Category: Firewalls

Why still run a VPS ?

and VPN Connections speeds using a VPS server

Why do I bother run my own Virtual Private Server (VPS)?

I do ask myself why I still bother with running a VPS on IONOS. I no longer have a business to run, so the old web pages are an archive now. I thought old URLs should never die (*).

I am often tempted to shut the VPS down and use email only service providers. They seem to be as expensive, even more than running as VPS that can run the email. I need 50Gb for each email box. Emails are a useful personal archive; ours goes back to 1992.

Running an email server on a VPS can be problematic. Both Google and Microsoft impose their email server monopoly on security grounds. Rarely they have blocked whole swathes of Internet Service Provider’s addresses, with no notice or explanation. I assume just one of the ISP’s customers has been naughty by sending out spam. It can take a day of two to get unblocked from these secret blacklists. I hope I have not jinxed it but the last such episode blocking email was over a year ago. This big-boys IP blocking was never reported by blacklisting sites such as MX toolbox. One needs to avoid getting on any blacklist lists so chose ISP carefully. Set up SPF DMARC DKIM and even DNSEC. All would be quite fiddly if it was not for the likes of PLESK to set up and control your VPS.

Plesk is very expensive when sold as a stand-alone, personal purchase, but cheap when it is part of the ISP VPS package. Always buy with a VPS server with cPanel or Plesk.

What do I still use VPS for?

1. EMAIL The advantage of running an email is you are your own man in the middle, your data is not being mined. You are in control and back up. I spoil the lack of data mining by having my google Gmail account pop read all the incoming emails. Searching of email is so much faster and intelligent with Gmail than directly searching on the server or Outlook. Gmail then is one of the backups. I also backup the entire server and settings to Dropbox. Tight fail2ban rules are essential for email servers and PLESK sets that up easily.

2. A Virtual Private Network VPN when abroad keeping a UK IP address is very useful. To use a VPS as a VPN is a cost saving, as a commercail VPN service can cost as much as a VPS, but you can do more with a VPS. The VPS’s IP is not recognised as a likely VPN address and has never been blocked as being from abroad; the IP address does not belong to any of the major VPN providers. Again, you are not being mined, logged or surveyed with your own. I use Softethervpn on the servers and Raspberry Pis as it is so much easier to set up and can use OpenVPN. Softethervpn even makes a client OpenVPN script to do so. Beware VPNs do not route IPv6 well, so to ensure that seen to be a UK address turn off IPv6 on your PC when abroad.

3. SSH tunnels and reverse tunnels. Some of my projects have no inbound route (say they are on 4g). Using autossh on the remote site will open a port on the server to connect to the remote site to use for anything, including VPN connections. SSH needs care: I change the default port number of SSH, run fail2ban and of certificate only, no password logins are allowed.

4. SOCAT. This is a useful programme if you want to reach the fixed IPv6 address from IPv4. One of my places has no fixed IPv4, no route from the internet (CGNAT) but has IPv6 allocation. Opening IPv6 pinholes on that router I can can access multiple devices from the internet, even using the same port number, at the remote site. Alas, some business networks, hotels and phones are still not routing IPv6. So I need to direct the request to a VPS server port, and the configured SOCAT will read IPv4 and forward on to the remote reachable IPv6 address.

5. Web Server. Setting up web pages. Social media has reduced the need to have a vanity domain and web pages as I set up long ago. For email alone one needs to get a proper a wildcard SSL certificate. You can then use that certificate on any machine (some are RaspberryPis) once using by the same domain or subdomain. Plesk makes setting all this up easier.

6. Frame forwarding. One can set up a subdomain and the point to a port to the server which is connected to a website elsewhere (such as a raspberry Pi) eg https://yell.bulger.co.uk is frame forwarded to a port on the VPS which has been autossh connected by the raspberry Pi in Shetland.

7. Never run TOR on a personal VPS server!

G3WIP

*Old URLs should never die, expect in Australia.  If a business stops trading or reduces to itself such that it no longer has an business number (ABN), then the domains .com.au have to be deleted by the registrar, along with email and contacts.   This is quite nuts.

VPN Connection Speeds

I use my own servers to double up as Virtual Private Network VPS servers. I also use RaspberryPis.   Seems safer and reliable to me than the commercial VPN offerings.  Nowadays it is quite cheap to set up the most basic internet based Virtual Server  (https://www.ionos.co.uk/servers/vps) .

I have used Softethervpn  https://www.softether.org/  as was the easiest to set up on the Linux servers and has many features and offers different protocols.

Then there was a claim that WireGuard was a faster protocol, so I thought I would check it out.  Thanks to a nice script is now also a doddle to set up: https://github.com/angristan/wireguard-install on my servers.  Beware a “feature” is that the Wireguard client looks as if it has connected, creates a default route to nowhere, when there is no connection.  I thought it was not routing, it was much simpler than that; it had not connected at all. I had a firewall problem.   Wiregaurd should change the route until there is a connection.

I put WireGuard   https://github.com/angristan/wireguard-install server on Ubuntu VPS and a domestic RaspberryPi  using the same script. 

I am using my Windows 11 as the client at home

I turned off IPv6 (not all VPNs route or block IPv6). I tested various protocols to my VPS server (UK to UK).  The server is said to have a 3GB connection

Speedtest to the same end point averaged as follows:

Straight connection with no VPN on my fibre line gives 980Mbps.  Upload and download speeds were always similar.

SocksProxy using SSH (secured; key-only authentication) connecting to my VPS server came out best to my surprise.  I thought there were limitations to using a Socks proxy. Normally I used Seamonkey Browser to use this proxy tunnel, not all of windows.  It averaged 600Mbps.  When I set windows itself to use this proxy tunnel the speed was 680Mbps.

SoftetherVPN with its own protocol and client 460Mbps

WireGuard 280Mbps

Open VPN 150Mbps

L2PP/IPSEC    140Mbps

IPv6 and VPNs is a whole new ball game, and I do not know the rules.  At least WireGuard using this script prevented IPv6 direct routing to the internet (stopping a leak bypassing the VPN) when Windows has IPV6 on as does Socksproxy.  This is useful.   Better if ALL traffic, IPv4 and IPv6 is be routed via a VPN, I am not sure how to achieve that as yet (see such discussions https://www.reddit.com/r/WireGuard/comments/mg9mlp/ipv6_routing_subnet_through_wireguard/ ).  Currently with my setup with WireGuard VPN and other VPN protocols do not find sites by IPv6 address.

My conclusion is that I will use the Socks Proxy via SSH proxy more often. This little script below simplifies switching the proxy on and off.  https://github.com/zubir2k/WindowsProxySwitch.git  although  it offers no choice as which proxy to use if you have more than one set up.

Fibre and Phone Broadband Routing IPv4 & IPv6 to home machines & servers: Hyperoptic Router Fixes

Our central London apartments have 1GB fibre connections with Hyperoptic which are reliable and fast. We get the speeds advertised, and at one our flats it is even a little faster. Ping is time 1ms. With such fast speeds, upload as fast as download, it is tempting to run servers at home and run a private cloud. The snag is the devices at home are not reachable from the internet using IPv4; the home routers are behind CGNAT, just as phone companies do in order to share the rationed IPv4 addresses and protect their network. You can pay Hyperoptic and other fibre companies extra each month for a fixed IPv4 address that is then reachable from the outside using IPv4. You may not need to. Better to use IPv6 anyway.

Home devices can be reached by IPv6 addresses from the internet which when calling from an IPv6 enabled network. IPv6 is fixed and we are given a whole reachable subnet. Then we can set the home router’s IPv6 filter; that is open pinholes or IPV6 filter rules to local devices’ IPV6 address and ports we want. We can now have multiple reachable devices from the internet and even using the same port, say port 443, as there is no address sharing (NAT).

There has been a snag using Hyperoptic routers, even their latest H3600 router when it comes to IPv6 routing. Many customers give up and buy their own routers. The Hyperoptic router manual has incorrect instructions for IPv6 filters. The first thing to note that the “LOW” firewall setting does not seem to affect IP4 blocks and port forwarding rules, but low does open all IPv6 devices on the LAN, so an open port of any device is reachable on the internet in IPv6 addresses. Not a good idea. But middle and high settings are fine, I set mine to high so all ports are closed unless defined by the filter rules.

Now adding filter rules was a pain, and it took me a day to realise why some rules worked and others did not. The IPv6 filter rule secret is NOT to declare the incoming port. It you put a number in there the rule is ignored.

So all fixed and I do not need to buy a new router.

By the way if you port-forward 443 it stops Hyperoptic from accessing the device. Not that their support is of any use when it comes to anything technical.

Connection works from IPv6 enabled networks away from home. It does not always work from some workplaces or from many phones because still some ISPs still use IPv4 only routing. To solve this I use another server (my VPS) that has fixed IPv4 and IPv6 connections I use the VPS as a middle man to “cat” the connection from IPv4 to an IPv6 address. I can access home systems anywhere and can give my home machines domain names IPv4 and IPv6 with DNS entry. On this middle machine, a Linux site (a VPS) I use SOCAT command with the IP and ports I want like this:socat TCP4-LISTEN:9831,fork,su=nobody TCP6:[2a01:4b02:a40a:4b10:af9b:c59c:b1b8:2e7x]:2529. Connecting to MyVPSserver:9831 using IPv4, connects to my a home device on IPv6:2529. I run a VPN though it (SoftetherVPN). It’s magical (don’t forget to open the port on the middle server if needed). It is very fast, I do not notice any degradation. When using Myvpserver domain I set DNS A (IPv4) to the VPS server and DNS AAA (IPv6) direct to the home device IPv6 address.

As it happens I found that if you have two places with Hyperoptic fibre connections you can access the other by using the internal Hyperoptic IPv4 addresses that are given to their routers (in 10.0.0.0 range). These internal Hyperoptic IPv4 addresses seem fixed. These IPs have not changed over multiple reboots.

The other approach to reach your server is to use a reverse SSH tunnel from home server to one with a fixed IP such as a VPS. Using a Softether VPN ( the easiest of VPNs to set up) we can have full access to the network. To automate this I use autossh, set up in /etc/rc.local rc.local is now depreciated but I find it easier.

autossh -M 0 -N -f -o “ServerAliveInterval 30” -o “ServerAliveCountMax 3” -o “PubkeyAuthentication=yes” -o “PasswordAuthentication=no” -i /root/.ssh/id_mykey -R 50020:localhost:5555 user@mydomain -p 2526 & This connects the remote, behind the firewall machine (usually a Raspberry) Pi to my VPS SSH port 2526 using the key id_mykey. The VPS now has the the 50020 as a tunnel back to the remote machine’s Softether default port 5555. A Profile on Softether client on any device can be set to connect to mydomain port 50020 (if port open or localhost:50020 to tunnel the port via SSH)

I was also using the reverse tunnel to connect to a 4g router. This is a 4g dongle attached to Raspberry PI as part of a remote ham radio project. I have no space in London for antenna. I was to run Remote Rig though the tunnel but 4g latency was the problem.

https://bulger.co.uk/message.htm

Working from Work: Access your home PC as a Web page from anywhere.

Screen shot of my PC logged into my apartment’s PC as a web page. I can do this from work

Thininfinty Web login

Working from areas with tight security and behind firewalls which you cannot control can be very problematic.  Some places the blocks are simply too clumsy, making internet connection almost useless. Even medical sites such as dermnet.nz can get blocked (skin tones=too much skin). Or using medical terms such as “Oral” too much. So safely log into your home computer.

The simplest and secure solution, that does not imply any hack, download or compromises the security of the work site, is to connect to your outside home computer using a web page, port 80 or better port 443 (https, encrypted).  Those ports are never blocked.  This method does not require ANY software installation at the work end.   You are simply viewing a web page on any browser. You are not downloading or introducing anything of risk to the work system.  No malware can pass.  

The setup is to uses Thinfinity.   This offer a fast VNC like connection to your home computer using a web page alone.  Once installed on the home computer, at work just type in the URL or IP address of your home machine on the work PC’s web browser, eg   https://10.20.30.40/ or something like https://myhome.mydomain.com   

On your home router you will have to port forward port 80 or 443 to your home computer that is running the Thinifinfity workstation server, and that machine needs to be left on!  Give it a strong long password.

The non-commercial single use workstation license is free.

That’s it.

You can then look at all emails, all files, one drive, dropbox, edit stuff and post to NHS email address, and even use WhatsApp messaging that is connected to the phone left in the car.

I set it is as a subdomain of my own domain, so it can share the site’s lets encrypt SSL certificate.  You can use http, port 80, but it is not encrypted. Thinfinity have their own certificate system for https, but that requires connecting to their servers, which could get blocked, and the certificate did not work when I tried.  Domains can be created for any home router using dyndns or similar products, but I feared such domains may be blocked, so I used my own.  You could use the home IP address if it is fixed.

To untrained it could imply a security worry. From work, via this system, you can see on your home computer thus any site or file, such as time-wasting Facebook. But we are responsible professionals and just need access to all our clinical stuff.   

There is no record on the work computer or knowledge what sites your home computer has been looking at.   The work computer just sees the connection to a single domain or the IP address of the home machine as a single encrypted web page. All its doing is sending a screen image.

When logged to your home PC via Thinfinity in there is a hidden menu at the top middle: clicking on it you can scale the screen to fit the browser window. You may also need to hit refresh there if not seeing a window.

Gerry Bulger

Contact https://bulger.co.uk/message.htm

Older links on similar subjects

http://bulger.co.uk/satellitecost2.htm

http://bulger.co.uk/softethervpn.htm