Trading a VPN for an SSH Tunnel
-
So, I have an OpenVPN server on Vultr right now for $5/month. This was the recommended setup from a hamfest last September in Albuquerque, New Mexico.
It's not too amateur radio heavy, but more towards IT for hams. Normally, for one operator, this is great. For $5/month + data service, you can remote into your ham shack and operate your radio remotely. However, I have some limitations with it.
- It limits you to 2 consistent devices at once for free. If you want more devices connected to the VPN at the same time, then you need to pay at least $150/year for a 10-pack of licenses. A little steep for my blood.
- It is difficult at best to get an OpenVPN client working on a Debian system. Debian systems are best for amateur radio because they provide the best variety of applications on any Linux distro.
- The Net-44 really isn't needed because the VPS is going to give you an Internet address anyways. If you want, buy a domain, and tie a subdomain to the IP address of the VPS.
My dad and I are wanting to share the VPN, in order to decrease costs, but that limits us from connecting both of our ham shacks at the same time because that will meet our 2-device limit.
Then, I remember hearing talk about SSH Tunneling, that it's a poor-man's VPN, it's more secure because it is not as "big" of a tunnel over the Internet. So, after watching some YouTube videos
Could I replace the entire thing with just a server acting as an SSH proxy? This design comes to mind:
Each of our shacks would create a persistent SSH tunnel to a Linux server on vultr. When one of us wants to remote in, we would remote through the Linux server and back down the SSH tunnel to the ham shack. Once we create the SSH tunnel from our device back to the shack, we would then use some type of remote desktop service (vnc) in order to access the applications on the computer in the shack.
This solution would allow me to host as many users and locations as I wish; the only restrictions would be the resources of the server, not licenses anymore.
Where would my bandwidth bottleneck be? My ISP? The SSH tunnels?
Would this even work?
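The two-hop design in the post, written up as an added example (not the poster's own setup): the shack opens a persistent reverse tunnel to the VPS, the remote device opens a local forward through the VPS, and VNC is pointed at localhost. The host name, user name and port numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example of the reverse-SSH "poor man's VPN" described above.
# VPS_HOST, VPS_USER and the per-shack ports are assumed placeholders.

VPS_HOST="vps.example.net"   # assumed: the Linux server on Vultr
VPS_USER="tunnel"            # assumed: unprivileged account used only for tunnels

# Each shack gets its own loopback port on the VPS so two shacks never collide.
# Usage: shack_port <shack-name>
shack_port() {
    case "$1" in
        dad)  echo 15901 ;;
        mine) echo 15902 ;;
        *)    echo "unknown shack: $1" >&2; return 1 ;;
    esac
}

# Hop 1, run on the shack PC: persistent reverse tunnel.  -R binds the port
# on the VPS loopback only (no GatewayPorts), so the VNC service is never
# reachable from the public Internet, only by users already authenticated to
# the VPS over SSH.  autossh re-establishes the tunnel when the ISP drops it.
shack_tunnel_cmd() {
    port=$(shack_port "$1") || return 1
    echo "autossh -M 0 -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:${port}:127.0.0.1:5900 ${VPS_USER}@${VPS_HOST}"
}

# Hop 2, run on the laptop: local forward through the VPS down to that
# shack's reverse port.  The VNC client then connects to localhost:5900 and
# the VNC traffic is carried inside SSH end to end.
client_tunnel_cmd() {
    port=$(shack_port "$1") || return 1
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:5900:127.0.0.1:${port} ${VPS_USER}@${VPS_HOST}"
}

# Print both commands for one shack, e.g.:  sh tunnels.sh dad
if [ -n "$1" ]; then
    shack_tunnel_cmd "$1" && client_tunnel_cmd "$1"
fi
```

With key-only authentication on the VPS account, the loopback binding means the only thing exposed on the Internet is sshd itself, and adding a third shack is one more line in shack_port rather than another license.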
-
Poor man's VPN is ZeroTier where there is literally nothing to pay for or run. Just choose it and voila.
-
@scottalanmiller said in Trading a VPN for an SSH Tunnel:
Poor man's VPN is ZeroTier where there is literally nothing to pay for or run. Just choose it and voila.
This.
-
Already have a network setup. Now have to deploy clients.
-
Put a RouterBoardOS RB260GS at each house and use a free ddns service. $35 each and you're done.
Or a Ubiquiti Edge Router Lite will work too, just more expensive.
I use the Ubiquiti ERL for IPSec into my house from the office, my phone, and my laptop. Love it.
73 old man.
-
@JasGot said in Trading a VPN for an SSH Tunnel:
Put a RouterBoardOS RB260GS at each house and use a free ddns service. $35 each and you're done.
Or a Ubiquiti Edge Router Lite will work too, just more expensive.
I use the Ubiquiti ERL for IPSec into my house from the office, my phone, and my laptop. Love it.
All more work and more money than easy and free.
-
@scottalanmiller said in Trading a VPN for an SSH Tunnel:
@JasGot said in Trading a VPN for an SSH Tunnel:
Put a RouterBoardOS RB260GS at each house and use a free ddns service. $35 each and you're done.
Or a Ubiquiti Edge Router Lite will work too, just more expensive.
I use the Ubiquiti ERL for IPSec into my house from the office, my phone, and my laptop. Love it.
All more work and more money than easy and free.
And a fully open virus network. ZT is at least limited to the devices it is on.
-
Watching this; looking to do the same thing to remote access a computer radio combo
-
So, I went to ZeroTier and created myself a free account, created a network, and downloaded a client for my Windows 10 PC, the android app, and installed it on my Debian 9 Linux desktop. Authorized 3 clients onto the network. The network is private, so each client has to be authorized from the ZeroTier console before allowing communication between the device and the rest of the network.
Once I had 3 devices connected, I began testing communication between devices.
From Windows 10 to Debian 9:
via SSH
via VNC
So, I am able to remote into the computer by both SSH and VNC. However, I am not able to talk on the radio and hear what I receive while I am out and about. This is my next dilemma. How do I have the two-way audio between the ham-shack box and myself when I'm out and about?
-
@NerdyDad VNC should have the option to forward audio as well. Might be in the server or client setting tho, it's been a long time since I had a reason to go look at that.
-
@scottalanmiller said in Trading a VPN for an SSH Tunnel:
@JasGot said in Trading a VPN for an SSH Tunnel:
Put a RouterBoardOS RB260GS at each house and use a free ddns service. $35 each and you're done.
Or a Ubiquiti Edge Router Lite will work too, just more expensive.
I use the Ubiquiti ERL for IPSec into my house from the office, my phone, and my laptop. Love it.
All more work and more money than easy and free.
Easy is relative. $70 for the two is only $10 more than he is currently paying for one year. Starting with month 15, it is free!
-
@JaredBusch said in Trading a VPN for an SSH Tunnel:
And a fully open virus network. ZT is at least limited to the devices it is on.
How so? My VPNs are locked to IP address and/or 2FA.
-
@JasGot said in Trading a VPN for an SSH Tunnel:
@JaredBusch said in Trading a VPN for an SSH Tunnel:
And a fully open virus network. ZT is at least limited to the devices it is on.
How so? My VPNs are locked to IP address and/or 2FA.
Once something gets onto any node - it can spread the virus to all other VPN nodes... the same applies to ZT, though JB's claim is that ZT won't likely be installed everywhere.
To JB's claim I say - so what? Once a multi-homed computer is infected, it can easily try to infect any other local computers, so... not really much of a saving grace there.
-
@travisdh1 said in Trading a VPN for an SSH Tunnel:
@NerdyDad VNC should have the option to forward audio as well. Might be in the server or client setting tho, it's been a long time since I had a reason to go look at that.
I didn't see it in VNC, but maybe I am using the wrong VNC server (TightVNC vs UltraVNC). Can you send me some more information?
I also found crtmpserver that streams audio both ways and to Android devices. Maybe it will work instead? How hard would it be to setup?
-
@Dashrender said in Trading a VPN for an SSH Tunnel:
@JasGot said in Trading a VPN for an SSH Tunnel:
@JaredBusch said in Trading a VPN for an SSH Tunnel:
And a fully open virus network. ZT is at least limited to the devices it is on.
How so? My VPNs are locked to IP address and/or 2FA.
Once something gets onto any node - it can spread the virus to all other VPN nodes... the same applies to ZT, though JB's claim is that ZT won't likely be installed everywhere.
To JB's claim I say - so what? Once a multi-homed computer is infected, it can easily try to infect any other local computers, so... not really much of a saving grace there.
Correct, not much of one, but it is a smaller attack surface by a bit.
-
@Dashrender said in Trading a VPN for an SSH Tunnel:
Once something gets onto any node - it can spread the virus to all other VPN nodes...
True, hopefully gateway security suites will stop that.
-
@JasGot said in Trading a VPN for an SSH Tunnel:
True, hopefully gateway security suites will stop that.
VPNs bypass those things. At least in most cases. Gateway security is never really where you expect things to be stopped. It's the individual machines where you hope for the real defenses to be sitting. Whether it's because the LAN is breached in some other way, or a hole is punched by the VPN, Gateway security is too far from the main attack points and knows nothing about most attack vectors.
-
@JasGot said in Trading a VPN for an SSH Tunnel:
@scottalanmiller said in Trading a VPN for an SSH Tunnel:
@JasGot said in Trading a VPN for an SSH Tunnel:
Put a RouterBoardOS RB260GS at each house and use a free ddns service. $35 each and you're done.
Or a Ubiquiti Edge Router Lite will work too, just more expensive.
I use the Ubiquiti ERL for IPSec into my house from the office, my phone, and my laptop. Love it.
All more work and more money than easy and free.
Easy is relative. $70 for the two is only $10 more than he is currently paying for one year. Starting with month 15, it is free!
$70 for what you are proposing with more hardware and equipment that could fail and I have to maintain in my house that my wife won't like because it's more "junk" versus ZeroTier which is free, software only, and my wife won't have to see it.
Hmmm....Decisions, decisions.
-
@NerdyDad You mean there are actual decisions to that lol? ZT for the win
-
@JasGot said in Trading a VPN for an SSH Tunnel:
@scottalanmiller said in Trading a VPN for an SSH Tunnel:
@JasGot said in Trading a VPN for an SSH Tunnel:
Put a RouterBoardOS RB260GS at each house and use a free ddns service. $35 each and you're done.
Or a Ubiquiti Edge Router Lite will work too, just more expensive.
I use the Ubiquiti ERL for IPSec into my house from the office, my phone, and my laptop. Love it.
All more work and more money than easy and free.
Easy is relative. $70 for the two is only $10 more than he is currently paying for one year. Starting with month 15, it is free!
Comparing to a bad decision is misleading. You have to throw money away today, and ignore better options, to then create the "savings" of spending money. That's a false decision matrix.
The real comparison is against something free. That's the baseline to beat. Otherwise, nothing is costly compared to any contrived more expensive decision.
Example: I want a laser light show for my house, I don't need it, I just want it. The free option is to not buy one. Buying one is normally $100. But I could find one that is $200 and then say that the $100 is "free" or even "saving me money." But this is false, it's still costing $100 no matter how many more expensive alternatives we find.
It's like the 'sale' problem. The shirt was on sale for 50% off, I saved 50%!! No, you still bought a shirt you didn't need, money was lost versus the free baseline.