Do I need a VPN?

I'd appreciate your experiences and recommendations in using a VPN
across a 3G connection.

Here's the situation.
I have a machine at a remote location. It runs XP. It connects to
the internet via a 3G dongle. Each day at a preset time, an Autoit3
script on the remote starts the link and successfully connects to
my local box (which runs Ubuntu). It logs in and uploads its IP
address to a file on the local system.

Now, in the past, once I've got the remote's IP address I have been
able to connect to the remote with VNC, FTP and the web server the
remote runs on port 80.

However, following a change in 3G provider, although the remote still
successfully connects to my local system, it appears the new provider
is preventing inbound connections to the remote.

On that assumption, the plan is to add to the remote box's script and
have it start a VPN connection to the local box and gain access to it
using that. I'm hoping that once the remote has created the VPN, the
3G provider will have no visibility of inbound (to the remote) connections
so I will be able to access it again. Some nice side effects would be
added security (though security is not perceived as a problem) and the
ability to connect to more services on different ports, via the VPN.

So my first question is: does this sound like a sensible way to solve
the connectivity problem?
Are there better ways to do it, and what VPN packages have people succeeded
with in the past. Just a reminder, the local box is Ubuntu, the remote is XP.


with thanks
Pete

pete <no-(E-Mail Removed)> writes:

> So my first question is: does this sound like a sensible way to solve
> the connectivity problem?
yes

> Are there better ways to do it, and what VPN packages have people succeeded
> with in the past. Just a reminder, the local box is Ubuntu, the remote is XP.

Openvpn (openvpn.net) should meet your requirements.

On Sun, 23 May 2010 10:07:03 +0100, Andy Burns wrote:
> pete wrote:
>
>> Here's the situation.
>> I have a machine at a remote location. It runs XP. It connects to
>> the internet via a 3G dongle. Each day at a preset time, an Autoit3
>> script on the remote starts the link and successfully connects to
>> my local box (which runs Ubuntu). It logs in and uploads its IP
>> address to a file on the local system.
>
> You could use some form of dynamic DNS to the same end ...
>
Yes, the remote has an account at dyndns.com. Occasionally the agent
on the remote does manage to update it's IP address there. For some reason
(possibly because the remote uses a CF card as it's C: and so is incredibly
slow) this frequently fails. Hence the explicit connection to my local
machine, using "putty". Simply more reliable.

>> Now, in the past, once I've got the remote's IP address I have been
>> able to connect to the remote with VNC, FTP and the web server the
>> remote runs on port 80.
>>
>> However, following a change in 3G provider, although the remote still
>> successfully connects to my local system, it appears the new provider
>> is preventing inbound connections to the remote.
>
> Have you asked if they support inbound connections through their NAT?
> They might have a different APN you could use that supports it.

I can't. We _literally_ don't speak the same language :-(

>> On that assumption, the plan is to add to the remote box's script and
>> have it start a VPN connection to the local box and gain access to it
>> using that. I'm hoping that once the remote has created the VPN, the
>> 3G provider will have no visibility of inbound (to the remote) connections
>> so I will be able to access it again. Some nice side effects would be
>> added security (though security is not perceived as a problem) and the
>> ability to connect to more services on different ports, via the VPN.
>>
>> So my first question is: does this sound like a sensible way to solve
>> the connectivity problem?
>
> Should work, though again, some 3G networks need a different APN to get
> VPN support, having changed APN you might find your direct inboud
> connections work again anyway.
>
>> Are there better ways to do it, and what VPN packages have people succeeded
>> with in the past. Just a reminder, the local box is Ubuntu, the remote is XP.
>
> openVPN.
>
Am playing with it now .... (they don't make the installation easy do they?)

On 23/05/10 11:34, pete wrote:
> On Sun, 23 May 2010 10:07:03 +0100, Andy Burns wrote:

>> openVPN.
>>
> Am playing with it now .... (they don't make the installation easy do they?)

The Debian package of OpenVPN [which Ubuntu's is doubtless based on]
came with a script in /usr/share/doc/openvpn/ that automates the CA bit.
That was the part I found the hardest, the rest of it was a doddle.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
17:36:02 up 25 days, 17:52, 1 user, load average: 0.51, 0.30, 0.23
It is better to have been wasted and then sober
than to never have been wasted at all

On Sun, 23 May 2010 20:53:28 +0100, Grant wrote:
> pete wrote:
>> Are there better ways to do it, and what VPN packages have people
>> succeeded with in the past. Just a reminder, the local box is Ubuntu,
>> the remote is XP.
>
> Depends what you want to do and whether you need full VPN but Logmein Free
> may do the job.
>
** first of all ** Thanks to Graham for his swift response.
Yes the "depends what I want to do" is the crux of the matter.
Now I have got Openvpn running between my Ubuntu host and a virtualbox'd
XP guest, I've hit the "and now what?" phase. As I mentioned in the OP,
I have a need to connect to the remote, from my Ubuntu box, both with VNC
and ftp. Sadly, it seems that the openvpn documentation kinda runs out of
puff at the end of the installation. They seem to think that once you've
got the VPN client connecting to the server, then that's all folks - switch
off the lights and go home.
Whereas, in fact that's merely the first step in getting some useful work
out of it. But there doesn't seem to be any followup on how to actually
go from a skeleton connection to a fully realised, usable solution. :-(

Since I have to have the connection initiated by the remote, once the
VPN is established, I then have to have a VNC server listening on port
5800 on the remote, an FTP server also listening on port 21 of the client
and then to have processes on the local VPN server, sending connections
back UP the VPN to connect to the client. (This is where the terms client
and server get a little hazy. The VPN client turns out to be the application
server. It's only a client to the VPN because it initiates the connection.)

So that's where I've got to now. VPN? Yup, been there, got that. Now for the
payback. How do I extract some useful work out of the circuit?

pete writes:
> I'd appreciate your experiences and recommendations in using a VPN
> across a 3G connection.
[...]
> However, following a change in 3G provider, although the remote still
> successfully connects to my local system, it appears the new provider
> is preventing inbound connections to the remote.

Run an SSH server on your local PC - OpenSSH in your case, presumably.
Perhaps put it on port 443 in case the provider blocks SSH etc.

Schedule an outbound connect to your SSH server on the remote PC.
Configure each end appropriately to tunnel traffic from one listening
port to a particular remote port (either local>remote or vice versa).
Then you can connect to localhost port N and have it routed to the
remote 127.0.0.1:5900

Tunnelier is free for personal use:
http://www.bitvise.com/tunnelier

"Reverse" VPN might perhaps be overkill but it would do what you need.
Can occasionally be a pain in the ass to configure though. Also, I think
most mobile providers bar Vodafone are quite restrictive in what they
allow over dongles, so VPN might be blocked.

Or, perhaps LogMeIn Free might be an easier solution

"pete" <no-(E-Mail Removed)> wrote in message
news:slrnhvhn5k.606.no-(E-Mail Removed)...
> I'd appreciate your experiences and recommendations in using a VPN
> across a 3G connection.
>
> Here's the situation.
> I have a machine at a remote location. It runs XP. It connects to
> the internet via a 3G dongle. Each day at a preset time, an Autoit3
> script on the remote starts the link and successfully connects to
> my local box (which runs Ubuntu). It logs in and uploads its IP
> address to a file on the local system.
>
> Now, in the past, once I've got the remote's IP address I have been
> able to connect to the remote with VNC, FTP and the web server the
> remote runs on port 80.
>
> However, following a change in 3G provider, although the remote still
> successfully connects to my local system, it appears the new provider
> is preventing inbound connections to the remote.
>
> On that assumption, the plan is to add to the remote box's script and
> have it start a VPN connection to the local box and gain access to it
> using that. I'm hoping that once the remote has created the VPN, the
> 3G provider will have no visibility of inbound (to the remote) connections
> so I will be able to access it again. Some nice side effects would be
> added security (though security is not perceived as a problem) and the
> ability to connect to more services on different ports, via the VPN.
>
> So my first question is: does this sound like a sensible way to solve
> the connectivity problem?
> Are there better ways to do it, and what VPN packages have people
> succeeded
> with in the past. Just a reminder, the local box is Ubuntu, the remote is
> XP.

Almost certainly your problem is with the 3G dongle and its provider. If
you can get any sort of 3G service, then getting a phone line with ADSL
should present no problems. I've never yet come across a location where
ADSL isn't available and yet you can get a ***working*** 3G service!

So get an ADSL circuit with a static IP address, from the likes of Andrews &
Arnold, or Zen. A basic router should allow port mapping, so you can get
VNC and FTP to work.

A VPN would only be justified if the remote site had multiple computers that
you wished to manage, simultaneously

--
Graham J

On Mon, 24 May 2010 00:05:18 +0100, Sam wrote:
> pete writes:
>> I'd appreciate your experiences and recommendations in using a VPN
>> across a 3G connection.
> [...]
>> However, following a change in 3G provider, although the remote still
>> successfully connects to my local system, it appears the new provider
>> is preventing inbound connections to the remote.
>
> Run an SSH server on your local PC - OpenSSH in your case, presumably.
> Perhaps put it on port 443 in case the provider blocks SSH etc.
>
> Schedule an outbound connect to your SSH server on the remote PC.
> Configure each end appropriately to tunnel traffic from one listening
> port to a particular remote port (either local>remote or vice versa).
> Then you can connect to localhost port N and have it routed to the
> remote 127.0.0.1:5900
>
> Tunnelier is free for personal use:
> http://www.bitvise.com/tunnelier
>
THAT'S WHAT I WANT!!!!!

Yup, couple of clicks, job done. Sam, that's brilliant.

For the record:
1.) download WinSSHD (Bitvise's SSH daemon), install on XP client
2.) Start it, configure, create a "Virtual account" named "virt"
give it a password
3.) download tunnelier, install. Set up an S2C entry, receiving
port 5900 and forwarding to 5901 (the VNC ports)
4.) configure XP's VNC server to listen on #5901, enable local loopback
5.) click tunnelier's "login" button (or logout/login) to start it all
6.) on the Linux box: enable local port forwarding, as:
ssh -L 5900:localhost:5900 virt@xp_box_name_or_IP_address
7.) start Linux's VNC viewer, connecting to localhost:5900

8.) supply VNC password, sit back, watch the remote's screen unfold on
your Linux desktop.
9.) Reflect on the hours wasted, hacking through OpenVPN's carelessly
mistake-ridden documentation, jargon, tacit assumptions and over-
configurability. It's (probably) a fine product, but WAY over the top
for my simple requirements. I realise that there are "productised"
versions available, but since it took so long to munge the basic
applications into shape I much prefer the simplicity of WinSSHD/Tunnelier.
Interestingly, the windows side of OpenVPN was a cinch - it was all the
goofing around on Linux: "open this", "edit that" ooops, that file
doesn't exist - spend time finding it, "copy something else" - d'oh,
that's not where they said it was. What does that arcane error actually
_mean_ ? which of the various conflicting and non-specific instructions
is right? .... and so on, all yesterday afternoon. Grrrr.

pete <no-(E-Mail Removed)> writes:

> So that's where I've got to now. VPN? Yup, been there, got that. Now for the
> payback. How do I extract some useful work out of the circuit?

Once the VPN link is established, the (windows) client will have an IP
address for the VPN connection. So from your Ubuntu system you have to ftp
and VNC to the VPN IP address of the client.

On Mon, 24 May 2010 10:08:32 +0100, Graham J wrote:
>
> "pete" <no-(E-Mail Removed)> wrote in message
> news:slrnhvhn5k.606.no-(E-Mail Removed)...
>> I'd appreciate your experiences and recommendations in using a VPN
>> across a 3G connection.
>>
>> Here's the situation.
>> I have a machine at a remote location. It runs XP. It connects to
>> the internet via a 3G dongle. Each day at a preset time, an Autoit3
>> script on the remote starts the link and successfully connects to
>> my local box (which runs Ubuntu). It logs in and uploads its IP
>> address to a file on the local system.
>>
>> Now, in the past, once I've got the remote's IP address I have been
>> able to connect to the remote with VNC, FTP and the web server the
>> remote runs on port 80.
>>
>> However, following a change in 3G provider, although the remote still
>> successfully connects to my local system, it appears the new provider
>> is preventing inbound connections to the remote.
>>
>> On that assumption, the plan is to add to the remote box's script and
>> have it start a VPN connection to the local box and gain access to it
>> using that. I'm hoping that once the remote has created the VPN, the
>> 3G provider will have no visibility of inbound (to the remote) connections
>> so I will be able to access it again. Some nice side effects would be
>> added security (though security is not perceived as a problem) and the
>> ability to connect to more services on different ports, via the VPN.
>>
>> So my first question is: does this sound like a sensible way to solve
>> the connectivity problem?
>> Are there better ways to do it, and what VPN packages have people
>> succeeded
>> with in the past. Just a reminder, the local box is Ubuntu, the remote is
>> XP.
>
> Almost certainly your problem is with the 3G dongle and its provider. If
> you can get any sort of 3G service, then getting a phone line with ADSL
> should present no problems.

> I've never yet come across a location where
> ADSL isn't available and yet you can get a ***working*** 3G service!

Let me introduce you to southern Spain. No landlines within 8km, but a nice
strong HSDPA signal from either Vodafone or Orange.

> So get an ADSL circuit with a static IP address, from the likes of Andrews &
> Arnold, or Zen. A basic router should allow port mapping, so you can get
> VNC and FTP to work.
>
> A VPN would only be justified if the remote site had multiple computers that
> you wished to manage, simultaneously
>