VPN for a whole home network

Hi,

I'm interested in having a VPN for my whole home network. I connect through a shared captive WiFi with a private non-routable IPv4 address, and sometimes it so happens that the WiFi is rebooted, and I lose all my NAT sessions. I want to use Linode in the cloud, and an OpenBSD netbook at my place to terminate the connection.

Right now, I simply run ssh socks proxying on each individual computer in my home network, but I'm thinking that perhaps doing a centralised VPN through an OpenBSD netbook router would be a better idea. I already use the OpenBSD netbook to tap into the WiFi, and do a second or third NAT for my local network.

How should I design my VPN?

Should I use IPsec, OpenVPN or the new OpenSSH proxying through tun?

Should I use the IPv6 subnet allocated by Linode and pass it through the VPN as IPv6, or should I make the VPN IPv4-only and set up a tunnel through tunnelbroker.net to terminate IPv6 right on my netbook through the IPv4-only VPN through Linode? I'm in NorCal, and I use the Fremont location, so the latency and routing should theoretically be the same either way. I'm leaning towards an IPv4-only VPN (with protocol 41 forwarding) and a tunnelbroker.net setup, since it seems like it'll be much easier to set up as far as my Linode goes, and potentially a cleaner feel overall (plus you get to delegate rDNS to your own servers).

How do I ensure that all my NAT states don't automatically vanish right away should the captive WiFi router, or any of its upstreams that I'm using, be rebooted?

Any ideas how to make the captive WiFi logins work? They oftentimes expire exactly 24 hours after the last login, but sometimes the WiFi is overloaded or reset, and then they expire more often than that. Right now, on one of the computers, I use two browsers, one through a socks proxy and one with a direct connection, and when it comes time to log in, I switch to the one with the direct connection to authenticate.

C.

1 Reply

I recently helped a friend set up OpenVPN to a Linode for exactly this reason (shared captive wifi portal at his apartment building).

You don't want to use anything based on OpenSSH because SSH uses TCP which means its connection will go down when the wifi router is rebooted. With OpenVPN you can use UDP which will be able to survive such events provided you send frequent keepalive pings (specify the option 'ping 20' for 20 second pings). I don't have much experience with IPsec but I do know it can have problems getting through NATs (and why use it when OpenVPN is so awesome anyways ;-))

One way to make your VPN setup extremely simple while using your Linode's native IPv6 would be to use a layer 2 VPN (TAP instead of TUN) and bridge your home network to the VPN TAP interface on your OpenBSD router. Your Linode would be on the same subnet as your home network and would be your home network's default gateway (instead of your OpenBSD router), taking for example the ::1 address in the /64 that Linode routes to you. OpenVPN wouldn't need to deal with IP addresses at all, which is a good thing since its IPv6 support is pretty incomplete right now.

The big downside of using a TAP VPN is that all your home network's broadcast traffic will be sent over to your Linode.

I don't have any experience automating captive portal logins. If you know Perl and are willing to reverse-engineer the login process somewhat, I hear WWW::Mechanize is a good Perl module for automating web page interactions. You could combine that with a simple monitoring script and kick off the process whenever you can't ping your Linode.
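As an added example (not from the original thread), here are the pieces the answer above describes put together: a point-to-point OpenVPN tunnel over UDP with 20-second keepalives and TAP interfaces on both ends, the Linode's tap0 holding the ::1 address of the routed /64, and the OpenBSD bridge joining the LAN NIC to tap0. The hostname, certificate paths, the LAN interface name em0 and the 2001:db8:1234::/64 prefix are placeholders to replace with your own values.

```conf
## /etc/openvpn/server.conf on the Linode (Linux side)
proto udp
port 1194
dev tap0
tls-server
ca   /etc/openvpn/ca.crt        # placeholder paths; generate your own PKI
cert /etc/openvpn/linode.crt
key  /etc/openvpn/linode.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0  # HMAC the control channel: unauthenticated UDP probes are dropped
float                           # accept the peer from a new IP:port after its NAT state is lost
keepalive 20 60                 # ping every 20 s; restart the tunnel after 60 s of silence
persist-tun                     # keep tap0 (and its ::1 address) across those restarts
persist-key                     # needed so a restart works after dropping privileges
user nobody
group nogroup
# After OpenVPN brings tap0 up, make it the LAN's gateway for the routed /64:
#   sysctl -w net.ipv6.conf.all.forwarding=1
#   ip -6 addr add 2001:db8:1234::1/64 dev tap0     (prefix is a placeholder)

## /etc/openvpn/client.conf on the OpenBSD netbook
proto udp
remote vpn.example.com 1194     # placeholder hostname of the Linode
nobind
resolv-retry infinite           # keep retrying DNS while the WiFi is down or being reset
dev tap0
tls-client
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/netbook.crt
key  /etc/openvpn/netbook.key
tls-auth /etc/openvpn/ta.key 1  # opposite key direction from the server
keepalive 20 60
persist-tun                     # tap0 stays in the bridge while the tunnel reconnects
persist-key

## OpenBSD: /etc/hostname.tap0
up

## OpenBSD: /etc/hostname.bridge0 (em0 is the assumed LAN NIC)
add em0
add tap0
up
```

LAN hosts then take an address from the /64 (static or via router advertisements from the Linode) with 2001:db8:1234::1 as their gateway; as the answer notes, every LAN broadcast and multicast frame also crosses the tunnel.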

