Re: VPN suggestions?
- Date: Tue, 10 Jul 2018 22:17:47 -0400
- From: Gene Heskett <gheskett@xxxxxxxxxxx>
- Subject: Re: VPN suggestions?
On Tuesday 10 July 2018 19:26:17 Ben Finney wrote:
> Dennis Wicks <wix@xxxxxxxxxx> writes:
> > I want to set up a VPN for several computers in my house that are
> > all on a local network.
> What do you mean by “set up a VPN”?
> Is it sufficient to pay someone else to host the VPN, and your
> computers connect to that VPN managed by someone else?
> Do you expect to manage the VPN software? The hardware? Or do you want
> that job done by someone else?
> > And suggestions, hints, warnings?
> Be sure that the VPN is run by someone invested in *your* security.
> This excludes parties that offer “zero cost VPN” to all-comers; their
> incentive is mostly to turn your traffic into money, which almost
> certainly conflicts with your privacy.
> So, that means either you (or a party who already has your trust and
> has no conflict with your interests) set up the VPN specifically for
> you; or, you find a managed VPN for whom *you are the customer*, so
> that they will want to serve your needs and not someone else's.
> Once you explain more what your purpose is (and what you mean by “set
> up a VPN”), we can give more specific advice.
+100 on this advice.
For instance, and this is just one way, decades ago I set all my stuff up
on 192.168.xx.zz addresses, which are NOT propagated through a router to
the internet or vice versa.
I have one outward-facing address at a fixed IPv4 address determined by
the MAC of the router. That router is running dd-wrt, as is a spare that
has its MAC set to clone the main router. It also runs iptables and
dnsmasq. All local addresses are in the hosts files, identical on all
machines, with resolv.conf set to search hosts, dns. The DNS is the
router's local address on all machines, so that if where I want to go is
not a local address obtainable from the hosts file, then the router is
queried, which, if dnsmasq has not already cached the lookup, sends the
DNS request on to my ISP's DNS server. And it all happens in
milliseconds, so my access to the net from any of my machines is
transparent. Yet in nearly two decades, only one person has been able to
get into this system, and he was both invited and given the login/password
to do it.
As a guard dog, dd-wrt has very quick reflexes and sharp teeth.
And there is nothing virtual about it. Yet it Just Works(TM).
I do have a couple of 8-port switches in order to give me that connectivity
here, and in the garage, plus a 4-port hub in a smaller outbuilding to
hook it all up. That 90-foot piece of Cat5 to that outbuilding from the
house has now been blowing in the wind for nearly two decades, surviving a
100+ mph blow that took down four 30-year-old, 40+ ft pine trees, part of this
house's roof, and about 70 feet of privacy fence. And it still works.
That's how I do it.
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page <http://geneslinuxbox.net:6309/gene>
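Added example (mine, not Gene's or Ben's, and not dd-wrt's own code): a small POSIX shell script that checks one Linux machine against the layout Gene describes: names come from the hosts file first and from the router's dnsmasq second, every machine carries the same hosts file, and nothing in that file points outside loopback or RFC 1918 private space. On glibc systems the files-before-dns order is read from /etc/nsswitch.conf rather than resolv.conf, so that is the file it inspects. The router address 192.168.71.1, the reference-hosts path and the script name in the usage comment are assumptions, not Gene's real values.

```shell
#!/bin/sh
# Added example, not part of the original mail: checks a Linux box against the
# hosts-file-first, router-dnsmasq-second layout described above.
# Every function takes file paths as arguments so it can run on the real
# system files or on constructed sample files.

# "ok" if the hosts: line of nsswitch.conf lists files before dns.
# (glibc keeps this lookup order in /etc/nsswitch.conf, not resolv.conf.)
nss_hosts_order() {
    awk '$1 == "hosts:" {
             seen = 1; files_first = 0; dns = 0
             for (i = 2; i <= NF; i++) {
                 if ($i == "files" && !dns) files_first = 1
                 if ($i == "dns") dns = 1
             }
             r = (files_first && dns) ? "ok" : "bad"; print r; exit
         }
         END { if (!seen) print "bad" }' "$1"
}

# "ok" if the first nameserver in resolv.conf is the router (given as $1).
resolv_points_at() {
    awk -v want="$1" '$1 == "nameserver" {
             seen = 1; r = ($2 == want) ? "ok" : "bad"; print r; exit
         }
         END { if (!seen) print "bad" }' "$2"
}

# Canonical form of a hosts file: comments and blank lines dropped,
# whitespace collapsed, lines sorted, so cosmetic edits do not count as drift.
hosts_normalize() {
    awk '{ sub(/#.*/, "") } NF { $1 = $1; print }' "$1" | sort
}

# Digest of the canonical form; compare these across machines instead of
# copying files around.
hosts_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        hosts_normalize "$1" | sha256sum | cut -d' ' -f1
    else
        hosts_normalize "$1" | cksum | cut -d' ' -f1   # POSIX fallback, weaker
    fi
}

# "ok" if two hosts files carry the same entries.
hosts_same() {
    if [ "$(hosts_normalize "$1")" = "$(hosts_normalize "$2")" ]; then
        echo ok
    else
        echo bad
    fi
}

# Number of IPv4 entries that are neither loopback nor RFC 1918 private space.
# In a LAN-only hosts file this should be 0; anything else is a name that
# silently bypasses the router's resolver for that host.
hosts_public_count() {
    awk '{ sub(/#.*/, "") }
         NF >= 2 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             split($1, o, ".")
             if (o[1] + 0 == 127) next                                        # loopback
             if (o[1] + 0 == 10) next                                         # 10/8
             if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) next    # 172.16/12
             if (o[1] + 0 == 192 && o[2] + 0 == 168) next                     # 192.168/16
             n++
         }
         END { print n + 0 }' "$1"
}

# Run all four checks for one machine and print one line per check.
check_host() {
    router="$1"; nss="$2"; resolv="$3"; hosts="$4"; reference="$5"
    printf 'nsswitch lists files before dns:     %s\n' "$(nss_hosts_order "$nss")"
    printf 'resolv.conf first nameserver is %s: %s\n' "$router" "$(resolv_points_at "$router" "$resolv")"
    printf 'hosts file matches reference copy:   %s\n' "$(hosts_same "$hosts" "$reference")"
    printf 'non-private IPv4 entries in hosts:   %s\n' "$(hosts_public_count "$hosts")"
}

# Stand-alone use (router address, script name and reference path are assumptions):
#   sh check_resolver.sh 192.168.71.1 /srv/reference/hosts
if [ $# -ge 2 ]; then
    check_host "$1" /etc/nsswitch.conf /etc/resolv.conf /etc/hosts "$2"
fi
```

Run it on each machine with the router's LAN address and a path to the copy of the hosts file you treat as authoritative, or just compare `hosts_digest /etc/hosts` across machines. The public-address count is the check I would not skip: the hosts file wins over dnsmasq for any name it contains, so one stray public entry redirects that name without any DNS lookup ever reaching the router.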