to be that Three (UK), on the 3internet APN, would get you a public (variable) IPv4 address. Using the three.co.uk APN would put you behind
    CGNAT. I don't know if that's still the case. I think the public IP still
    had some degree of firewalling (so you couldn't run some protocols).

    A&A will provide you a fixed IPv4 address on their data SIMs: https://www.aa.net.uk/voice-and-mobile/data-sims/
    (appears to use the Three network and AQL's M2M service)

    Theo

  • From Computer Nerd Kev@3:770/3 to The Natural Philosopher on Sun Dec 27 22:48:41 2020
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 14:12, David Higton wrote:

    If you have no idea of its IP address, then it gets somewhat harder.

    By definition on a mobile network it's behind a HUGE NAT proxy. Unless
    you are supremely lucky and you get an IPV6 address

    Yes that's the case for any "normal" account. In Australia there
    is/was at least one reseller offering mobile broadband accounts
    with a fixed IPv4 address, on either the Telstra or Optus networks.
    You paid for it of course, but it wasn't big $$$.

    Odds are that the OP isn't in Australia, so I won't bother trying to
    dig up the link. But I'm guessing that there would be similar
    options in their country if they looked hard enough. Mobile
    broadband is now used quite a bit in industry for this sort of
    thing.

    --
    __ __
    #_ < |\| |< _#

  • From The Natural Philosopher@3:770/3 to Chris Green on Mon Dec 28 11:12:36 2020
    On 27/12/2020 16:07, Chris Green wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    Start with the assumption that you can't open a connection to a mobile
    equipped pi, but 'always on' FROM the pi won't be costly.

    So, if one has 'always on' FROM the pi does that then just require
    some sort of dynamic dns service to be able to ssh *to* it?

    No, not even that will work.

    Because that will take you to the ISP's NAT router and there will be no
    way to route onward to the Pi.

    *Only if the Pi initiates the connection* will the NAT router set up a
    mapping between public IP/port and PI IP/port.

    It's analogous to your current wifi setup. The Pi will have to be online
    and permanently connected in some way to a publicly accessible server
    that you can use as a gateway.

    OK, my current WiFi set up is (as a mobile connection would be) behind
    a NAT router and I set up reverse ssh tunnels to allow me to connect
    'on demand' to the Pi (BBB). So I can do exactly the same using the
    mobile data connection.

    Will the mobile provider object to the connection being up all the
    time but with virtually no data going through it?

    That is what any smart phone in your pocket does. Why should it? In
    reality all that is going on is keepalive packets going to the cell
    tower and probably keepalive packets keeping alive any TCP connection
    you have




    --
    "In our post-modern world, climate science is not powerful because it is
    true: it is true because it is powerful."

    Lucas Bergkamp

  • From Chris Green@3:770/3 to Computer Nerd Kev on Mon Dec 28 10:55:53 2020
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    Chris Green <cl@isbd.net> wrote:
    Theo <theom+news@chiark.greenend.org.uk> wrote:
    Chris Green <cl@isbd.net> wrote:
    OK, my current WiFi set up is (as a mobile connection would be) behind
    a NAT router and I set up reverse ssh tunnels to allow me to connect
    'on demand' to the Pi (BBB). So I can do exactly the same using the
    mobile data connection.

    Will the mobile provider object to the connection being up all the
    time but with virtually no data going through it?

    Mobile networks are often quite aggressive at killing idle connections
    through their CG-NAT - 30 seconds idle is common, for example. To avoid
    that you have to send keepalives, which will gradually consume your data
    allowance.

    But a keepalive is only a character (or two), even if it sends a TCP
    packet as a result that's 1500 bytes. Say 600 keepalives per Mb,
    that's only a few Mb per day which shouldn't cost too much.

    This depends on the provider. I've been using mobile broadband for
    my home internet for years, from various providers. At least one
    rounded up the data used over certain connection periods for
    charging purposes. Maybe you'll avoid that if the connection never
    does go dead, but on the other hand it might trigger regular
    round-ups to 1MB just because an open connection gets rounded up
    to 1MB every so often by their system.

    This is a "try it and see" sort of thing, terms of service
    documents can be long and detailed, but often don't actually match
    the reality of how their system works. Some providers round up by
    KB instead of MB, by the way.

    This is based on experience with mobile broadband providers in
    Australia only.

    Yes, absolutely, trying to find the *actual* way they charge is very
    often well nigh impossible and they usually don't know themselves (or
    at least the people you talk to don't know).

    --
    Chris Green
    ·

  • From Chris Green@3:770/3 to Computer Nerd Kev on Mon Dec 28 10:58:43 2020
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 27/12/2020 14:12, David Higton wrote:

    If you have no idea of its IP address, then it gets somewhat harder.

    By definition on a mobile network it's behind a HUGE NAT proxy. Unless
    you are supremely lucky and you get an IPV6 address

    Yes that's the case for any "normal" account. In Australia there
    is/was at least one reseller offering mobile broadband accounts
    with a fixed IPv4 address, on either the Telstra or Optus networks.
    You paid for it of course, but it wasn't big $$$.

    Odds are that the OP isn't in Australia, so I won't bother trying to
    dig up the link. But I'm guessing that there would be similar
    options in their country if they looked hard enough. Mobile
    broadband is now used quite a bit in industry for this sort of
    thing.

    OP here - I'm in the UK but the system this is for will be in France.
    So digging out specialist providers and such is one level more
    difficult than doing it 'at home'.

    --
    Chris Green
    ·

  • From Joe@3:770/3 to Chris Green on Mon Dec 28 11:07:23 2020
    On Sun, 27 Dec 2020 21:34:33 +0000
    Chris Green <cl@isbd.net> wrote:

    Joe <joe@jretrading.com> wrote:
    On Sun, 27 Dec 2020 20:28:52 +0000
    Chris Green <cl@isbd.net> wrote:

    Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:


    You have also a need to provide routing from the internal
    network to the OpenVPN daemon for the subnet (or host) to
    tunnel via the VPN.
    Ay? I'm not at all sure what you mean by this.


    I think what he means is that using a VPN from a single computer
    doesn't need any routing changes, but if you want one computer to
    handle VPN for other local computers, and the VPN machine is not the
    network's default gateway, then you need to tell the other computers
    that the VPN computer is the gateway to the distant network. The
    simplest way is with a DHCP configuration. I recall using a Win2000
    workstation as a VPN server for a remote office and needing to do
    this.
    Hmm!! I don't see how that makes sense. 'Using VPN from a single
    computer' when the 'single computer' is on a LAN - but then it all
    goes to pot doesn't it? Either the computer is on one's LAN or it's
    in a VPN with the remote but it can't really do both can it?

    Yes, it can. A VPN client behaves as a computer with two (or more)
    network interfaces. A single workstation client will by default route
    its outgoing packets to its VPN client software for transmission down
    the tunnel (obviously except the VPN protocol packets themselves,
    which are routed as normal through the computer's hardware network
    interface), but the hardware interface can still accept packets from
    other local computers, and may be configured to also route some or all
    of them into the VPN. It's also obvious why the network address for
    local LAN and remote network must be different, having the same network
    address on two interfaces of the same computer never works well.

    Three VPN scenarios:

    1) Default gateway router is a VPN client to a remote network. All
    outgoing packets (except the VPN protocol itself) go through the VPN.
    All computers using the router automatically use the VPN with no change
    in routing necessary.

    2) Single workstation is the VPN client. All its packets route through
    the VPN. No routing change required. All other computers in the local
    LAN unaffected.

    3) Computer within the LAN (i.e. not the default gateway) is the VPN
    client to the remote network. Other local computers which wish to use
    the VPN must treat the VPN client as the gateway to the remote
    network(s), so a routing change in the client is required, as well as
    enabling IP forwarding in the VPN computer and possibly adjusting its
    firewall.

    The first and last are 'site-to-site' VPNs, handling multiple clients.
    Best done by scenario 1), but can be done by 3) if the gateway cannot
    be a client of the VPN type required. Most modern routers can be client
    or server to some VPN types e.g. IPSec and PPTP, but not usually
    OpenVPN.

    Note that many types of VPN (e.g. IPSec and PPTP) can only support one
    tunnel between a given pair of IP addresses. OpenVPN can use any port,
    so multiple tunnels are allowed, but IPSec and PPTP both use a TCP
    control channel and another IP protocol which does not have the concept
    of ports. So two or more workstations within the same (NATed) LAN must
    use site-to-site to reach the same remote network if using one of these
    VPN types.

    --
    Joe

  • From druck@3:770/3 to Chris Green on Mon Dec 28 11:40:58 2020
    On 27/12/2020 20:28, Chris Green wrote:
    Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
    On 27.12.20 20.04, Chris Green wrote:
    If your OpenVPN machine is not the same as the incoming firewall/router,
    you do need port forward from the outside to the OpenVPN machine. The
    usual port is UDP/1194.

    You have also a need to provide routing from the internal network
    to the OpenVPN daemon for the subnet (or host) to tunnel via the VPN.

    Ay? I'm not at all sure what you mean by this.

    Here's your network

    a) Router
    b) OpenVPN server
    c) Other local machine(s)

    and

    d) Remote machine

    You need to set up your router so it forwards port UDP/1194 to the IP
    address of OpenVPN server (b), as the OpenVPN client on (d) will connect
    to the external (WAN) address of (a), and this traffic is handled by (b).

    The OpenVPN server on (b) will assign a private subnet for the remote
    devices which is different to your local network subnet. When OpenVPN
    server is running on the router it will use DHCP to tell the other local
    machines (c) to route this subnet through it. But if you are using a
    separate OpenVPN server (b), you either need to manually add a route to
    its DHCP table, or set up the routing on each of the other machines (c) so
    the remote subnet is routed via (b), rather than defaulting to the router.

    That all seemed a lot easier to explain before I started writing this post!

    ---druck
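
Added example, not taken from any post in this thread: a small Python model of the routing point Joe (scenario 3) and druck make, showing where a local machine (c) sends traffic for the VPN subnet with and without the extra route. All addresses are constructed, and the lookup is a plain longest-prefix match rather than any real kernel's routing table.

```python
import ipaddress

# Constructed addressing for the (a)-(d) layout described above.
LAN = "192.168.1.0/24"
ROUTER_A = "192.168.1.1"        # (a) default gateway, knows nothing of the VPN
VPN_SERVER_B = "192.168.1.10"   # (b) separate OpenVPN server on the LAN
VPN_SUBNET = "10.1.1.0/24"      # private subnet (b) assigns to remote clients
REMOTE_D = "10.1.1.6"           # (d) remote machine's address inside the VPN

# Routing table of a local machine (c) as a plain router's DHCP leaves it,
# and the same table after the extra route via (b) has been added.
ROUTES_C_DEFAULT = [(LAN, "on-link"), ("0.0.0.0/0", ROUTER_A)]
ROUTES_C_FIXED = ROUTES_C_DEFAULT + [(VPN_SUBNET, VPN_SERVER_B)]


def next_hop(routes, destination):
    """Return the gateway chosen by longest-prefix match, or None."""
    dest = ipaddress.ip_address(destination)
    best = None
    for network, gateway in routes:
        net = ipaddress.ip_network(network)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def plan_problems(lan, vpn_subnet, vpn_server):
    """List the addressing mistakes that stop scenario 3 from working."""
    problems = []
    lan_net = ipaddress.ip_network(lan)
    vpn_net = ipaddress.ip_network(vpn_subnet)
    if lan_net.overlaps(vpn_net):
        problems.append(f"LAN {lan_net} and VPN subnet {vpn_net} overlap")
    if ipaddress.ip_address(vpn_server) not in lan_net:
        problems.append(f"VPN server {vpn_server} is not on the LAN {lan_net}")
    return problems


def static_route_command(vpn_subnet, vpn_server):
    """The per-machine fix on a Linux (c); (b) must also forward IP packets."""
    net = ipaddress.ip_network(vpn_subnet)
    gateway = ipaddress.ip_address(vpn_server)
    return f"ip route add {net} via {gateway}"


if __name__ == "__main__":
    print("problems:", plan_problems(LAN, VPN_SUBNET, VPN_SERVER_B))
    # Without the route, (c) hands packets for (d) to the router, which has
    # no path to the VPN subnet, so the remote end never sees a reply.
    print("before:", next_hop(ROUTES_C_DEFAULT, REMOTE_D))
    print("after: ", next_hop(ROUTES_C_FIXED, REMOTE_D))
    print("fix:   ", static_route_command(VPN_SUBNET, VPN_SERVER_B))
```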

  • From druck@3:770/3 to Joe on Mon Dec 28 11:20:13 2020
    On 28/12/2020 11:07, Joe wrote:
    The first and last are 'site-to-site' VPNs, handling multiple clients.
    Best done by scenario 1), but can be done by 3) if the gateway cannot
    be a client of the VPN type required. Most modern routers can be client
    or server to some VPN types e.g. IPSec and PPTP, but not usually
    OpenVPN.

    Asus routers support OpenVPN client and server out of the box. Any
    router supported by OpenWrt is also OK.

    ---druck

  • From Deloptes@3:770/3 to Chris Green on Mon Dec 28 14:01:00 2020
    Chris Green wrote:

    OP here - I'm in the UK but the system this is for will be in France.
    So digging out specialist providers and such is one level more
    difficult than doing it 'at home'.

    I have my parents in another country and they use linux PC. I and they have dynamic IP.

    I have set up DDNS with no-ip.org at home and have a physical PC (industrial
    Geode from 2007) that I use as firewall and VPN (with OpenVPN). On the
    modem I configured forwarding of all traffic to the FW. On my parents' PC I
    have a script that checks a URL on my home apache server (via the DDNS)
    that simply replies with YES or NO. If YES it starts the OpenVPN on the
    remote (my parents') PC and connects to my FW; if NO it stops the VPN on the
    remote PC. Then when connected, I use the VPN IP to connect to their PC in
    the VPN network.

    Same can be achieved with mobile network - there are hubs with SIM cards to
    provide internet in regions where there is no fast internet connection, or
    simply to carry with you and use anywhere. The process would be the same
    because what matters is the DDNS and your VPN. As soon as the client connects
    to the server you can access the client over the VPN IP. As it was stated
    you have to "push" the routes from/to your local network.

    So you say you are located in the UK and have a local network with, let's
    say, 192.168.1.0/24. Your VPN has 10.1.1.0/24. The OpenVPN will push a
    route to the client in France to the gateway in 192.168.1.0 and route the traffic from 10.1.1.0 to 192.168.1.0. This way you can access anything on 10.1.1.0 from 192.168.1.0.

    I got tired following the whole thread ... the described setup is a common practice and I do not understand why so many posts. Forgive me if I
    repeated or misunderstood something.

    I do not know what was mentioned regarding OpenVPN setup, but it took me a while to understand how it works. I choose certificate based
    authentication. So I had to create and deploy certificates for and to the clients I use. This way the client can connect without providing password.

    Another use of this is when I travel - from the company's Windows Notebook
    or my linux notebook I can connect on demand to the VPN at home. This setup
    is more than 10y old - I'm not sure but I think I did it in 2008 or 2009 -
    never failed - except be careful when you update the system of course :)

    regards

  • From Chris Green@3:770/3 to druck on Mon Dec 28 12:46:56 2020
    druck <news@druck.org.uk> wrote:
    On 28/12/2020 11:07, Joe wrote:
    The first and last are 'site-to-site' VPNs, handling multiple clients.
    Best done by scenario 1), but can be done by 3) if the gateway cannot
    be a client of the VPN type required. Most modern routers can be client
    or server to some VPN types e.g. IPSec and PPTP, but not usually
    OpenVPN.

    Asus routers support OpenVPN client and server out of the box. Any
    router supported by OpenWrt is also OK.

    If a router 'supports VPN' what does that actually mean?

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?


    --
    Chris Green
    ·

  • From Ahem A Rivet's Shot@3:770/3 to Chris Green on Mon Dec 28 13:22:38 2020
    On Mon, 28 Dec 2020 12:46:56 +0000
    Chris Green <cl@isbd.net> wrote:

    druck <news@druck.org.uk> wrote:

    Asus routers support OpenVPN client and server out of the box. Any
    router supported by OpenWrt is also OK.

    If a router 'supports VPN' what does that actually mean?

    There are many varieties of VPN using different protocols OpenVPN
    is just one of them (other common ones are IPSec and PPTP), many consider
    it the best of them.

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    It might depending on what support is on the router - nearly all routers will act as PPTP client not so many as anything else. As mentioned above Asus and routers running OpenWrt support OpenVPN both as client and server.

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what

    I could be wrong but I'm pretty sure the Draytek routers only
    support being a PPTP client so that they can connect you to a corporate
    VPN. To be certain you'd have to look in the Draytek documentation.

    --
    Steve O'Hara-Smith | Directable Mirror Arrays C:\>WIN | A better way to focus the sun
    The computer obeys and wins. | licences available see
    You lose and Bill collects. | http://www.sohara.org/

  • From Kurt Weiske@1:218/700 to The Natural Philosopher on Mon Dec 28 08:34:00 2020
    The Natural Philosopher wrote to Joe <=-

    It's a common requirement, and the magic codeword is 'M2M' (machine to machine). You'll probably need to go to a specialist SIM provider, the average high-street phone shop salesman won't have a clue what you're talking about.

    That I did NOT know. That simplifies everything

    We have a handful of T-Mobile 4G hotspots, and that service is
    $5/month, if memory serves. It's a great deal for what possibilities
    it opens up.



    ... Are there sections? Consider transitions
    --- MultiMail/XT v0.52
    * Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)
  • From Kurt Weiske@1:218/700 to Martin Gregorie on Mon Dec 28 08:37:00 2020
    Martin Gregorie wrote to Chris Green <=-

    IOW it does about the same job as the wifi link on a Pi 3, 4 or Zero W except that it preferentially connects to a 3G or 4G base station
    rather than to the nearest wifi router.

    Getting the carrier to provision them properly may be tough. I have a
    Thinkpad laptop with a SIM slot for a Gobi card, but if I slot in a
    working GSM sim, it doesn't work. Don't know if they're locked to a
    specific carrier or need to be provisioned differently to work.

    kurt weiske | kweiske at realitycheckbbs dot org
    | http://realitycheckbbs.org
    | 1:218/700@fidonet




    --- MultiMail/XT v0.52
    * Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)
  • From Theo@3:770/3 to Chris Green on Mon Dec 28 16:53:52 2020
    Chris Green <cl@isbd.net> wrote:
    OP here - I'm in the UK but the system this is for will be in France.
    So digging out specialist providers and such is one level more
    difficult than doing it 'at home'.

    Just a thought, but have you considered using SMS to ask the remote end to initiate the connection?

    You send a text saying 'wake up now', the boat receives it, 'dials' a 3G/LTE connection and connects to your VPN (or SSH tunnel). Now you can access it. After a while of inactivity it drops the connection and goes back to sleep.

    If the duty cycle is low (eg you connect for 5 minutes a week) it could work out cheaper than having an always-on VPN connection that's consuming traffic
    in keepalives.

    That also means you can use any SIM you like, so pick whatever tariff suits you.

    Typically, dongles provide multiple USB-UART channels - one for the PPP data connection, another for signal stats and SMS, maybe a third for something
    else (GPS?). I don't know the best framework for handling the SMS side, but
    at the least something polling it with AT commands would do.

    Theo
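
Added example (not part of Theo's post or of any project's code): one way to do the AT-command polling he describes, in Python. It parses the text-mode reply to `AT+CMGL="REC UNREAD"` and decides whether an allowed sender asked for a wake-up. The phone numbers, allow-list and sample modem output are constructed, and the reply is assumed to have been read from the dongle's control port already.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a text-mode (AT+CMGF=1) reply to AT+CMGL="REC UNREAD".
# Numbers, timestamps and message bodies are made up for this example.
SAMPLE_REPLY = (
    '+CMGL: 1,"REC UNREAD","+447700900123",,"20/12/28,16:50:02+00"\r\n'
    'Wake up now\r\n'
    '+CMGL: 2,"REC UNREAD","+447700900999",,"20/12/28,16:51:40+00"\r\n'
    'wake up now\r\n'
    '+CMGL: 3,"REC UNREAD","+447700900123",,"20/12/28,16:52:11+00"\r\n'
    'Your data bundle\r\nexpires soon\r\n'
    '\r\nOK\r\n'
)

ALLOWED_SENDERS = {"+447700900123"}  # assumption: the owner's own number
WAKE_PHRASE = "wake up now"          # the text suggested in the post

# +CMGL: <index>,<stat>,<sender>,[<alpha>],[<timestamp>][,...]
_HEADER = re.compile(
    r'^\+CMGL: (?P<index>\d+),"(?P<status>[^"]*)","(?P<sender>[^"]*)",'
    r'(?:"[^"]*")?(?:,"(?P<stamp>[^"]*)")?(?:,.*)?$'
)


@dataclass
class Sms:
    index: int
    status: str
    sender: str
    timestamp: str
    body_lines: list = field(default_factory=list)

    @property
    def body(self):
        return "\n".join(self.body_lines).strip()


def parse_cmgl(reply):
    """Split a text-mode +CMGL listing into Sms records.

    Text mode gives no length for the body, so a body line shaped like a
    +CMGL header cannot be told apart from a real one; PDU mode (AT+CMGF=0)
    avoids that ambiguity at the cost of decoding hex PDUs.
    """
    lines = reply.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines or lines[-1] != "OK":
        raise ValueError("listing did not end with the OK result code")
    lines.pop()

    messages = []
    for line in lines:
        match = _HEADER.match(line)
        if match:
            messages.append(Sms(int(match["index"]), match["status"],
                                match["sender"], match["stamp"] or ""))
        elif messages:
            messages[-1].body_lines.append(line)
    return messages


def wake_requests(messages, allowed=ALLOWED_SENDERS, phrase=WAKE_PHRASE):
    """Indices of messages that are a valid wake-up request."""
    return [m.index for m in messages
            if m.sender in allowed and m.body.lower() == phrase]


def cleanup_commands(messages):
    """AT commands that delete every listed message so storage never fills."""
    return [f"AT+CMGD={m.index}" for m in messages]


def handle_reply(reply):
    """Decide what to do after one poll of the modem.

    The sender number of an SMS can be forged, so a match only brings the
    outbound link up; logins stay authenticated by SSH or the VPN.
    """
    messages = parse_cmgl(reply)
    return {"wake": bool(wake_requests(messages)),
            "send": cleanup_commands(messages)}


if __name__ == "__main__":
    print(handle_reply(SAMPLE_REPLY))
```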

  • From Martin Gregorie@3:770/3 to Kurt Weiske on Mon Dec 28 17:40:41 2020
    On Mon, 28 Dec 2020 08:37:00 +1300, Kurt Weiske wrote:

    Getting the carrier to provision them properly may be tough. I have a
    Thinkpad laptop with a SIM slot for a Gobi card, but if I slot in a
    working GSM sim, it doesn't work. Don't know if they're locked to a
    specific carrier or need to be provisioned differently to work.

    Fair comment. The only GSM dongle I've tried or needed to try, back in
    2004, came with a Vodafone sim. However, it turned out that I was in a
    not-spot where the dongle would connect, but couldn't transfer data.

    Fortunately, I was able to send it back and get a refund.

    BTW, the program I used to access the dongle on an old Lenovo running Red
    Hat Linux 7.1 (that dates it!), gcom, was a command-line utility that
    executed a user-modifiable script to connect to the network and manage
    data transfers. I don't know if it's still around or needed, but the
    documentation was excellent and all in its manpage.


    --
    --
    Martin | martin at
    Gregorie | gregorie dot org

  • From Axel Berger@3:770/3 to Kurt Weiske on Mon Dec 28 20:00:27 2020
    Kurt Weiske wrote:
    We have a handful of T-Mobile 4G hotspots, and that service is
    $5/month, if memory serves.

    That actually sounds reasonable. Whenever I come across a non-free
    hotspot around here it's something like 5$ per hour. I'm never sure
    whether it's me losing his mind and going off the rocker or they are.


    --
    /\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
    \ / HTML | Roald-Amundsen-Straße 2a Fax: +49/ 221/ 7771 8069
    X in | D-50829 Köln-Ossendorf http://berger-odenthal.de
    / \ Mail | -- No unannounced, large, binary attachments, please! --

  • From Joe@3:770/3 to Chris Green on Mon Dec 28 22:37:11 2020
    On Mon, 28 Dec 2020 12:46:56 +0000
    Chris Green <cl@isbd.net> wrote:

    druck <news@druck.org.uk> wrote:
    On 28/12/2020 11:07, Joe wrote:
    The first and last are 'site-to-site' VPNs, handling multiple
    clients. Best done by scenario 1), but can be done by 3) if the
    gateway cannot be a client of the VPN type required. Most modern
    routers can be client or server to some VPN types e.g. IPSec and
    PPTP, but not usually OpenVPN.

    Asus router support OpenVPN client and server out of the box. Any
    router supported by OpenWrt is also OK.

    If a router 'supports VPN' what does that actually mean?

    There are two levels: first is to pass the VPN protocol at all, in
    either direction. This isn't relevant to OpenVPN, but some other types
    of VPN use two channels like FTP. Like FTP, they require a conntrack
    module in the stateful firewall to associate the two channels, to allow
    one to pass when only the other has been seen by the firewall. I've
    seen routers that supposedly have 'PPTP passthrough' which do not, in
    fact, do it correctly. VPNs are an afterthought to router
    manufacturers. Draytek was always notable for having better VPN
    implementations than most other makes at a comparable price.

    Secondly there is actual VPN client or server support, often described
    as 'VPN endpoint'.

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    At the second level, yes.

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful?

    It depends on the type of VPN. Some like OpenVPN are normally secured
    by certificates, some just by password. They will often need a key at
    both ends for use in the symmetrical encryption. Asymmetrical encryption
    can be provided by the certificate, but that is generally too slow to
    have a decent performance.

    ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?


    If the router is the endpoint, then all the LAN is potentially
    available to the client. If the router has a decent firewall user
    interface, then access can be tailored so that only certain LAN
    computers are visible. Ideally the router should connect to the LAN via
    a separate firewall computer running iptables or nftables, which allow
    very fine-grained control in forwarding. Of course, the LAN computer
    firewalls can also permit packets on only certain ports when arriving
    from the router.

    ... and how do I connect a remote system to the VPN?

    Give the VPN client the public IP address or hostname, and tell it to
    connect. Network Manager works fairly well these days, and has plugins
    for some VPNs. Obviously arrange for the client to have any keys or certificates it requires. It is wise to have human intervention required
    e.g. to have a private key encrypted with a good passphrase which is not entrusted to the VPN client, so if the key becomes compromised it can
    be cancelled and replaced without much risk of intrusion. I keep
    OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
    lose a laptop, my home network is still safe, and if I lose the wallet,
    the encryption passphrase isn't stored on the stick.

    --
    Joe

  • From Richard Falken@1:123/115 to Chris Green on Mon Dec 28 18:23:40 2020
    Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
    By: Chris Green to druck on Mon Dec 28 2020 12:46 pm

    If a router 'supports VPN' what does that actually mean?

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?

    VPN capable routers are used mainly for enterprise/small businesses.

    The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).

    ie:

    LAN A has subnet 192.168.10.0/

    LAN B has 192.168.20.0/

    The router generated VPN makes it so a computer in LAN A can use a network
    printer with ip 192.168.20.5 in LAN B, access a file server which is not
    allowed traffic to the open internet at 192.168.20.11 (LAN B) etc as if both
    networks were directly connected, instead of separated by the whole
    Internet. In fact the connection between the two networks is encrypted and thus
    deemed private.

    This is the most common scenario that you find documented for VPN enabled routers, followed by the road-warrior setup (you use VPN in order to allow a laptop using an insecure LAN connect to your office in Berlin and access resources in LAN A as if the laptop was in Berlin's office).

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (1:123/115)
  • From Chris Green@3:770/3 to Joe on Tue Dec 29 09:59:11 2020
    Joe <joe@jretrading.com> wrote:

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful?

    It depends on the type of VPN. Some like OpenVPN are normally secured
    by certificates, some just by password. They will often need a key at
    both ends for use in the symmetrical encryption. Asymmetrical encryption
    can be provided by the certificate, but that is generally too slow to
    have a decent performance.

    I guess that's part of my issue with all this. I don't need speed,
    all I need is something fast enough to handle interactive terminal
    usage. Neither do I need security, the remote system has no personal information on it at all, the only data to be stolen is temperatures,
    voltages and other measurements on my boat.

    All I need is a reliable piece of wet string between me and the SBC on
    the boat. :-)


    ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?


    If the router is the endpoint, then all the LAN is potentially
    available to the client. If the router has a decent firewall user
    interface, then access can be tailored so that only certain LAN
    computers are visible. Ideally the router should connect to the LAN via
    a separate firewall computer running iptables or nftables, which allow
    very fine-grained control in forwarding. Of course, the LAN computer firewalls can also permit packets on only certain ports when arriving
    from the router.

    I don't need or want any of that, the remote machine doesn't need to
    be able to see my home LAN at all, it's the other direction I need.


    ... and how do I connect a remote system to the VPN?

    Give the VPN client the public IP address or hostname, and tell it to connect. Network Manager works fairly well these days, and has plugins
    for some VPNs.

    It's a headless system so command line only and I want it to be able
    to boot up into a connected state without any local interaction.


    Obviously arrange for the client to have any keys or certificates it requires. It is wise to have human intervention required
    e.g. to have a private key encrypted with a good passphrase which is not entrusted to the VPN client, so if the key becomes compromised it can
    be cancelled and replaced without much risk of intrusion. I keep
    OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
    lose a laptop, my home network is still safe, and if I lose the wallet,
    the encryption passphrase isn't stored on the stick.

    Yes, VPNs aren't really designed for what I want to do are they!

    It's possible to use a VPN to get to what I want but it's hardly the obvious/ideal way to do it.

    I think in reality my existing setup (behind a WiFi NAT firewall)
    using ssh tunnels is much closer to what I need than a VPN. It'll
    work just as well behind a 3G/4G router that's NAT'ted.

    --
    Chris Green
    ·

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Chris Green@3:770/3 to Richard Falken on Tue Dec 29 09:43:04 2020
    Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org> wrote:
    Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
    By: Chris Green to druck on Mon Dec 28 2020 12:46 pm

    If a router 'supports VPN' what does that actually mean?

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?

    VPN capable routers are used mainly for enterprise /small businesses.

    The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).

    ie:

    LAN A has subnet 192.168.10.0/

    LAN B has 192.168.20.0/

    The router generated VPN makes it so a computer in LAN A can use a network printer with ip 192.168.20.5 in LAN B, access a file server which is not allowed traffic to the open internet at 192.168.20.11 (LAN B) etc as if both networks were directly connected, instead of separated by the whole Internet. In fact the connection between the two networks is encrypted and thus deemed private.

    This is the most common scenario that you find documented for VPN enabled routers, followed by the road-warrior setup (you use VPN in order to allow a laptop using an insecure LAN connect to your office in Berlin and access resources in LAN A as if the laptop was in Berlin's office).

    Thanks for that beautifully clear explanation, it's this sort of thing
    that is *far* from obvious when you look at how tos for VPNs.

    I guess the 'road-warrior setup' is nearest to what I want to do
    though in reality the 'insecure LAN' involved is just one computer.

    --
    Chris Green
    ·

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From A. Dumas@3:770/3 to Chris Green on Tue Dec 29 10:30:44 2020
    Chris Green <cl@isbd.net> wrote:
    Neither do I need security, the remote system has no personal
    information on it at all, the only data to be stolen is temperatures, voltages and other measurements on my boat.

    You do need security, to prevent it from being taken over by a
    botnet/hacker and getting you banned from the network. Also if you have a
    vpn connection, it's effectively on your home lan.

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Chris Green@3:770/3 to A. Dumas on Tue Dec 29 10:46:20 2020
    A. Dumas <alexandre@dumas.fr.invalid> wrote:
    Chris Green <cl@isbd.net> wrote:
    Neither do I need security, the remote system has no personal
    information on it at all, the only data to be stolen is temperatures, voltages and other measurements on my boat.

    You do need security, to prevent it from being taken over by a
    botnet/hacker and getting you banned from the network.

    To prevent what "from being taken over by a botnet/hacker"? If they
    break into my boat and have access to the computer there then there's absolutely nothing that using a VPN will prevent. As I've said it has
    to be capable of restarting with the connection in place without my interaction. A VPN doesn't help in the slightest as far as I can see.

    Also if you have a
    vpn connection, it's effectively on your home lan.

    Exactly the problem, I don't need this at all. I want communication
    in the other direction only.

    Getting back to my original requirement:-

    I want to communicate *from* my home system to a headless SBC.

    The headless SBC (Pi or whatever) can connect to the internet but
    it's almost certainly going to be behind a NAT/firewall of some
    sort.

    --
    Chris Green
    ·

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From A. Dumas@3:770/3 to Richard Falken on Tue Dec 29 10:28:14 2020
    Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org> wrote:
    The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).

    ie:
    LAN A has subnet 192.168.10.0/
    LAN B has 192.168.20.0/

    Yes, and this is a nice gotcha if you want to connect two networks behind
    the same type of modem/from one isp; they are bound to use the same subnet, just their default settings; so the vpn connection won't work. I had this
    once on different modems/isp's; apparently 192.168.178.0 is a popular
    choice. Solution is to give one of them a different subnet.

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
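Added example (not part of any post in this thread): the subnet clash described above can be caught before setting up a site-to-site VPN by testing whether the two LAN ranges overlap. The /24 prefix lengths and the function names are assumptions for illustration; the thread gives only the network addresses.

```shell
#!/bin/sh
# Added example: detect overlapping LAN ranges before building a
# site-to-site VPN. Function names are illustrative.

# Print a dotted-quad IPv4 address as an unsigned 32-bit integer.
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|*.) return 1 ;;   # only digits and dots, no trailing dot
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                          # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|0?*|????*) return 1 ;;  # empty, leading zero, or too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "first last" (as integers) for a network given as a.b.c.d/len.
cidr_range() {
    case "$1" in
        */*) addr=${1%/*}; len=${1#*/} ;;
        *) return 1 ;;
    esac
    case "$len" in
        ''|*[!0-9]*|0?*|???*) return 1 ;;
    esac
    [ "$len" -le 32 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    start=$(( ip & mask ))
    end=$(( start | (4294967295 ^ mask) ))
    printf '%s %s' "$start" "$end"
}

# Return 0 if the two networks share any address, 1 if they do not,
# 2 if either argument is not a valid CIDR.
cidrs_overlap() {
    ra=$(cidr_range "$1") || return 2
    rb=$(cidr_range "$2") || return 2
    a_start=${ra% *}; a_end=${ra#* }
    b_start=${rb% *}; b_end=${rb#* }
    [ "$a_start" -le "$b_end" ] && [ "$b_start" -le "$a_end" ]
}

# Command-line use: script.sh 192.168.178.0/24 192.168.178.0/24
if [ $# -eq 2 ]; then
    rc=0
    cidrs_overlap "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "overlap: renumber one LAN before setting up the VPN" ;;
        1) echo "no overlap" ;;
        *) echo "invalid CIDR" >&2 ;;
    esac
fi
```
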
  • From The Natural Philosopher@3:770/3 to Theo on Tue Dec 29 10:54:48 2020
    On 28/12/2020 16:53, Theo wrote:
    Chris Green <cl@isbd.net> wrote:
    OP here - I'm in the UK but the system this is for will be in France.
    So digging out specialist providers and such is one level more
    difficult than doing it 'at home'.

    Just a thought, but have you considered using SMS to ask the remote end to initiate the connection?

    How does a Pi receive SMS?

    How does a phone receive SMS if it isn't 'always on'

    I don't know the best framework for handling the SMS side, but
    at the least something polling it with AT commands would do.

    because it's always on?



    --
    “when things get difficult you just have to lie”

    ― Jean Claud Jüncker

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Jan Panteltje@3:770/3 to cl@isbd.net on Tue Dec 29 11:18:03 2020
    On a sunny day (Tue, 29 Dec 2020 09:59:11 +0000) it happened Chris Green <cl@isbd.net> wrote in <f8brbh-qhf2.ln1@esprimo.zbmc.eu>:

    I guess that's part of my issue with all this. I don't need speed,
    all I need is something fast enough to handle interactive terminal
    usage. Neither do I need security, the remote system has no personal
    information on it at all, the only data to be stolen is temperatures,
    voltages and other measurements on my boat.

    All I need is a reliable piece of wet string between me and the SBC on
    the boat. :-)

    Depends on your programming skills
    I wrote
    smsio.c
    http://panteltje.com/panteltje/newsflex/download.html#smsio
    it receives SMS with a Huawei 3G/4G modem and then executes a script (that you will need to write to do things).
    In that script (up to you) you should parse for YOUR phone number and some commands (like "knock out pirates" or "stop motor").

    The other way around, from boat to your phone via SMS, I wrote the script 'ssms'
    it is part of xgpspc:
    http://panteltje.com/panteltje/xgpspc/index.html
    scroll down to
    Anchor drift and water in boat alarm with SMS and PMR radio alert

    Very basically it works like this, raspi measures things like GPS location, water level in bilge, some other things, compares it to some setpoints,
    and sends SMS to your phone every 15 minutes if an error condition persists.
    It can notify over radio too if needed.

    You can reply to that SMS from your phone with another SMS with some predefined commands as shown above.

    But anyways ssms (send SMS part of xgpspc) is like this:
    #!/bin/bash

    # ssms
    # sends SMS message to a Huawei G3 USB stick, stick must be in data mode with usb_modeswitch

    # All four arguments are required and must be non-empty.
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]
    then
        echo "Usage:"
        echo "ssms PIN phone_number device_name message"

        echo "Example:"
        echo "ssms 1234 31612345678 /dev/ttyUSB4 \"hello there\""

        echo " WARNING ssms WILL NOT WARN IF WRONG PIN IS ENTERED!!!!"
        exit 1
    fi

    # For now we ignore any response from the USB modem
    # so if it does not work you don't know why.

    # send PIN
    echo -en "AT+CPIN=\"$1\"\r" > "$3"
    sleep 1

    # request text mode
    echo -en "AT+CMGF=1\r" >> "$3"
    sleep 1

    # send phone number
    echo -en "AT+CMGS=\"+$2\"\r" >> "$3"
    sleep 1

    # send SMS message 0, terminated with ctrl Z
    echo -en "$4\x1a\r" >> "$3"

    echo "ready SMS send"

    exit 0



    This then runs on your boat with whatever data you want to send,

    When nothing out of the ordinary happens no SMS is sent.

    Not sure this helps, is more for programmers....

    Some pseudo code:

    while true
    do
    measure water_level
    if( water_level >= up to chin)
    ssms PIN YOUR_PHONENUMBER /dev/ttyUSB1 \"blub blub blub\"
    sleep 10*60
    done

    while true
    do
    measure GPS_position
    if(distance GPS_position - anchor_GPS_position >= 20 meter)
    ssms PIN YOUR_PHONENUMBER /dev/ttyUSB1 \"adrift at $GPS_position\"
    sleep 10*60
    done

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
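Added example (not part of the post above and not smsio's own code): one way to write the "parse for YOUR phone number and some commands" script so that SMS text is only ever compared against a fixed allow-list and never executed. The calling convention (sender number and message text as two arguments), the sample numbers and the action names are assumptions.

```shell
#!/bin/sh
# Added example: allow-list handler for commands that arrive by SMS.
# ASSUMPTION: the SMS receiver invokes this as
#     sms_handler SENDER_NUMBER "MESSAGE TEXT"
# This calling convention is hypothetical, not smsio's documented one.

# Constructed sample numbers in international format; replace with your own.
ALLOWED_SENDERS="+31612345678 +447700900123"

# Print the number with separators removed and a leading 00 turned into +.
normalize_number() {
    n=$(printf '%s' "$1" | tr -d ' ()-')
    case "$n" in
        00*) n="+${n#00}" ;;
    esac
    printf '%s' "$n"
}

# Succeed only if the sender is a well-formed number on the allow-list.
# The originator field of an SMS can be forged, so this is a filter that
# drops noise, not proof of who sent the message.
is_allowed_sender() {
    n=$(normalize_number "$1")
    case "$n" in
        +*) digits=${n#+} ;;
        *) return 1 ;;
    esac
    case "$digits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    for allowed in $ALLOWED_SENDERS; do
        if [ "$allowed" = "$n" ]; then
            return 0
        fi
    done
    return 1
}

# Map the message text to a fixed action name. The text is lower-cased and
# whitespace is collapsed, then compared as a whole string; it is never
# passed to eval or sh -c, and never used as a file name.
parse_command() {
    text=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '\t\r\n' '   ' |
           tr -s ' ' | sed 's/^ //; s/ $//')
    case "$text" in
        "stop motor") printf 'STOP_MOTOR' ;;
        "knock out pirates") printf 'SOUND_ALARM' ;;
        *) return 1 ;;
    esac
}

# Print the action to take, or a rejection reason, for one received SMS.
handle_sms() {
    if ! is_allowed_sender "$1"; then
        printf 'REJECT_SENDER'
        return 1
    fi
    if ! action=$(parse_command "$2"); then
        printf 'REJECT_COMMAND'
        return 1
    fi
    printf '%s' "$action"
}

# Command-line use: the caller acts on the printed action name.
if [ $# -eq 2 ]; then
    handle_sms "$1" "$2"
    echo
fi
```
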
  • From DeepCore@3:770/3 to All on Tue Dec 29 11:36:34 2020
    Am 29.12.2020 um 11:28 schrieb A. Dumas:
    ... apparently 192.168.178.0 is a popular choice ...

    Yes, it is the standard default on AVM Fritzbox, the de-facto standard
    internet modem+router in Germany.

    Stumbled once over this when trying out VPNs between my network and my parents...

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From The Natural Philosopher@3:770/3 to Kurt Weiske on Tue Dec 29 10:56:33 2020
    On 27/12/2020 19:34, Kurt Weiske wrote:
    The Natural Philosopher wrote to Joe <=-

    > It's a common requirement, and the magic codeword is 'M2M' (machine to
    > machine). You'll probably need to go to a specialist SIM provider, the
    > average high-street phone shop salesman won't have a clue what you're
    > talking about.

    TNP> That I did NOT know. That simplifies everything

    We have a handful of T-Mobile 4G hotspots, and that service is
    $5/month, if memory serves. It's a great deal for what possibilities
    it opens up.

    Indeed it is,

    I wouldn't mind having e.g. a streaming wildlife camera down the garden,
    out of wifi range



    --
    There is something fascinating about science. One gets such wholesale
    returns of conjecture out of such a trifling investment of fact.

    Mark Twain

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Richard Falken@1:123/115 to Chris Green on Tue Dec 29 06:19:17 2020
    Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alo
    By: Chris Green to Richard Falken on Tue Dec 29 2020 09:43 am

    I just had a crazy idea.

    Why don't you set a Tor or I2P hidden service for the service running on your boat?

    You can set an i2p node in your Raspberry, and it will work even if the mobile connection the raspberry uses is behind Carrier Grade NAT or whatever have you.

    Your i2p node can get an i2p address assigned. Then you can access it using an i2p client from anywhere in the world.

    Advantage: easy to deploy.
    Disadvantage: You need to install i2p in any machine you want to access the raspberry from.
    Disadvantage 2: It has a bandwidth overhead, so it may damage your bills if they charge you for data volumes.
    Disadvantage 3: Lag is going to be bad, especially if your mobile signal is bad quality. If the mobile signal is reeeeally bad then this approach becomes unusable in practice.
    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (1:123/115)
  • From A. Dumas@3:770/3 to All on Tue Dec 29 12:29:51 2020
    Op 29-12-2020 om 11:46 schreef Chris Green:
    A. Dumas <alexandre@dumas.fr.invalid> wrote:
    Chris Green <cl@isbd.net> wrote:
    Neither do I need security, the remote system has no personal
    information on it at all, the only data to be stolen is temperatures,
    voltages and other measurements on my boat.

    You do need security, to prevent it from being taken over by a
    botnet/hacker and getting you banned from the network.

    To prevent what "from being taken over by a botnet/hacker"? If they
    break into my boat and have access to the computer there then there's absolutely nothing that using a VPN will prevent.

    To prevent the Raspberry Pi (or Beagle Bone or whatever) from being
    taken over. It isn't about protecting your humidity sensor readings,
    it's to prevent it becoming part of a botnet used for sending spam or
    DDOS attacks. Admittedly a very low chance, they mainly target always-on
    office Windows PC's, but still worth considering, I think, to prevent it
    being cut off by the network owner. And, you know, to be a decent netizen.

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From A. Dumas@3:770/3 to Axel Berger on Tue Dec 29 14:06:31 2020
    On 29-12-2020 13:37, Axel Berger wrote:
    Richard Falken wrote:
    followed by the road-warrior setup

    There is a third common usage, the one I use frequently:
    I VPN to the university library and go to a publisher's website. The publisher sees my university IP-address and recognizes me as authorized
    to access his content.

    It is this that allows me to work from home.

    This is ~exactly how the general public now knows "vpn": to pretend to
    be from a different country and circumvent geoblocks on content.
    Unfortunately, but perhaps inherently, these are often dodgy services.

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Axel Berger@3:770/3 to Richard Falken on Tue Dec 29 13:37:17 2020
    Richard Falken wrote:
    followed by the road-warrior setup

    There is a third common usage, the one I use frequently:
    I VPN to the university library and go to a publisher's website. The
    publisher sees my university IP-address and recognizes me as authorized
    to access his content.

    It is this that allows me to work from home.


    --
    /\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
    \ / HTML | Roald-Amundsen-Straße 2a Fax: +49/ 221/ 7771 8069
    X in | D-50829 Köln-Ossendorf http://berger-odenthal.de
    / \ Mail | -- No unannounced, large, binary attachments, please! --

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Chris Green@3:770/3 to Axel Berger on Tue Dec 29 13:17:15 2020
    Axel Berger <Spam@berger-odenthal.de> wrote:
    Richard Falken wrote:
    followed by the road-warrior setup

    There is a third common usage, the one I use frequently:
    I VPN to the university library and go to a publisher's website. The publisher sees my university IP-address and recognizes me as authorized
    to access his content.

    I do that by using a simple proxy setup, one-liner ssh command,
    configure Firefox to use the proxy and it's done.

    --
    Chris Green
    ·

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From The Natural Philosopher@3:770/3 to A. Dumas on Tue Dec 29 13:42:36 2020
    On 29/12/2020 13:06, A. Dumas wrote:
    On 29-12-2020 13:37, Axel Berger wrote:
    Richard Falken wrote:
    followed by the road-warrior setup

    There is a third common usage, the one I use frequently:
    I VPN to the university library and go to a publisher's website. The
    publisher sees my university IP-address and recognizes me as authorized
    to access his content.

    It is this that allows me to work from home.

    This is ~exactly how the general public now knows "vpn": to pretend to
    be from a different country and circumvent geoblocks on content. Unfortunately, but perhaps inherently, these are often dodgy services.

    What the content providers? Yep the UK's BBC (boy buggering communists
    as we call em )are distinctly dodgy ....and you need a VPN or some sort
    of proxy to access them from overseas.


    --
    "In our post-modern world, climate science is not powerful because it is
    true: it is true because it is powerful."

    Lucas Bergkamp

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Kees Nuyt@3:770/3 to Deloptes on Tue Dec 29 14:56:07 2020
    On Mon, 28 Dec 2020 14:01:00 +0100, Deloptes <deloptes@gmail.com> wrote:

    I do not know what was mentioned regarding OpenVPN setup, but it took me a while to understand how it works. I choose certificate based
    authentication. So I had to create and deploy certificates for and to the clients I use. This way the client can connect without providing password.

    Nowadays it's easy to set up a VPN server with
    PiVPN <https://pivpn.io/>

    It supports both WireGuard and OpenVPN. The installation
    is "guided", so it's almost impossible to forget a step.

    Warning: Wireguard is great, but often still breaks after
    apt update/upgrade, so for now I prefer OpenVPN.

    --
    Regards,
    Kees Nuyt

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Axel Berger@3:770/3 to Chris Green on Tue Dec 29 15:00:27 2020
    Chris Green wrote:
    I do that by using a simple proxy setup, one-liner ssh command,
    configure Firefox to use the proxy and it's done.

    It's me, there's a lot I don't know about networks, but I do not
    understand that sentence at all, not one little bit.


    --
    /\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
    \ / HTML | Roald-Amundsen-Straße 2a Fax: +49/ 221/ 7771 8069
    X in | D-50829 Köln-Ossendorf http://berger-odenthal.de
    / \ Mail | -- No unannounced, large, binary attachments, please! --

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From druck@3:770/3 to Chris Green on Tue Dec 29 14:24:44 2020
    On 28/12/2020 12:46, Chris Green wrote:
    If a router 'supports VPN' what does that actually mean?

    Presumably it doesn't mean that the router runs as a VPN server, or
    does it?

    Yes, decent routers such as the ASUS range (I'm currently using a
    RT-ac86u), have built in VPN clients (PPTP, L2TP and OpenVPN) and servers
    (PPTP, OpenVPN and IPSec VPN).

    If my router supports VPN (which it does, a Draytek 2860N) and I
    enable it what else needs to happen to make it useful? ... and what
    does my LAN behind the router look like, is it *all* on the VPN by
    default or what? ... and how do I connect a remote system to the VPN?

    If your router supports a VPN server, everything on your LAN works as it
    does now say on 192.168.1.x but there will be an extra subnet say
    192.168.2.x on which any devices connected to the VPN will appear on.
    For those external devices they will think they are part of the
    192.168.1.x LAN.

    When you create your VPN on the router, it will export a configuration
    text file, which you use with your OpenVPN client. Depending on the
    router this will either be usable as is (as my ASUS was) or need a
    little editing (some clients need it split in to config, key and cert
    files).

    ---druck

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Joe@3:770/3 to A. Dumas on Tue Dec 29 17:04:31 2020
    On 29 Dec 2020 10:28:14 GMT
    A. Dumas <alexandre@dumas.fr.invalid> wrote:

    Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org>
    wrote:
    The idea is that you have an office in Berlin with LAN A, and an
    office in Washington with LAN B. You configure your routers to
    establish a virtual private network between them so both LANS are
    merged (sort of).

    ie:
    LAN A has subnet 192.168.10.0/
    LAN B has 192.168.20.0/

    Yes, and this is a nice gotcha if you want to connect two networks
    behind the same type of modem/from one isp; they are bound to use the
    same subnet, just their default settings; so the vpn connection won't
    work. I had this once on different modems/isp's; apparently
    192.168.178.0 is a popular choice. Solution is to give one of them a different subnet.

    I've never seen that one, most default networks I've seen have been
    192.168.0., 192.168.1. or 192.168.254. Occasionally 192.168.16.

    But it should be a matter of course to change a new router's network to something fairly random, when you change the admin password. No, you (or
    your mother) don't want to use a VPN now, but one day you might.

    --
    Joe

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Kurt Weiske@1:218/700 to Kees Nuyt on Tue Dec 29 09:00:00 2020
    Kees Nuyt wrote to Deloptes <=-

    Nowadays it's easy to set up a VPN server with
    PiVPN <https://pivpn.io/>

    Many appliance routers can run DD-WRT or OpenWRT, and it can act as a
    an OpenVPN client or server. I'm about to order a Pi, though, and PiVPN
    looks like a nice tool to use instead - and to get familiar with the
    Pi.

    The one thing I've been trying to figure out is how to use OpenVPN to
    route selected traffic through a local node but route the rest over
    the internet. Netflix doesn't like VPNs, and I want to be able to get
    local TV stations outside of my area with an app that limits
    available channels to your local area. I'm hoping it's easier to set
    up than with DD-WRT.

    kurt weiske | kweiske at realitycheckbbs dot org
    | http://realitycheckbbs.org
    | 1:218/700@fidonet




    ... Discover your formulas and abandon them
    --- MultiMail/XT v0.52
    * Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)
  • From Kurt Weiske@1:218/700 to Axel Berger on Tue Dec 29 09:10:00 2020
    Axel Berger wrote to Chris Green <=-

    Chris Green wrote:
    I do that by using a simple proxy setup, one-liner ssh command,
    configure Firefox to use the proxy and it's done.

    It's me, there's a lot I don't know about networks, but I do not understand that sentence at all, not one little bit.

    The SSH protocol allows for port forwarding, which allows network
    traffic to be routed over it. Connect via SSH to one of the machines
    in your university, configure SSH port forwarding, and with a little
    work all web traffic will go over the ssh tunnel to your university
    and appear to come from your university instead of your home.

    It's a little deep to try and explain off the top of my head, there
    are a lot of tutorials on the web that'll explain it better than I
    can.

    kurt weiske | kweiske at realitycheckbbs dot org
    poindexter fortran | pfortran at realitycheckbbs dot org
    | http://realitycheckbbs.org
    | 1:218/700@fidonet






    ... Discover your formulas and abandon them
    --- MultiMail/XT v0.52
    * Origin: http://realitycheckbbs.org | tomorrow's retro tech (1:218/700)
  • From Chris Green@3:770/3 to Kurt Weiske on Tue Dec 29 18:27:58 2020
    Kurt Weiske <nospam.Kurt.Weiske@f1.n770.z16309.fidonet.org> wrote:
    Kees Nuyt wrote to Deloptes <=-

    Nowadays it's easy to set up a VPN server with
    PiVPN <https://pivpn.io/>

    Many appliance routers can run DD-WRT or OpenWRT, and it can act as a
    an OpenVPN client or server. I'm about to order a Pi, though, and PiVPN
    looks like a nice tool to use instead - and to get familiar with the
    Pi.

    The one thing I've been trying to figure out is how to use OpenVPN to
    route selected traffic through a local node but route the rest over
    the internet. Netflix doesn't like VPNs, and I want to be able to get
    local TV stations outside of my area with an app that limits
    available channels to your local area. I'm hoping it's easier to set
    up than with DD-WRT.

    I think a proxy would be easier, if you have some sort of presence in
    the required area of course.

    --
    Chris Green
    ·

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Chris Green@3:770/3 to Kurt Weiske on Tue Dec 29 18:26:18 2020
    Kurt Weiske <nospam.Kurt.Weiske@f1.n770.z16310.fidonet.org> wrote:
    Axel Berger wrote to Chris Green <=-

    Chris Green wrote:
    I do that by using a simple proxy setup, one-liner ssh command,
    configure Firefox to use the proxy and it's done.

    It's me, there's a lot I don't know about networks, but I do not understand that sentence at all, not one little bit.

    The SSH protocol allows for port forwarding, which allows network
    traffic to be routed over it. Connect via SSH to one of the machines
    in your university, configure SSH port forwarding, and with a little
    work all web traffic will go over the ssh tunnel to your university
    and appear to come from your university instead of your home.

    It's a little deep to try and explain off the top of my head, there
    are a lot of tutorials on the web that'll explain it better than I
    can.

    In my case I often use it when I'm in France because my library and my
    doctor both require a uk 'user'. So, on my laptop in France I simply
    do:-

    ssh -C2qTnN -D 8080 <somewhere where I have an ssh login in the UK>

    Then in firefox Network Settings simply tell it to use port 8080 as
    the proxy address, job done!

    --
    Chris Green
    ·

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Axel Berger@3:770/3 to Kurt Weiske on Tue Dec 29 22:42:04 2020
    Kurt Weiske wrote:
    Connect via SSH to one of the machines
    in your university, configure SSH port forwarding, and with a little
    work all web traffic will go over the ssh tunnel to your university
    and appear to come from your university instead of your home.

    Not for me then. Our university offers a VPN for all students but I have
    no access to any of its actual computers.


    --
    /\ No | Dipl.-Ing. F. Axel Berger Tel: +49/ 221/ 7771 8067
    \ / HTML | Roald-Amundsen-Straße 2a Fax: +49/ 221/ 7771 8069
    X in | D-50829 Köln-Ossendorf http://berger-odenthal.de
    / \ Mail | -- No unannounced, large, binary attachments, please! --

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)