Openvpn Without Port Forwarding

Armonia Bunda

Aug 4, 2024, 8:15:11 PM8/4/24
to riosparlairec
Any and all IP network communication (read: anything that involves IPv4/6 addresses, hostnames, etc. -- i.e., pretty much everything most people consider "networking") includes a port that is essentially part of the address, in the same way that your street number is an essential part of your address.

[Technically that's not quite true, the port numbers are part of protocols used on top of IP 99.9%+ of the time, see comments below. It might be better to say it is like an apartment number, and an operating system is the apartment building. Stuff addressed only to the building is treated differently. OpenVPN isn't an operating system, it's an application, and as such has to have an apartment to be in the building.]


That said, no, you do not need to use port forwarding to use OpenVPN. What you need port forwarding for on your router is to allow incoming connections to a node inside your LAN.[1] LAN IP addresses are considered local; all the computers on your LAN use the same IP address externally. This does not require port forwarding because they can be distinguished by MAC address. That works because all the connections established between those computers and the outside world are initiated by the local computer, not the outside party, meaning the correct MAC address is associated with them. But if something outside your LAN wants to initiate a connection to something inside your LAN, it must use the external router address, and, unless you've set up port forwarding, the router will not know what to do with that.


If you don't want to use an external server, then you must have one inside the LAN. This is not much good outside the LAN, however, unless you can connect to it from there (the outside), which requires that your router forward the traffic to the appropriate place. That is port-number based, hence, port forwarding.


I would like to repurpose an old laptop of mine into a home Linux SSH server, to be able to access all my files from my phone over the internet by using Termux to establish the SSH connection.


Problem is, my wannabe SSH server laptop sits behind a home router without a static IP address. Furthermore, my home network is populated by not so technically inclined people (id est: my family), and so home network security should be rock solid.


For these reasons I don't like the idea of setting up port forwarding on my home router: I don't want security risks, and I also don't want my network slowed down by bots trying to break into my forwarded SSH port.


I heard something can be done by using a VPN service, and I am willing to pay a monthly fee for this, but I really have no idea how it would be possible to use a VPN service (like NordVPN) to remotely connect to my home network or directly to my SSH server.


(Security-wise, you still have to expose one service (the VPN server) to the outside world, but compared to exposing SSH you have slightly more flexibility with regard to how the service responds to unauthenticated connections; e.g. a WireGuard server (or OpenVPN with an HMAC key) won't even respond to the first packet, which is less resource-intensive than SSH would be.)


Many of these cloud storage services have a generous free account, but also cheap paid programs. From time to time one can find special offers on the internet for lifetime subscriptions (I'm actually subscribed to three such services).


A Virtual Network, as opposed to a physical network, is a Software-Defined Networking (SDN) solution that creates an overlay network on top of existing network infrastructure, spanning across multiple physical networks and the Internet. Members of this virtual network can communicate with each other as if they were on the same physical network.


With a Tunnel solution, the data is relayed via a third-party server acting as an intermediary. Note that many providers apply data transfer limits, so you should take steps to moderate your bandwidth usage when accessing remotely, such as minimising live video streaming, avoiding large file downloads, and generally using the connection sparingly.


Which solution you choose generally comes down to the following question: do you have a fixed set of devices from which you want to access your SecuritySpy server? For most users, the answer to this question is yes, and in this case a Virtual Network is the best solution. On the other hand, if you want your SecuritySpy server open to the Internet for anyone to (attempt to) access, then a Tunnel solution provides this.


Select the Join New Network option, and enter the Network ID that you obtained from step 2. You should then see the network displayed in the menu (called SecuritySpy in the above example). Repeat this on all devices.


4. In the Networks section of the ZeroTier web portal, click on the network to edit it, and scroll down to the Members area. You should see a list of devices that you have connected, but they will not yet be authorised. Enable the checkboxes next to each device to authorise them:


5. You will see here that each device has been assigned an IP address on the virtual network. This address is also displayed in the ZeroTier menu under Network > Managed Addresses. This is the address that you will use in clients in order to access your SecuritySpy server. In the above example, the SecuritySpy Mac has the virtual IP address 172.29.211.179, so clients can access SecuritySpy at the URL :8000


2. From the Download pages, under the Manual Downloads section, download the macOS package. This downloads a folder that contains two important files: a pktriot executable, and a pktriot.plist file that can be used to start Packetriot automatically at system reboot.


6. Since you started the tunnel here manually, it will only persist while this Terminal window is open. If you copied the pktriot.plist file to the /Library/LaunchAgents folder as described above, simply reboot your Mac and the tunnel will start automatically without requiring it to be run in a Terminal window.


4. Open the Cloudflare Zero Trust Dashboard. In the menu on the left, select Access > Tunnels, and create and name a new tunnel. Once created, you will see a section called Install and run a connector, which contains some commands that you will need to copy and paste into a Terminal window on your Mac.


The central servers used by Tailscale or ZeroTier are only connection setup servers. They facilitate setting up the connection without the problems imposed by the lack of port forwarding and the need to traverse NAT-type firewalls/gateways at each end.


I am about to switch from my internet provider to Starlink. It appears that I will get an IPv6 address. Would I still need to use one of the above methods to get back to my SecuritySpy, or would the Port Forwarding method be applicable?


I did a similar thing with the IPv6 address under the Advanced Settings in the TCP/IP tab. I selected Manually, and the Router, IPv6 Address & Prefix Length fields got automatically populated. After applying these settings, I am still unable to reach the server from my iPhone.


By contrast, SecuritySpy uses port forwarding, which can sometimes be a bit more tricky to set up, but it has the significant advantages of better privacy, no ongoing costs, and no reliance on server infrastructure that may or may not exist in the future.


Your Starlink results are interesting, and indicate that the Mac is getting an IPv6 address that is indeed available publicly. Unfortunately, it seems that our iOS app cannot currently accept IPv6 addresses, and our DDNS system is IPv4-only at this time. We will work on these issues in order to expand IPv6 support in the future; however, for now I think the way forward for you will be to use ZeroTier.


I freshly installed OpenVPN on my machine, which runs Ubuntu Server 18.04 LTS. I scanned my ports with nmap; it seems my ISP has filtered all ports, so I'm unable to do port forwarding. Is there any way to access OpenVPN from outside my LAN without port forwarding?


You need to have a port forward from your public IP address. There is no other way to connect from outside. Talk to your ISP regarding the port forwarding. Some ISPs provide port forwarding free of charge, whereas an extra public IP address costs something.


I don't trust the method you used to determine your ISP "filters all ports so you're unable to do port forwarding". If you haven't set up port forwarding, no ports are going to be open on your IP address, which doesn't necessarily mean your ISP is doing anything.


What port(s) you forward to your Ubuntu 18.04 server to access OpenVPN will depend on how you set up OpenVPN. If you used the default OpenVPN server configuration, you'll have to forward UDP port 1994 to the IP address of your Ubuntu 18.04 server.


Note:

It might be something that happens at times, but I have never seen it, and can't imagine an ISP blocking all ports to their clients. They may block some ports such as port 25 to protect their clients from virus vulnerabilities. Some also block ports that are commonly used for heavy traffic file sharing (often used for pirating software). They often block port 80 to prevent their customers from running heavy traffic web servers. I kind of gave you the wrong port to test in the comments.


So I may be extreme, but I keep my cams on a VLAN so they can only talk to the PC that is running Blue Iris and recording the cam output. Like I said, cams are a known vulnerability.

And the issue is not that someone will view your cams (although they could if they break in); the issue is that the cams are running Linux, and if a bad guy hacks your cams, then they have access to a Linux machine inside your network. Really not good.
