Comments on: Avoiding dynamic IP address woes with a VPN http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/ He has another more popular diary. This one is more general. Fri, 12 Mar 2010 17:56:30 +0000 http://wordpress.org/?v=2.5 By: Dan http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/#comment-297 Dan Wed, 04 Mar 2009 02:37:53 +0000 http://dan.langille.org/?p=216#comment-297 VPN: Thanks for the input. I removed the link to your website though. It really wasn't relevant and was kind of spammy. VPN: Thanks for the input. I removed the link to your website though. It really wasn’t relevant and was kind of spammy.

]]> By: VPN http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/#comment-295 VPN Tue, 03 Mar 2009 15:24:08 +0000 http://dan.langille.org/?p=216#comment-295 It became useful first to distinguish among different kinds of IP vpn based on the administrative relationships, not the technology, interconnecting the nodes. Once the relationships were defined, different technologies could be used, depending on requirements such as security and quality of service. It became useful first to distinguish among different kinds of IP vpn based on the administrative relationships, not the technology, interconnecting the nodes. Once the relationships were defined, different technologies could be used, depending on requirements such as security and quality of service.

]]> By: Dan http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/#comment-281 Dan Sat, 29 Nov 2008 20:58:00 +0000 http://dan.langille.org/?p=216#comment-281 Here is what I've written up: <http ://www.freebsddiary.org/openvpn-easy-rsa.php> - how to create certificates </http><http ://www.freebsddiary.org/openvpn.php> - first I tried this </http><http ://www.freebsddiary.org/openvpn-routed.php> - running with this now My thanks for your recommendations.</http> Here is what I’ve written up:

- how to create certificates
 - first I tried this
 - running with this now

My thanks for your recommendations.

]]> By: Dan http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/#comment-280 Dan Sat, 29 Nov 2008 20:55:58 +0000 http://dan.langille.org/?p=216#comment-280 Chris: Have you considered a table for that IP address? That way, you can just reload the table instead of the whole rule set. Much like this: pfctl -t spamd-mywhite -T replace -f /usr/local/etc/spamd-mywhite instead of this: pfctl -f /etc/pf.conf Chris: Have you considered a table for that IP address? That way, you can just reload the table instead of the whole rule set. Much like this:

pfctl -t spamd-mywhite -T replace -f /usr/local/etc/spamd-mywhite

instead of this:

pfctl -f /etc/pf.conf

]]> By: Chris Buechler http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/#comment-279 Chris Buechler Fri, 28 Nov 2008 02:05:03 +0000 http://dan.langille.org/?p=216#comment-279 If you trust DNS resolution, you can just use the hostname in your pf ruleset. With one caveat - it only will be updated when the ruleset is loaded. I've worked around this scenario by using dyndns names and reloading pf rules from cron. If your IP changes very frequently, that might not be a suitable solution. Depending on how much the IP changes entire subnets (maybe stays within a /21 or something), it may be easy to just allow that subnet, or all the IP blocks assigned to your ISP. That's significantly better than allowing the entire Internet, though not ideal. OpenVPN would be a good solution, as it's more dynamic IP friendly than other VPN options. Setup an OpenVPN server on each of your servers, and configure your home firewall/gateway with OpenVPN client connections to each. That will give you always on site to site connectivity, with routing in both directions. It will need to reconnect when your IP changes. pfSense will do this automatically, if you're running a custom built BSD box, there are ways to tie a reconnect into scripts with dhclient, mpd, whatever you use to pull your public IP. If you trust DNS resolution, you can just use the hostname in your pf
ruleset. With one caveat - it only will be updated when the ruleset is
loaded. I’ve worked around this scenario by using dyndns names and
reloading pf rules from cron. If your IP changes very frequently, that
might not be a suitable solution. Depending on how much the IP changes
entire subnets (maybe stays within a /21 or something), it may be easy to just
allow that subnet, or all the IP blocks assigned to your ISP. That’s
significantly better than allowing the entire Internet, though not
ideal.

OpenVPN would be a good solution, as it’s more dynamic IP
friendly than other VPN options. Setup an OpenVPN server on each of
your servers, and configure your home firewall/gateway with OpenVPN client
connections to each. That will give you always on site to site connectivity,
with routing in both directions. It will need to reconnect when your IP changes.
pfSense will do this automatically, if you’re running a custom built BSD box,
there are ways to tie a reconnect into scripts with dhclient, mpd, whatever
you use to pull your public IP.

]]> By: Dan http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/#comment-278 Dan Fri, 28 Nov 2008 00:48:24 +0000 http://dan.langille.org/?p=216#comment-278 Why not put the VPN server on one of the dedicated servers in one of the data centers? If I do that, then I'll have traffic going from one server to the VPN server to $HOME. When it just really needs to go $HOME. All the servers out there just need to contact $HOME over the VPN. nobody else. Why not put the VPN server on one of the dedicated servers in one of the data centers? If I do that, then I’ll have traffic going from one server to the VPN server to $HOME. When it just really needs to go $HOME. All the servers out there just need to contact $HOME over the VPN. nobody else.

]]> By: Dan http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/#comment-277 Dan Thu, 27 Nov 2008 01:48:16 +0000 http://dan.langille.org/?p=216#comment-277 The major problem so far with using a VPN that is initiated from my home server is that the remote servers need to access the servers at home. In that sense, the setup is reversed. Usually, the OpenVPN client can access the network at the Server. In this case, I want it the other way around. Perhaps I need to rethink this solution. The major problem so far with using a VPN that is initiated from my home server is that the remote servers need to access the servers at home. In that sense, the setup is reversed. Usually, the OpenVPN client can access the network at the Server. In this case, I want it the other way around. Perhaps I need to rethink this solution.

]]> By: Dan http://dan.langille.org/2008/11/26/avoiding-dynamic-ip-address-woes-with-a-vpn/#comment-276 Dan Wed, 26 Nov 2008 21:23:56 +0000 http://dan.langille.org/?p=216#comment-276 Peter Wemm suggested IPv6. That is an interesting solution. Peter Wemm suggested IPv6. That is an interesting solution.

]]>