Are there any simple 3G/4G add-ons for a Pi that will allow it to
power up into a mode where it has the ability to be connected to via
the mobile data connection?
I want a system that I can connect to from my home desktop/laptop on
demand.
Sort of 'thinking out loud' about this:-
I suppose a USB 3G/4G dongle could provide the hardware required
to make a mobile connection to the PI, recommendations?
It has to 'connect on demand' dialling *to* the Pi, it can't keep
the line open all the time, very expensive!
So, is there software for Linux (and thus for the Pi) which will
handle incoming calls to allow ssh login?
How does one manage the other end? Is there Linux desktop
software to allow one to dial up a remote system and then squirt
ssh down the connection?
Any/all ideas would be very welcome.
I'm happy with fairly low-level stuff, I am a retired software
engineer, grew up with Unix (solaris) command line and I'm also quite
into home-build electronics projects.
On 27/12/2020 12:42, Chris Green wrote:
> Are there any simple 3G/4G add-ons for a Pi that will allow it to
> power up into a mode where it has the ability to be connected to via
> the mobile data connection?
> I want a system that I can connect to from my home desktop/laptop on demand.
> Sort of 'thinking out loud' about this:-
> I suppose a USB 3G/4G dongle could provide the hardware required
> to make a mobile connection to the PI, recommendations?
> It has to 'connect on demand' dialling *to* the Pi, it can't keep
> the line open all the time, very expensive!
Why? A smart phone sim is a charge per gigabyte. They are always on for
data!
> So, is there software for Linux (and thus for the Pi) which will
> handle incoming calls to allow ssh login?
Just use an IP capable dongle forget about 'incoming calls' and ssh
right in. Biggest problem will be on what IP address you appear,
> How does one manage the other end? Is there Linux desktop
> software to allow one to dial up a remote system and then squirt
> ssh down the connection?
3G/4G is not 'dial up'!
> Any/all ideas would be very welcome.
Look I think you have got the wrong end of the stick about how mobile IP
works...where is this pi going to be? Do you have a fixed IP address on
your ISP interface?
It's almost impossible to set up a mobile connection to receive
unsolicited IP. The mobile provider will absolutely do massive NAT. So
you need the Pi to be always online and connected to something that you
can contact, and then figure out a way to hijack the link. Just running
keepalive packets won't break the bank.
sshing in won't be trivial but without knowing what you want to do with
the pi it's hard to say whether you need to. For example just polling a
webserver the pi could detect a request for data and upload it to the
webserver where you could download it. Even to the point of downloading
a command line off the server executing it on the pi and sending stdout
back to the server...
> I'm happy with fairly low-level stuff, I am a retired software
> engineer, grew up with Unix (solaris) command line and I'm also quite
> into home-build electronics projects.
Start with the assumption that you can't open a connection to a mobile
equipped pi, but 'always on' FROM the pi won't be costly.
"Chris Green" <cl@isbd.net> wrote in message news:83cmbh-3vl4.ln1@esprimo.zbmc.eu...
> Are there any simple 3G/4G add-ons for a Pi that will allow it to
> power up into a mode where it has the ability to be connected to via
> the mobile data connection?
> I want a system that I can connect to from my home desktop/laptop on demand.
> Sort of 'thinking out loud' about this:-
> I suppose a USB 3G/4G dongle could provide the hardware required
> to make a mobile connection to the PI, recommendations?
> It has to 'connect on demand' dialling *to* the Pi, it can't keep
> the line open all the time, very expensive!
> So, is there software for Linux (and thus for the Pi) which will
> handle incoming calls to allow ssh login?
> How does one manage the other end? Is there Linux desktop
> software to allow one to dial up a remote system and then squirt
> ssh down the connection?
> Any/all ideas would be very welcome.
> I'm happy with fairly low-level stuff, I am a retired software
> engineer, grew up with Unix (solaris) command line and I'm also quite
> into home-build electronics projects.
As I understand it, data connections (as opposed to voice connections) are
permanently on and don't accrue connection charges. You get a standard
amount of data per month that can be transferred over the connection, which
varies according to the tariff.
So you need a USB mobile data device and a SIM with a suitable data tariff.
Then you need a means of connecting to the Pi, in the same way that you
would if it was connected by Ethernet/wifi to your home network. VNC Server
on the Pi and VNC Client on the computers that will connect to the Pi will
give you a remote desktop. There may be ways of doing it with PuTTY or other
ssh terminal apps, though I'm not sure how those handle you being connected
by a public WAN rather than LAN: I've only used Juice SSH on my mobile phone
for connecting to my Pi over my private LAN.
Since you will be running the Pi headless, one little hint (in case you
haven't discovered this already) with the Pi 4: you need to tell the Pi to
boot even if it can't find a monitor connected by HDMI and to set the video
mode which would normally be negotiated between Pi and monitor at boot time.
> Are there any simple 3G/4G add-ons for a Pi that will allow it to
> power up into a mode where it has the ability to be connected to via
> the mobile data connection?
So does just trying to connect *to* the device which has the data sim
dongle wake up the connection?
It means one needs a dynamic DNS
service but that's not a big problem.
In message <83cmbh-3vl4.ln1@esprimo.zbmc.eu>
Chris Green <cl@isbd.net> wrote:
> Are there any simple 3G/4G add-ons for a Pi that will allow it to power up
> into a mode where it has the ability to be connected to via the mobile data
> connection?
> I want a system that I can connect to from my home desktop/laptop on
> demand.
> Sort of 'thinking out loud' about this:-
> I suppose a USB 3G/4G dongle could provide the hardware required
> to make a mobile connection to the PI, recommendations?
> It has to 'connect on demand' dialling *to* the Pi, it can't keep
> the line open all the time, very expensive!
> So, is there software for Linux (and thus for the Pi) which will
> handle incoming calls to allow ssh login?
> How does one manage the other end? Is there Linux desktop
> software to allow one to dial up a remote system and then squirt
> ssh down the connection?
> Any/all ideas would be very welcome.
> I'm happy with fairly low-level stuff, I am a retired software engineer,
> grew up with Unix (solaris) command line and I'm also quite into home-build
> electronics projects.
It seems very much to me that this depends on whether the Pi can have
a fixed IP address, or be behind a router that supports Dynamic DNS.
If either of those is true, you can ssh to it easily.
If you have no idea of its IP address, then it gets somewhat harder.
Tell us a bit more about the Pi's connectivity, and we may be able to
help you more.
David
The Natural Philosopher <tnp@invalid.invalid> wrote:
> Just use an IP capable dongle forget about 'incoming calls' and ssh
> right in. Biggest problem will be on what IP address you appear,
Yes, as I said it needs a dynamic DNS service but that's all.
> if the 4G connection is down, there's no remote way you can
> you could do something custom like sending an SMS to
> the dongle [...] and have
> something running on the Pi to bring up the 4G connection
But all-in-all, I think I'd just nail the VPN and/or 4G up all the time.
The Natural Philosopher <tnp@invalid.invalid> wrote:
> On 27/12/2020 12:42, Chris Green wrote:
>> Are there any simple 3G/4G add-ons for a Pi that will allow it to
>> power up into a mode where it has the ability to be connected to via
>> the mobile data connection?
>> I want a system that I can connect to from my home desktop/laptop on
>> demand.
>> Sort of 'thinking out loud' about this:-
>> I suppose a USB 3G/4G dongle could provide the hardware required
>> to make a mobile connection to the PI, recommendations?
>> It has to 'connect on demand' dialling *to* the Pi, it can't keep
>> the line open all the time, very expensive!
> Why? A smart phone sim is a charge per gigabyte. They are always on for
> data!
So does just trying to connect *to* the device which has the data sim
dongle wake up the connection? It means one needs a dynamic DNS
service but that's not a big problem.
>> So, is there software for Linux (and thus for the Pi) which will
>> handle incoming calls to allow ssh login?
> Just use an IP capable dongle forget about 'incoming calls' and ssh
> right in. Biggest problem will be on what IP address you appear,
Yes, as I said it needs a dynamic DNS service but that's all.
>> How does one manage the other end? Is there Linux desktop
>> software to allow one to dial up a remote system and then squirt
>> ssh down the connection?
> 3G/4G is not 'dial up'!
>> Any/all ideas would be very welcome.
> Look I think you have got the wrong end of the stick about how mobile IP
> works...where is this pi going to be? Do you have a fixed IP address on
> your ISP interface?
I probably have got it all wrong! The Pi is actually a Beaglebone
Black but that's irrelevant.
All I want to do is be able to use ssh to connect *to* the BBB from
home computers which have an internet connection. The BBB doesn't
have WiFi available.
> It's almost impossible to set up a mobile connection to receive
> unsolicited IP. The mobile provider will absolutely do massive NAT. So
> you need the Pi to be always online and connected to something that you
> can contact, and then figure out a way to hijack the link. Just running
> keepalive packets won't break the bank.
Currently it uses (rather flaky) marina WiFi and sets up ssh reverse
tunnels by connecting to an intermediate system so that I can then
connect *to* it via the intermediate system.
I am looking for something more reliable.
> sshing in won't be trivial but without knowing what you want to do with
> the pi it's hard to say whether you need to. For example just polling a
> webserver the pi could detect a request for data and upload it to the
> webserver where you could download it. Even to the point of downloading
> a command line off the server executing it on the pi and sending stdout
> back to the server...
>> I'm happy with fairly low-level stuff, I am a retired software
>> engineer, grew up with Unix (solaris) command line and I'm also quite
>> into home-build electronics projects.
> Start with the assumption that you can't open a connection to a mobile
> equipped pi, but 'always on' FROM the pi won't be costly.
So, if one has 'always on' FROM the pi does that then just require
some sort of dynamic dns service to be able to ssh *to* it?
Chris Green wrote:
> So does just trying to connect *to* the device which has the data sim
> dongle wake up the connection?
A *little* bit more than that, a lot of 4G dongles still pretend to be
modems, using e.g. ATDT*99# command to "dial" the connection, no
dialling takes place, but it's a convenient lie to allow a PPP daemon to
bring up the 4G connection and get an IP addr etc.
> It means one needs a dynamic DNS
> service but that's not a big problem.
That'll work, provided your mobile provider gives you a public IP
address, not a private one that's NATed.
On Sun, 27 Dec 2020 14:27:46 +0000
Chris Green <cl@isbd.net> wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> Just use an IP capable dongle forget about 'incoming calls' and ssh
>> right in. Biggest problem will be on what IP address you appear,
> Yes, as I said it needs a dynamic DNS service but that's all.
It is possible to get a fixed, public IP address on a 4G SIM, but it
takes a bit of finding. Even then, the actual IP address is dynamic and
private, but the 4G operator runs a NAT server to accept calls on a
fixed public address and route them to the SIM.
It's a common requirement, and the magic codeword is 'M2M' (machine to
machine). You'll probably need to go to a specialist SIM provider, the
average high-street phone shop salesman won't have a clue what you're
talking about.
> Chris Green wrote:
>> So does just trying to connect *to* the device which has the data sim
>> dongle wake up the connection?
> A *little* bit more than that, a lot of 4G dongles still pretend to be
> modems, using e.g. ATDT*99# command to "dial" the connection, no
> dialling takes place, but it's a convenient lie to allow a PPP daemon to
> bring up the 4G connection and get an IP addr etc.
>> It means one needs a dynamic DNS
>> service but that's not a big problem.
> That'll work, provided your mobile provider gives you a public IP
> address, not a private one that's NATed.
That's a very very big IF.
Chris Green wrote:
> Are there any simple 3G/4G add-ons for a Pi that will allow it to
> power up into a mode where it has the ability to be connected to via
> the mobile data connection?
Not really, if the 4G connection is down, there's no remote way you can
ask it to come up, you could do something custom like sending an SMS to
the dongle (if the SIM supports SMS in addition to data) and have
something running on the Pi to bring up the 4G connection in response
(and maybe text you back the IP address it has)
The other possible wrinkle is that even with the 4G connection up, it
may be using CGNAT which doesn't allow inbound TCP connections, just
outbound, so again you might homebrew something that brings up a VPN
tunnel from the Pi end over the 4G, then you can connect through the
tunnel ...
Andy Burns <usenet@andyburns.uk> wrote:
> Chris Green wrote:
>> So does just trying to connect *to* the device which has the data sim
>> dongle wake up the connection?
> A *little* bit more than that, a lot of 4G dongles still pretend to be
> modems, using e.g. ATDT*99# command to "dial" the connection, no
> dialling takes place, but it's a convenient lie to allow a PPP daemon to
> bring up the 4G connection and get an IP addr etc.
>> It means one needs a dynamic DNS
>> service but that's not a big problem.
> That'll work, provided your mobile provider gives you a public IP
> address, not a private one that's NATed.
Or I can do what I already do out through the marina WiFi, set up
reverse ssh tunnels. That might actually be the way to do it anyway
as it avoids the need for dynamic DNS.
On 27/12/2020 15:08, Joe wrote:
> On Sun, 27 Dec 2020 14:27:46 +0000
> Chris Green <cl@isbd.net> wrote:
>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>> Just use an IP capable dongle forget about 'incoming calls' and ssh
>>> right in. Biggest problem will be on what IP address you appear,
>> Yes, as I said it needs a dynamic DNS service but that's all.
> It is possible to get a fixed, public IP address on a 4G SIM, but it
> takes a bit of finding. Even then, the actual IP address is dynamic and
> private, but the 4G operator runs a NAT server to accept calls on a
> fixed public address and route them to the SIM.
> It's a common requirement, and the magic codeword is 'M2M' (machine to
> machine). You'll probably need to go to a specialist SIM provider, the
> average high-street phone shop salesman won't have a clue what you're
> talking about.
That I did NOT know. That simplifies everything
>> Start with the assumption that you can't open a connection to a mobile
>> equipped pi, but 'always on' FROM the pi won't be costly.
> So, if one has 'always on' FROM the pi does that then just require
> some sort of dynamic dns service to be able to ssh *to* it?
No, not even that will work.
Because that will take you to the ISP's NAT router and there will be no
way to route onward to the Pi.
*Only if the Pi initiates the connection* will the NAT router set up a
mapping between public IP/port and PI IP/port.
It's analogous to your current wifi setup. The Pi will have to be online
and permanently connected in some way to a publicly accessible server
that you can use as a gateway.
On 27/12/2020 14:49, Andy Burns wrote:
> Chris Green wrote:
>> So does just trying to connect *to* the device which has the data sim
>> dongle wake up the connection?
> A *little* bit more than that, a lot of 4G dongles still pretend to be
> modems, using e.g. ATDT*99# command to "dial" the connection, no
> dialling takes place, but it's a convenient lie to allow a PPP daemon to
> bring up the 4G connection and get an IP addr etc.
>> It means one needs a dynamic DNS
>> service but that's not a big problem.
> That'll work, provided your mobile provider gives you a public IP
> address, not a private one that's NATed.
That's a very very big IF.
I run a few public websites and trawl through the logs have happened
when they have been DOSed
All IP ranges from mobile devices have been NATed. It is extremely rare
to find *anyone* actually not behind a NAT router - some big companies.
Obviously if YOU control the NAT router not the mobile ISP, and THAT has
a fixed IP address you can set up an inbound connection but not many
people do.
The Natural Philosopher <tnp@invalid.invalid> wrote:
> On 27/12/2020 15:08, Joe wrote:
>> On Sun, 27 Dec 2020 14:27:46 +0000 Chris Green <cl@isbd.net> wrote:
>>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>>> Just use an IP capable dongle forget about 'incoming calls' and ssh
>>>> right in. Biggest problem will be on what IP address you appear,
>>> Yes, as I said it needs a dynamic DNS service but that's all.
>> It is possible to get a fixed, public IP address on a 4G SIM, but it
>> takes a bit of finding. Even then, the actual IP address is dynamic
>> and private, but the 4G operator runs a NAT server to accept calls on
>> a fixed public address and route them to the SIM.
>> It's a common requirement, and the magic codeword is 'M2M' (machine
>> to machine). You'll probably need to go to a specialist SIM provider,
>> the average high-street phone shop salesman won't have a clue what
>> you're talking about.
> That I did NOT know. That simplifies everything
I think it's quite expensive (M2M that is).
Or I can do what I already do out through the marina WiFi, set up
reverse ssh tunnels. That might actually be the way to do it anyway
as it avoids the need for dynamic DNS.
IOW it does about the same job as the wifi link on a Pi 3, 4 or Zero W
except that it preferentially connects to a 3G or 4G base station rather
than to the nearest wifi router.
OK, my current WiFi set up is (as a mobile connection would be) behind
a NAT router and I set up reverse ssh tunnels to allow me to connect
'on demand' to the Pi (BBB). So I can do exactly the same using the
mobile data connection.
Will the mobile provider object to the connection being up all the
time but with virtually no data going through it?
On Sun, 27 Dec 2020 15:26:59 +0000
Chris Green <cl@isbd.net> wrote:
> Or I can do what I already do out through the marina WiFi, set up
> reverse ssh tunnels. That might actually be the way to do it anyway
> as it avoids the need for dynamic DNS.
That or tunnel an IPv6 connection in from Hurricane Electric and
have a routed /64 to play with (or even a /48).
On Sun, 27 Dec 2020 16:02:27 +0000, Chris Green wrote:
> I think it's quite expensive (M2M that is).
Nah, 3G/4G dongles are only as expensive as you want to make them.
On Sun, 27 Dec 2020 16:02:27 +0000, Chris Green wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> On 27/12/2020 15:08, Joe wrote:
>>> On Sun, 27 Dec 2020 14:27:46 +0000 Chris Green <cl@isbd.net> wrote:
>>>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>>>> Just use an IP capable dongle forget about 'incoming calls' and ssh
>>>>> right in. Biggest problem will be on what IP address you appear,
>>>> Yes, as I said it needs a dynamic DNS service but that's all.
>>> It is possible to get a fixed, public IP address on a 4G SIM, but it
>>> takes a bit of finding. Even then, the actual IP address is dynamic
>>> and private, but the 4G operator runs a NAT server to accept calls on
>>> a fixed public address and route them to the SIM.
>>> It's a common requirement, and the magic codeword is 'M2M' (machine
>>> to machine). You'll probably need to go to a specialist SIM provider,
>>> the average high-street phone shop salesman won't have a clue what
>>> you're talking about.
>> That I did NOT know. That simplifies everything
> I think it's quite expensive (M2M that is).
Nah, 3G/4G dongles are only as expensive as you want to make them.
On 27/12/2020 15:26, Chris Green wrote:
> Or I can do what I already do out through the marina WiFi, set up
> reverse ssh tunnels. That might actually be the way to do it anyway
> as it avoids the need for dynamic DNS.
Or even better, use OpenVPN to allow the remote device to appear on your local network. If your router supports OpenVPN, use that, otherwise run
it on a Raspberry Pi.
Chris Green <cl@isbd.net> wrote:
> OK, my current WiFi set up is (as a mobile connection would be) behind
> a NAT router and I set up reverse ssh tunnels to allow me to connect
> 'on demand' to the Pi (BBB). So I can do exactly the same using the
> mobile data connection.
> Will the mobile provider object to the connection being up all the
> time but with virtually no data going through it?
Mobile networks are often quite aggressive at killing idle connections through their CG-NAT - 30 seconds idle is common, for example. To avoid
that you have to send keepalives, which will gradually consume your data allowance.
Martin Gregorie <martin@mydomain.invalid> wrote:
> On Sun, 27 Dec 2020 16:02:27 +0000, Chris Green wrote:
>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>> On 27/12/2020 15:08, Joe wrote:
>>>> On Sun, 27 Dec 2020 14:27:46 +0000 Chris Green <cl@isbd.net>
>>>> wrote:
>>>>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>>>>> Just use an IP capable dongle forget about 'incoming calls' and
>>>>>> ssh right in. Biggest problem will be on what IP address you
>>>>>> appear,
>>>>> Yes, as I said it needs a dynamic DNS service but that's all.
>>>> It is possible to get a fixed, public IP address on a 4G SIM, but
>>>> it takes a bit of finding. Even then, the actual IP address is
>>>> dynamic and private, but the 4G operator runs a NAT server to
>>>> accept calls on a fixed public address and route them to the SIM.
>>>> It's a common requirement, and the magic codeword is 'M2M'
>>>> (machine to machine). You'll probably need to go to a specialist
>>>> SIM provider,
>>>> the average high-street phone shop salesman won't have a clue what
>>>> you're talking about.
>>> That I did NOT know. That simplifies everything
>> I think it's quite expensive (M2M that is).
> Nah, 3G/4G dongles are only as expensive as you want to make them.
Dongles are as cheap as chips, it's the M2M SIM that costs.
druck <news@druck.org.uk> wrote:
> On 27/12/2020 15:26, Chris Green wrote:
>> Or I can do what I already do out through the marina WiFi, set up
>> reverse ssh tunnels. That might actually be the way to do it anyway
>> as it avoids the need for dynamic DNS.
> Or even better, use OpenVPN to allow the remote device to appear on your
> local network. If your router supports OpenVPN, use that, otherwise run
> it on a Raspberry Pi.
Whenever I try to understand how to configure OpenVPN I rapidly get
lost.
Presumably I'd run the remote Pi (the one on the boat in France) as a
VPN client and have the VPN server running on my home LAN somewhere.
I have two Pis already on my home LAN, one of them is a Pi 4, would
that be OK to run Open VPN server?
Does an Open VPN server play nicely with an existing LAN whose DNS and
DHCP is provided by (yet) another Pi on the LAN? I.e. does everything
else work as before locally with just the addition of the remote
system so that it adds itself to the existing LAN?
Unless you want the remote system to continuously "phone home" to access your home system, I suspect you need the server to be on the remote R-Pi. It will sit, waiting for an inbound connection request from your home system, so that you can then interact with ITS OS.
On Sun, 27 Dec 2020 18:05:45 +0000, Chris Green wrote:
> Dongles are as cheap as chips, it's the M2M SIM that costs.
Not all of 'em by any means - Amazon prices seem to run from 13 quid
to over 160.
On 27.12.20 20.04, Chris Green wrote:
> druck <news@druck.org.uk> wrote:
>> On 27/12/2020 15:26, Chris Green wrote:
>>> Or I can do what I already do out through the marina WiFi, set up
>>> reverse ssh tunnels. That might actually be the way to do it anyway
>>> as it avoids the need for dynamic DNS.
>> Or even better, use OpenVPN to allow the remote device to appear on your
>> local network. If your router supports OpenVPN, use that, otherwise run
>> it on a Raspberry Pi.
> Whenever I try to understand how to configure OpenVPN I rapidly get
> lost.
> Presumably I'd run the remote Pi (the one on the boat in France) as a
> VPN client and have the VPN server running on my home LAN somewhere.
> I have two Pis already on my home LAN, one of them is a Pi 4, would
> that be OK to run Open VPN server?
> Does an Open VPN server play nicely with an existing LAN whose DNS and
> DHCP is provided by (yet) another Pi on the LAN? I.e. does everything
> else work as before locally with just the addition of the remote
> system so that it adds itself to the existing LAN?
I'm running OpenVPN with Pi3's in three different locations, and
all are running well.
You have to provide proper routing to the server Pi from the public
network. I'm using dyn.com dynamic DNS services to make the ISP's
DHCP-assigned IP addresses accessible from the outside.
If your OpenVPN machine is not the same as the incoming firewall/router,
you do need port forward from the outside to the OpenVPN machine. The
usual port is UDP/1194.
You have also a need to provide routing from the internal network
to the OpenVPN daemon for the subnet (or host) to tunnel via the VPN.
Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
> You have also a need to provide routing from the internal network
> to the OpenVPN daemon for the subnet (or host) to tunnel via the
> VPN.
Ay? I'm not at all sure what you mean by this.
On Sun, 27 Dec 2020 20:28:52 +0000
Chris Green <cl@isbd.net> wrote:
> Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
>> You have also a need to provide routing from the internal network
>> to the OpenVPN daemon for the subnet (or host) to tunnel via the
>> VPN.
> Ay? I'm not at all sure what you mean by this.
I think what he means is that using a VPN from a single computer
doesn't need any routing changes, but if you want one computer to
handle VPN for other local computers, and the VPN machine is not the
network's default gateway, then you need to tell the other computers
that the VPN computer is the gateway to the distant network. The
simplest way is with a DHCP configuration. I recall using a Win2000
workstation as a VPN server for a remote office and needing to do this.
Ahem A Rivet's Shot <steveo@eircom.net> wrote:
> On Sun, 27 Dec 2020 15:26:59 +0000
> Chris Green <cl@isbd.net> wrote:
>> Or I can do what I already do out through the marina WiFi, set up
>> reverse ssh tunnels. That might actually be the way to do it anyway
>> as it avoids the need for dynamic DNS.
> That or tunnel an IPv6 connection in from Hurricane Electric and have
> a routed /64 to play with (or even a /48).
How much do they charge for the /48 after you get the free tunnel ?
Joe <joe@jretrading.com> wrote:
> On Sun, 27 Dec 2020 20:28:52 +0000
> Chris Green <cl@isbd.net> wrote:
>> Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
>>> You have also a need to provide routing from the internal network
>>> to the OpenVPN daemon for the subnet (or host) to tunnel via the
>>> VPN.
>> Ay? I'm not at all sure what you mean by this.
> I think what he means is that using a VPN from a single computer
> doesn't need any routing changes, but if you want one computer to
> handle VPN for other local computers, and the VPN machine is not the
> network's default gateway, then you need to tell the other computers
> that the VPN computer is the gateway to the distant network. The
> simplest way is with a DHCP configuration. I recall using a Win2000
> workstation as a VPN server for a remote office and needing to do this.
Hmm!! I don't see how that makes sense. 'Using VPN from a single
computer' when the 'single computer' is on a LAN - but then it all
goes to pot doesn't it? Either the computer is on one's LAN or it's
in a VPN with the remote but it can't really do both can it?
Theo <theom+news@chiark.greenend.org.uk> wrote:
> Chris Green <cl@isbd.net> wrote:
>> OK, my current WiFi set up is (as a mobile connection would be) behind
>> a NAT router and I set up reverse ssh tunnels to allow me to connect
>> 'on demand' to the Pi (BBB). So I can do exactly the same using the
>> mobile data connection.
>> Will the mobile provider object to the connection being up all the
>> time but with virtually no data going through it?
> Mobile networks are often quite aggressive at killing idle connections
> through their CG-NAT - 30 seconds idle is common, for example. To avoid
> that you have to send keepalives, which will gradually consume your data
> allowance.
But a keepalive is only a character (or two), even if it sends a TCP
packet as a result that's 1500 bytes. Say 600 keepalives per Mb,
that's only a few Mb per day which shouldn't cost too much.
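An added example, not posted by anyone in the thread: the reverse ssh tunnel discussed above with its keepalive interval held under the 30-second CG-NAT idle figure, the daily keepalive cost worked out from the 1500-byte worst case, and the relay-side key restriction that keeps the forwarded port off the public interface. The relay host name, the `tunnel` account and port 2222 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reverse SSH tunnel from a Pi behind CGNAT,
# with keepalives sized to the NAT idle timeout. Host, user and ports are assumed.

RELAY_HOST="relay.example.net"  # hypothetical publicly reachable intermediate system
RELAY_USER="tunnel"             # hypothetical unprivileged account on the relay
RELAY_PORT=2222                 # assumed relay-side port that maps back to the Pi's sshd
NAT_IDLE_TIMEOUT=30             # seconds; the "30 seconds idle" example from the thread

# Keepalive interval: two thirds of the NAT idle timeout, so a delayed packet
# still arrives before the mapping is dropped.
keepalive_interval() {
    echo $(( $1 * 2 / 3 ))
}

# Daily keepalive volume in bytes: (seconds per day / interval) * bytes per keepalive.
# $1 = interval in seconds, $2 = assumed bytes on the wire per keepalive.
daily_keepalive_bytes() {
    echo $(( 86400 / $1 * $2 ))
}

# Command the Pi runs. The forward listens on the relay's loopback only, so the
# Pi's sshd is not exposed on the relay's public interface.
tunnel_cmd() {
    interval=$(keepalive_interval "$NAT_IDLE_TIMEOUT")
    echo "ssh -N -T" \
        "-o ServerAliveInterval=$interval" \
        "-o ServerAliveCountMax=3" \
        "-o ExitOnForwardFailure=yes" \
        "-R 127.0.0.1:$RELAY_PORT:localhost:22" \
        "$RELAY_USER@$RELAY_HOST"
}

# authorized_keys entry for the relay account. "restrict" turns off PTY, agent
# and X11 forwarding; "port-forwarding" plus "permitlisten" then allow remote
# listeners on that single loopback port only.
# $1 = the Pi's public key.
relay_authorized_keys_line() {
    echo "restrict,port-forwarding,permitlisten=\"127.0.0.1:$RELAY_PORT\" $1"
}

# Reconnect loop, run on the Pi only when RUN_TUNNEL=1 is set.
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
    while :; do
        # Unquoted on purpose: the command string is split into words.
        $(tunnel_cmd) || true
        sleep 10
    done
fi
```

With a 20-second interval and the thread's 1500-byte worst case, the keepalive budget comes to 6,480,000 bytes a day.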
Odds are that the OP isn't in Australia, so I won't bother trying to
dig up the link. But I'm guessing that there would be similar
options in their country if they looked hard enough. Mobile
broadband is now used quite a bit in industry for this sort of
thing.
On 27/12/2020 14:12, David Higton wrote:
> If you have no idea of its IP address, then it gets somewhat harder.
By definition on a mobile network it's behind a HUGE NAT proxy. Unless
you are supremely lucky and you get an IPv6 address
The Natural Philosopher <tnp@invalid.invalid> wrote:
>>> Start with the assumption that you can't open a connection to a mobile
>>> equipped pi, but 'always on' FROM the pi won't be costly.
>> So, if one has 'always on' FROM the pi does that then just require
>> some sort of dynamic dns service to be able to ssh *to* it?
> No, not even that will work.
> Because that will take you to the ISP's NAT router and there will be no
> way to route onward to the Pi.
> *Only if the Pi initiates the connection* will the NAT router set up a
> mapping between public IP/port and PI IP/port.
> It's analogous to your current wifi setup. The Pi will have to be online
> and permanently connected in some way to a publicly accessible server
> that you can use as a gateway.
OK, my current WiFi set up is (as a mobile connection would be) behind
a NAT router and I set up reverse ssh tunnels to allow me to connect
'on demand' to the Pi (BBB). So I can do exactly the same using the
mobile data connection.
Will the mobile provider object to the connection being up all the
time but with virtually no data going through it?
Chris Green <cl@isbd.net> wrote:
> Theo <theom+news@chiark.greenend.org.uk> wrote:
> > Chris Green <cl@isbd.net> wrote:
> > > OK, my current WiFi set up is (as a mobile connection would be) behind
> > > a NAT router and I set up reverse ssh tunnels to allow me to connect
> > > 'on demand' to the Pi (BBB). So I can do exactly the same using the
> > > mobile data connection.
> > > Will the mobile provider object to the connection being up all the
> > > time but with virtually no data going through it?
> > Mobile networks are often quite aggressive at killing idle connections
> > through their CG-NAT - 30 seconds idle is common, for example. To avoid
> > that you have to send keepalives, which will gradually consume your data
> > allowance.
> But a keepalive is only a character (or two), even if it sends a TCP
> packet as a result that's 1500 bytes. Say 600 keepalives per Mb,
> that's only a few Mb per day which shouldn't cost too much.
This depends on the provider. I've been using mobile broadband for
my home internet for years, from various providers. At least one
rounded up the data used over certain connection periods for
charging purposes. Maybe you'll avoid that if the connection never
does go dead, but on the other hand it might trigger regular
round-ups to 1MB just because an open connection gets rounded up
to 1MB every so often by their system.
This is a "try it and see" sort of thing, terms of service
documents can be long and detailed, but often don't actually match
the reality of how their system works. Some providers round up by
KB instead of MB, by the way.
This is based on experience with mobile broadband providers in
Australia only.
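The arrangement discussed in the posts above (a Pi behind CG-NAT holding a reverse ssh tunnel open to a publicly reachable gateway, with keepalives sent more often than the 30-second idle timeout Theo mentions), as an added example that is not from any poster in this thread. The host name gateway.example.net, the accounts tunnel, me and pi, port 2222, the alias names and the key placeholder are assumptions; the options themselves are standard OpenSSH.

```sshconfig
# ---- File 1, on the Pi: ~/.ssh/config (constructed example) ----
# Run as:  ssh -N boat-tunnel
# from a supervisor (systemd unit, autossh) that restarts it on exit.
Host boat-tunnel
    # Assumption: a server you control with a public address.
    HostName gateway.example.net
    # Assumption: unprivileged account used only for this tunnel.
    User tunnel
    IdentityFile ~/.ssh/id_ed25519_tunnel
    IdentitiesOnly yes
    # Port 2222 on the gateway's loopback leads back to the Pi's sshd.
    RemoteForward localhost:2222 localhost:22
    # Exit if the forward cannot be set up, so the supervisor retries
    # instead of leaving a connected but useless session.
    ExitOnForwardFailure yes
    # Keepalive inside the encrypted channel every 20 s, under the
    # 30 s idle timeout; drop the session after 3 unanswered probes.
    ServerAliveInterval 20
    ServerAliveCountMax 3

# ---- File 2, on the gateway: ~tunnel/.ssh/authorized_keys ----
# One line. "restrict" turns off PTY, agent and X11 forwarding;
# "port-forwarding" re-enables forwarding; "permitlisten" limits
# remote forwards to this single loopback listener.
# The key material below is a placeholder, not a real key.
restrict,port-forwarding,permitlisten="localhost:2222" ssh-ed25519 AAAA...PLACEHOLDER pi-tunnel

# ---- File 3, on the desktop: ~/.ssh/config ----
# "ssh boat" logs in to the gateway first, then connects to the
# gateway's localhost:2222, which is the Pi's end of the tunnel.
Host boat
    HostName localhost
    Port 2222
    User pi
    ProxyJump me@gateway.example.net
    # Store the Pi's host key under its own name, not "localhost".
    HostKeyAlias boat
```

Because the forward listens only on the gateway's loopback address, the Pi's sshd is reachable only by someone who can already log in to the gateway.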
The Natural Philosopher <tnp@invalid.invalid> wrote:
> On 27/12/2020 14:12, David Higton wrote:
> > If you have no idea of its IP address, then it gets somewhat harder.
> By definition on a mobile network it's behind a HUGE NAT proxy. Unless
> you are supremely lucky and you get an IPV6 address
Yes that's the case for any "normal" account. In Australia there
is/was at least one reseller offering mobile broadband accounts
with a fixed IPv4 address, on either the Telstra or Optus networks.
You paid for it of course, but it wasn't big $$$.
Odds are that the OP isn't in Australia, so I won't bother trying to
dig up the link. But I'm guessing that there would be similar
options in their country if they looked hard enough. Mobile
broadband is now used quite a bit in industry for this sort of
thing.
Joe <joe@jretrading.com> wrote:
> On Sun, 27 Dec 2020 20:28:52 +0000
> Chris Green <cl@isbd.net> wrote:
> > Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
> > > You have also a need to provide routing from the internal
> > > network to the OpenVPN daemon for the subnet (or host) to
> > > tunnel via the VPN.
> > Ay? I'm not at all sure what you mean by this.
> I think what he means is that using a VPN from a single computer
> doesn't need any routing changes, but if you want one computer to
> handle VPN for other local computers, and the VPN machine is not the
> network's default gateway, then you need to tell the other computers
> that the VPN computer is the gateway to the distant network. The
> simplest way is with a DHCP configuration. I recall using a Win2000
> workstation as a VPN server for a remote office and needing to do
> this.
Hmm!! I don't see how that makes sense. 'Using VPN from a single
computer' when the 'single computer' is on a LAN - but then it all
goes to pot doesn't it? Either the computer is on one's LAN or it's
in a VPN with the remote but it can't really do both can it?
Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
> On 27.12.20 20.04, Chris Green wrote:
> > Ay? I'm not at all sure what you mean by this.
> If your OpenVPN machine is not the same as the incoming firewall/router,
> you do need port forward from the outside to the OpenVPN machine. The
> usual port is UDP/1194.
> You have also a need to provide routing from the internal network
> to the OpenVPN daemon for the subnet (or host) to tunnel via the VPN.
The first and last are 'site-to-site' VPNs, handling multiple clients.
Best done by scenario 1), but can be done by 3) if the gateway cannot
be a client of the VPN type required. Most modern routers can be client
or server to some VPN types e.g. IPSec and PPTP, but not usually
OpenVPN.
OP here - I'm in the UK but the system this is for will be in France.
So digging out specialist providers and such is one level more
difficult than doing it 'at home'.
On 28/12/2020 11:07, Joe wrote:
> The first and last are 'site-to-site' VPNs, handling multiple clients.
> Best done by scenario 1), but can be done by 3) if the gateway cannot
> be a client of the VPN type required. Most modern routers can be client
> or server to some VPN types e.g. IPSec and PPTP, but not usually
> OpenVPN.
Asus routers support OpenVPN client and server out of the box. Any
router supported by OpenWrt is also OK.
Martin Gregorie wrote to Chris Green <=-
IOW it does about the same job as the wifi link on a Pi 3, 4 or Zero W except that it preferentially connects to a 3G or 4G base station
rather than to the nearest wifi router.
OP here - I'm in the UK but the system this is for will be in France.
So digging out specialist providers and such is one level more
difficult than doing it 'at home'.
Getting the carrier to provision them properly may be tough. I have a
Thinkpad laptop with a SIM slot for a Gobi card, but if I slot in a
working GSM sim, it doesn't work. Don't know if they're locked to a
specific carrier or need to be provisioned differently to work.
druck <news@druck.org.uk> wrote:
> On 28/12/2020 11:07, Joe wrote:
> > The first and last are 'site-to-site' VPNs, handling multiple
> > clients. Best done by scenario 1), but can be done by 3) if the
> > gateway cannot be a client of the VPN type required. Most modern
> > routers can be client or server to some VPN types e.g. IPSec and
> > PPTP, but not usually OpenVPN.
> Asus routers support OpenVPN client and server out of the box. Any
> router supported by OpenWrt is also OK.
If a router 'supports VPN' what does that actually mean?
Presumably it doesn't mean that the router runs as a VPN server, or
does it?
If my router supports VPN (which it does, a Draytek 2860N) and I
enable it what else needs to happen to make it useful? ... and what
does my LAN behind the router look like, is it *all* on the VPN by
default or what? ... and how do I connect a remote system to the VPN?
> If my router supports VPN (which it does, a Draytek 2860N) and I
> enable it what else needs to happen to make it useful?
It depends on the type of VPN. Some like OpenVPN are normally secured
by certificates, some just by password. They will often need a key at
both ends for use in the symmetrical encryption. Asymmetrical encryption
can be provided by the certificate, but that is generally too slow to
have a decent performance.
> ... and what
> does my LAN behind the router look like, is it *all* on the VPN by
> default or what? ... and how do I connect a remote system to the VPN?
If the router is the endpoint, then all the LAN is potentially
available to the client. If the router has a decent firewall user
interface, then access can be tailored so that only certain LAN
computers are visible. Ideally the router should connect to the LAN via
a separate firewall computer running iptables or nftables, which allow
very fine-grained control in forwarding. Of course, the LAN computer
firewalls can also permit packets on only certain ports when arriving
from the router.
> ... and how do I connect a remote system to the VPN?
Give the VPN client the public IP address or hostname, and tell it to
connect. Network Manager works fairly well these days, and has plugins
for some VPNs.
Obviously arrange for the client to have any keys or certificates it
requires. It is wise to have human intervention required e.g. to have a
private key encrypted with a good passphrase which is not entrusted to
the VPN client, so if the key becomes compromised it can be cancelled
and replaced without much risk of intrusion. I keep
OpenVPN, ssh and other keys on a USB stick in my wallet, so even if I
lose a laptop, my home network is still safe, and if I lose the wallet,
the encryption passphrase isn't stored on the stick.
Re: Re: Simplest 3G/4G connection for Pi, must work headless and stand-alothus
By: Chris Green to druck on Mon Dec 28 2020 12:46 pm
> If a router 'supports VPN' what does that actually mean?
> Presumably it doesn't mean that the router runs as a VPN server, or
> does it?
> If my router supports VPN (which it does, a Draytek 2860N) and I
> enable it what else needs to happen to make it useful? ... and what
> does my LAN behind the router look like, is it *all* on the VPN by
> default or what? ... and how do I connect a remote system to the VPN?
VPN capable routers are used mainly for enterprise /small businesses.
The idea is that you have an office in Berlin with LAN A, and an office in Washington with LAN B. You configure your routers to establish a virtual private network between them so both LANS are merged (sort of).
ie:
LAN A has subnet 192.168.10.0/
LAN B has 192.168.20.0/
The router generated VPN makes it so a computer in LAN A can use a network printer with ip 192.168.20.5 in LAN B, access a file server which is not allowed traffic to the open internet at 192.168.20.11 (LAN B) etc as if both networks were directly connected, instead of separated by the whole Internet. In fact the connection between the two networks is encrypted and deemed private.
This is the most common scenario that you find documented for VPN enabled routers, followed by the road-warrior setup (you use VPN in order to allow a laptop using an insecure LAN connect to your office in Berlin and access resources in LAN A as if the laptop was in Berlin's office).
Chris Green <cl@isbd.net> wrote:
> Neither do I need security, the remote system has no personal
> information on it at all, the only data to be stolen is temperatures,
> voltages and other measurements on my boat.
You do need security, to prevent it from being taken over by a
botnet/hacker and getting you banned from the network.
Also if you have a vpn connection, it's effectively on your home lan.
Chris Green <cl@isbd.net> wrote:
> OP here - I'm in the UK but the system this is for will be in France.
> So digging out specialist providers and such is one level more
> difficult than doing it 'at home'.
Just a thought, but have you considered using SMS to ask the remote end to initiate the connection?
I don't know the best framework for handling the SMS side, but
at the least something polling it with AT commands would do.
I guess that's part of my issue with all this. I don't need speed,
all I need is something fast enough to handle interactive terminal
usage. Neither do I need security, the remote system has no personal
information on it at all, the only data to be stolen is temperatures,
voltages and other measurements on my boat.
All I need is a reliable piece of wet string between me and the SBC on
the boat. :-)
The Natural Philosopher wrote to Joe <=-
> It's a common requirement, and the magic codeword is 'M2M' (machine to
> machine). You'll probably need to go to a specialist SIM provider, the
> average high-street phone shop salesman won't have a clue what you're
> talking about.
TNP> That I did NOT know. That simplifies everything
We have a handful of T-Mobile 4G hotspots, and that service is
$5/month, if memory serves. It's a great deal for what possibilities
it opens up.
A. Dumas <alexandre@dumas.fr.invalid> wrote:
> Chris Green <cl@isbd.net> wrote:
> > Neither do I need security, the remote system has no personal
> > information on it at all, the only data to be stolen is temperatures,
> > voltages and other measurements on my boat.
> You do need security, to prevent it from being taken over by a
> botnet/hacker and getting you banned from the network.
To prevent what "from being taken over by a botnet/hacker"? If they
break into my boat and have access to the computer there then there's
absolutely nothing that using a VPN will prevent.
Richard Falken wrote:
> followed by the road-warrior setup
There is a third common usage, the one I use frequently:
I VPN to the university library and go to a publisher's website. The
publisher sees my university IP-address and recognizes me as authorized
to access his content.
It is this that allows me to work from home.
On 29-12-2020 13:37, Axel Berger wrote:
> Richard Falken wrote:
> > followed by the road-warrior setup
> There is a third common usage, the one I use frequently:
> I VPN to the university library and go to a publisher's website. The
> publisher sees my university IP-address and recognizes me as authorized
> to access his content.
> It is this that allows me to work from home.
This is ~exactly how the general public now knows "vpn": to pretend to
be from a different country and circumvent geoblocks on content.
Unfortunately, but perhaps inherently, these are often dodgy services.
I do not know what was mentioned regarding OpenVPN setup, but it took me a while to understand how it works. I choose certificate based
authentication. So I had to create and deploy certificates for and to the clients I use. This way the client can connect without providing password.
I do that by using a simple proxy setup, one-liner ssh command,
configure Firefox to use the proxy and it's done.
Richard Falken <nospam.Richard.Falken@f1.n770.z6212.fidonet.org>
wrote:
> The idea is that you have an office in Berlin with LAN A, and an
> office in Washington with LAN B. You configure your routers to
> establish a virtual private network between them so both LANS are
> merged (sort of).
> ie:
> LAN A has subnet 192.168.10.0/
> LAN B has 192.168.20.0/
Yes, and this is a nice gotcha if you want to connect two networks
behind the same type of modem/from one isp; they are bound to use the
same subnet, just their default settings; so the vpn connection won't
work. I had this once on different modems/isp's; apparently
192.168.178.0 is a popular choice. Solution is to give one of them a
different subnet.
Kees Nuyt wrote to Deloptes <=-
> Nowadays it's easy to set up a VPN server with
> PiVPN <https://pivpn.io/>
Many appliance routers can run DD-WRT or OpenWRT, and it can act as a
OpenVPN client or server. I'm about to order a Pi, though, and PiVPN
looks like a nice tool to use instead - and to get familiar with the
Pi.
The one thing I've been trying to figure out is how to use OpenVPN to
route selected traffic through a local node but route the rest over
the internet. Netflix doesn't like VPNs, and I want to be able to get
local TV stations outside of my area with an app that limits
available channels to your local area. I'm hoping it's easier to set
up than with DD-WRT.
Axel Berger wrote to Chris Green <=-
> Chris Green wrote:
> > I do that by using a simple proxy setup, one-liner ssh command,
> > configure Firefox to use the proxy and it's done.
> It's me, there's a lot I don't know about networks, but I do not
> understand that sentence at all, not one little bit.
The SSH protocol allows for port forwarding, which allows network
traffic to be routed over it. Connect via SSH to one of the machines
in your university, configure SSH port forwarding, and with a little
work all web traffic will go over the ssh tunnel to your university
and appear to come from your university instead of your home.
It's a little deep to try and explain off the top of my head, there
are a lot of tutorials on the web that'll explain it better than I
can.