Why still run a VPS? and VPN connection speeds using a VPS server

Why do I bother running my own Virtual Private Server (VPS)?

I do ask myself why I still bother with running a VPS on IONOS. I no longer have a business to run, so the old web pages are an archive now. I thought old URLs should never die (*).

I am often tempted to shut the VPS down and use email-only service providers, but they seem to be as expensive as, or even more than, running a VPS that can host the email. I need 50Gb for each mailbox. Emails are a useful personal archive; ours goes back to 1992.

Running an email server on a VPS can be problematic. Both Google and Microsoft impose their email server monopoly on security grounds. Rarely, they have blocked whole swathes of an Internet Service Provider's addresses, with no notice or explanation; I assume just one of the ISP's customers has been naughty by sending out spam. It can take a day or two to get unblocked from these secret blacklists. I hope I have not jinxed it, but the last such episode blocking email was over a year ago. This big-boys IP blocking was never reported by blacklist-checking sites such as MXToolbox. One needs to avoid getting on any blacklist, so choose your ISP carefully, and set up SPF, DMARC, DKIM and even DNSSEC. All would be quite fiddly if it were not for the likes of Plesk to set up and control your VPS.

Plesk is very expensive when sold as a stand-alone, personal purchase, but cheap when it is part of the ISP's VPS package. Always buy a VPS package that includes cPanel or Plesk.

What do I still use VPS for?

1. EMAIL. The advantage of running your own email is that you are your own man in the middle; your data is not being mined. You are in control and do the backups. I spoil the lack of data mining by having my Google Gmail account read all the incoming emails by POP, because searching email is so much faster and more intelligent with Gmail than searching directly on the server or in Outlook. Gmail is then one of the backups. I also back up the entire server and its settings to Dropbox. Tight fail2ban rules are essential for email servers, and Plesk sets them up easily.

2. VPN. A Virtual Private Network (VPN) that keeps a UK IP address when abroad is very useful. Using a VPS as a VPN saves money, as a commercial VPN service can cost as much as a VPS, and you can do more with a VPS. The VPS's IP is not recognised as a likely VPN address and has never been blocked as being from abroad, since the address does not belong to any of the major VPN providers. Again, with your own server you are not being mined, logged or surveyed. I use SoftEther VPN on the servers and Raspberry Pis as it is so much easier to set up, and it can also serve OpenVPN clients; SoftEther even generates a client OpenVPN config to do so. Beware that VPNs do not route IPv6 well, so to ensure you are seen as a UK address, turn off IPv6 on your PC when abroad.

3. SSH tunnels and reverse tunnels. Some of my projects have no inbound route (say they are on 4G). Running autossh at the remote site opens a port on the server that connects back to the remote site, which can be used for anything, including VPN connections. SSH needs care: I change the default SSH port number, run fail2ban, and allow key-only logins; no password logins are allowed.

4. SOCAT. This is a useful program if you want to reach a fixed IPv6 address from IPv4. One of my places has no fixed IPv4 and no route from the internet (CGNAT), but has an IPv6 allocation. By opening IPv6 pinholes on that router I can access multiple devices at the remote site from the internet, even using the same port number. Alas, some business networks, hotels and phones are still not routing IPv6, so I direct the request to a VPS server port, and socat, configured there, accepts the IPv4 connection and forwards it on to the reachable IPv6 address.

5. Web server. Social media has reduced the need for the vanity domain and web pages I set up long ago. Even for email alone one needs a proper wildcard SSL certificate, which you can then use on any machine (some are Raspberry Pis) under the same domain or subdomain. Plesk makes setting all this up easier.

6. Frame forwarding. One can set up a subdomain and point it to a port on the server that is connected to a website elsewhere (such as a Raspberry Pi), e.g. https://yell.bulger.co.uk is frame-forwarded to a port on the VPS to which the Raspberry Pi in Shetland has connected with autossh.

7. Never run TOR on a personal VPS server!

G3WIP

*Old URLs should never die, except in Australia. If a business stops trading, or shrinks such that it no longer has an Australian Business Number (ABN), then its .com.au domains have to be deleted by the registrar, along with email and contacts. This is quite nuts.

VPN Connection Speeds

I use my own servers to double up as Virtual Private Network (VPN) servers. I also use Raspberry Pis. This seems safer and more reliable to me than the commercial VPN offerings. Nowadays it is quite cheap to set up the most basic internet-based virtual server (https://www.ionos.co.uk/servers/vps).

I have used SoftEther VPN (https://www.softether.org/) as it was the easiest to set up on the Linux servers, has many features and offers different protocols.

Then there was a claim that WireGuard was a faster protocol, so I thought I would check it out. Thanks to a nice script, https://github.com/angristan/wireguard-install, it is now also a doddle to set up on my servers. Beware a "feature": the WireGuard client looks as if it has connected, and creates a default route to nowhere, when there is no connection. I thought it was not routing; it was much simpler than that, it had not connected at all, because I had a firewall problem. WireGuard should not change the route until there is a connection.

I put the WireGuard server (https://github.com/angristan/wireguard-install) on an Ubuntu VPS and on a domestic Raspberry Pi using the same script.

I am using my Windows 11 machine as the client at home.

I turned off IPv6 (not all VPNs route or block IPv6). I tested various protocols to my VPS server (UK to UK). The server is said to have a 3GB connection.

Speedtest to the same end point averaged as follows:

Straight connection with no VPN on my fibre line: 980Mbps. Upload and download speeds were always similar.

SOCKS proxy over SSH (secured; key-only authentication) connecting to my VPS server came out best, to my surprise; I thought there were limitations to using a SOCKS proxy. Normally I use the SeaMonkey browser with this proxy tunnel, not all of Windows. It averaged 600Mbps. When I set Windows itself to use this proxy tunnel the speed was 680Mbps.

SoftEther VPN with its own protocol and client: 460Mbps

WireGuard: 280Mbps

OpenVPN: 150Mbps

L2TP/IPsec: 140Mbps

IPv6 and VPNs is a whole new ball game, and I do not know the rules. At least WireGuard, set up with this script, prevented direct IPv6 routing to the internet (stopping a leak bypassing the VPN) when Windows has IPv6 on, as does the SOCKS proxy. This is useful. It would be better if ALL traffic, IPv4 and IPv6, were routed via the VPN; I am not sure how to achieve that as yet (see discussions such as https://www.reddit.com/r/WireGuard/comments/mg9mlp/ipv6_routing_subnet_through_wireguard/). Currently, with my setup, WireGuard and the other VPN protocols do not find sites by IPv6 address.

My conclusion is that I will use the SOCKS proxy via SSH more often. This little script simplifies switching the proxy on and off: https://github.com/zubir2k/WindowsProxySwitch.git, although it offers no choice as to which proxy to use if you have more than one set up.

Fibre and Phone Broadband Routing IPv4 & IPv6 to home machines & servers: Hyperoptic Router Fixes

Our central London apartments have 1GB fibre connections with Hyperoptic, which are reliable and fast. We get the speeds advertised, and at one of our flats it is even a little faster. Ping time is 1ms. With such fast speeds, upload as fast as download, it is tempting to run servers at home and run a private cloud. The snag is that the devices at home are not reachable from the internet using IPv4: the home routers are behind CGNAT, just as phone companies do in order to share the rationed IPv4 addresses and protect their network. You can pay Hyperoptic and other fibre companies extra each month for a fixed IPv4 address that is then reachable from the outside using IPv4. You may not need to; it is better to use IPv6 anyway.

Home devices can be reached from the internet by their IPv6 addresses when calling from an IPv6 enabled network. The IPv6 allocation is fixed and we are given a whole reachable subnet. We can then set the home router's IPv6 filter, that is, open pinholes or IPv6 filter rules to the local devices' IPv6 addresses and the ports we want. We can now have multiple devices reachable from the internet, even using the same port, say port 443, as there is no address sharing (NAT).

There has been a snag using Hyperoptic routers, even their latest H3600 router, when it comes to IPv6 routing. Many customers give up and buy their own routers. The Hyperoptic router manual has incorrect instructions for IPv6 filters. The first thing to note is that the "LOW" firewall setting does not seem to affect IPv4 blocks and port forwarding rules, but LOW does open all IPv6 devices on the LAN, so an open port on any device is reachable from the internet at its IPv6 address. Not a good idea. The middle and high settings are fine; I set mine to high so all ports are closed unless defined by the filter rules.

Adding filter rules was a pain, and it took me a day to realise why some rules worked and others did not. The IPv6 filter rule secret is NOT to declare the incoming port. If you put a number in there the rule is ignored.

Connection works from IPv6 enabled networks away from home. It does not always work from some workplaces or from many phones, because some ISPs still use IPv4-only routing. To solve this I use another server (my VPS) that has fixed IPv4 and IPv6 connections as a middle man to "cat" the connection from IPv4 to an IPv6 address. I can then access home systems from anywhere and can give my home machines domain names with both IPv4 and IPv6 DNS entries. On this middle machine, a Linux site (a VPS), I use the socat command with the IP and ports I want, like this:

socat TCP4-LISTEN:9831,fork,su=nobody TCP6:[2a01:4b02:a40a:4b10:af9b:c59c:b1b8:2e7x]:2529

Connecting to MyVPSserver:9831 using IPv4 connects to my home device on IPv6 port 2529. I run a VPN through it (SoftEther VPN). It's magical (don't forget to open the port on the middle server's firewall if needed). It is very fast; I do not notice any degradation. When using the MyVPSserver domain I set the DNS A record (IPv4) to the VPS server and the DNS AAAA record (IPv6) directly to the home device's IPv6 address.
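To show what the socat one-liner above (and item 4 of the list further up) actually does, here is an added example, written for this page and not the author's own code, of the same IPv4-to-IPv6 TCP relay in Python: listen on an IPv4 socket, open a fresh connection to the IPv6 target for every accepted client (socat's ",fork"), and copy bytes both ways until either side closes. The relay and echo "home device" below both bind to loopback with ephemeral ports so the whole thing runs offline; the port numbers, hostnames and payload are constructed. Unlike socat with "su=nobody", this script does not drop privileges after binding, so on a real server run it as an unprivileged user.

```python
import socket
import threading

# Added example, not the page's own code: a minimal relay doing what
#   socat TCP4-LISTEN:9831,fork,su=nobody TCP6:[<home IPv6>]:2529
# does. Addresses and ports used below are constructed for a local demo.


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst
    so the peer sees end-of-stream in that direction."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target_host, target_port):
    """One accepted client: dial the target (AF_INET6 for an IPv6 literal,
    chosen automatically by create_connection) and relay in both directions."""
    try:
        upstream = socket.create_connection((target_host, target_port), timeout=10)
    except OSError:
        client.close()          # target unreachable: drop the client cleanly
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)     # client -> target on this thread
    back.join()                 # wait for target -> client to finish
    client.close()
    upstream.close()


def start_relay(listen_host, listen_port, target_host, target_port):
    """Listen on listen_host (IPv4 unless it is an IPv6 literal) and start one
    handler thread per client, like socat's ',fork'. Returns the bound port,
    so callers may pass 0 for an ephemeral port."""
    family = socket.AF_INET6 if ":" in listen_host else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(client, target_host, target_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server(host):
    """Constructed stand-in for the home device: echoes whatever it receives."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(4)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def ipv6_loopback_available():
    """True if this host can bind ::1 (needed for the IPv4 -> IPv6 demo)."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        s.bind(("::1", 0))
        s.close()
        return True
    except OSError:
        return False


def relay_round_trip(target_host, payload=b"hello via relay"):
    """Start an echo target on target_host and a relay on IPv4 loopback, send
    payload through the relay over IPv4 and return what comes back."""
    target_port = start_echo_server(target_host)
    relay_port = start_relay("127.0.0.1", 0, target_host, target_port)
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            out += chunk
    return out


if __name__ == "__main__":
    target = "::1" if ipv6_loopback_available() else "127.0.0.1"
    print(relay_round_trip(target))
```

The demo falls back to an IPv4 target when the host has no IPv6 loopback, which keeps the relay logic identical; only the address family of the upstream connection changes. For production use the socat command on the page is the better tool, since it has been hardened over years and can drop privileges with "su=nobody".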

As it happens, I found that if you have two places with Hyperoptic fibre connections you can reach one from the other using the internal Hyperoptic IPv4 addresses given to their routers (in the 10.0.0.0 range). These internal Hyperoptic IPv4 addresses seem fixed; they have not changed over multiple reboots.

The other approach to reaching your server is to use a reverse SSH tunnel from the home server to one with a fixed IP, such as a VPS. Running a SoftEther VPN (the easiest of VPNs to set up) over the tunnel gives full access to the home network. To automate this I use autossh, set up in /etc/rc.local; rc.local is now deprecated but I find it easier.

autossh -M 0 -N -f -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -i /root/.ssh/id_mykey -R 50020:localhost:5555 user@mydomain -p 2526 &

This connects the remote machine behind the firewall (usually a Raspberry Pi) to my VPS SSH port 2526 using the key id_mykey. The VPS now has port 50020 as a tunnel back to the remote machine's SoftEther default port 5555. A profile on the SoftEther client on any device can be set to connect to mydomain port 50020 (if the port is open, or to localhost:50020 after tunnelling the port via SSH).
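The "if the port is open" aside matters: with "-R 50020:localhost:5555" sshd binds the forwarded port to the VPS's loopback interface only, unless the server has GatewayPorts enabled or the -R spec names a bind address, so what is actually reachable from the internet depends on the server configuration rather than on the autossh line alone. As an added check, not from the page, the script below classifies the listening sockets reported by "ss -ltn" on the VPS into loopback-only versus all-interfaces and flags any tunnel port that is exposed when it was expected to be loopback-only. The ss output it parses is constructed sample text (the process names, PIDs and ports are made up); on a real server pipe the live command output in instead.

```python
import ipaddress
import re

# Added example, not the page's own code. Constructed sample of `ss -ltn`
# output (with process info) from an imagined VPS: sshd on the page's port
# 2526, two reverse-tunnel ports bound to loopback, one reverse-tunnel port
# published on all interfaces, and the page's socat listener on 9831.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:50020      0.0.0.0:*          users:(("sshd",pid=1201,fd=9))
LISTEN  0       128     0.0.0.0:2526         0.0.0.0:*          users:(("sshd",pid=900,fd=3))
LISTEN  0       128     [::]:2526            [::]:*             users:(("sshd",pid=900,fd=4))
LISTEN  0       5       0.0.0.0:9831         0.0.0.0:*          users:(("socat",pid=1333,fd=5))
LISTEN  0       128     [::1]:50021          [::]:*             users:(("sshd",pid=1201,fd=10))
LISTEN  0       128     0.0.0.0:50022        0.0.0.0:*          users:(("sshd",pid=1201,fd=11))
"""


def parse_local_endpoint(field):
    """Split an ss 'Local Address:Port' field such as '[::1]:50021' or
    '127.0.0.1:50020' into (address, port)."""
    addr, port = field.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def classify_address(addr):
    """Scope of a listening address: all-interfaces, loopback, specific or unknown."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return "loopback" if ip.is_loopback else "specific"


def classify_listeners(ss_text):
    """Parse ss -ltn text into a list of {addr, port, scope, process} dicts."""
    rows = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                       # skip header and non-listening lines
        addr, port = parse_local_endpoint(parts[3])
        proc = re.search(r'\(\("([^"]+)"', line)
        rows.append({"addr": addr, "port": port, "scope": classify_address(addr),
                     "process": proc.group(1) if proc else "?"})
    return rows


def exposed_ports(ss_text, expected_loopback_only):
    """Return, sorted, the ports in expected_loopback_only that are bound to
    anything other than a loopback address, i.e. reachable from outside."""
    return sorted({r["port"] for r in classify_listeners(ss_text)
                   if r["port"] in expected_loopback_only and r["scope"] != "loopback"})


if __name__ == "__main__":
    for row in classify_listeners(SAMPLE_SS_OUTPUT):
        print(f'{row["process"]:<8} {row["addr"]:<12} {row["port"]:<6} {row["scope"]}')
    print("exposed tunnel ports:", exposed_ports(SAMPLE_SS_OUTPUT, {50020, 50021, 50022}))
```

In the constructed sample only port 50022 is flagged, because 50020 and 50021 sit on 127.0.0.1 and ::1, while 9831 (socat) and 2526 (sshd) are meant to be public and so are not in the expected-loopback set. Bear in mind that "all-interfaces" only says what the socket is bound to; whether the port is actually reachable still depends on the host firewall, which the page rightly reminds you to check.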

I was also using the reverse tunnel to connect to a 4G router: a 4G dongle attached to a Raspberry Pi as part of a remote ham radio project, as I have no space in London for an antenna. I was going to run Remote Rig through the tunnel, but 4G latency was the problem.

https://bulger.co.uk/message.htm

Three Broadband 5G. Atrocious upload

Update on 5G Three Broadband (formerly Relish Broadband)

See the 2015 blog on the 4G Three Broadband product

I got on the phone to dump Relish (Three Broadband), giving up the £30 a month contract after some years with them. I was getting better connection and upload speeds on my phone. My phone uses the same Three 4G network or Vodafone's 4G (it is dual SIM). Setting my phone as a hotspot was better than using the Three home broadband hub. Time to give up on the 4G Relish (Three) home broadband hub.

Three Broadband then said 5G was now in my area, so I was sent the new Huawei 5G hub/router (over £350 to buy). My testing went ahead using wired Ethernet from hub to PC.

5G is only JUST available in my flat, in only one spot, at an impossible-to-mount position within one bedroom. Then it seemed that if I made any adjustments to the router firmware, such as changing the LAN IP range, the router lost its ability to find the local 5G signal. It would only find the 5G tower after a hard reset. That is all support would suggest.

Huawei H112-370.

The best 5G I got, with the hub router propped up on books in one precise spot, was 100MB/s. What was most disturbing was the fractional upload speed, at best 2.8Mbs. Everywhere else in the flat the hub dropped down to 4G, but at least that gave better upload speeds of 4-6Mb/s.

(Screenshot: best 5G result, with the hub in the one 5G spot in our flat near the window, pointing at the local tower.)

Three Broadband will not tell you what upload speeds to expect, talking rubbish that it depends on various factors; but those factors would also affect download speed, although I accept that transmission power is lower from the hub. On the other hand, power is needed for the reception's download handshaking, so I would have thought factors affecting download would affect upload to the same extent. Perhaps 5G is more complex.

Three Broadband refuse to give any indication of an upload guide number, and simply state "it is not guaranteed". That is all they will say. Three Broadband's refusal to give any technical details to users is something Ofcom should look into. We should know what we are buying. Upload speed, together with latency, is a crucial factor for a useful broadband connection; download speed is just one factor, and is a bigger number. It is the only one they like to headline. Funny that.

They probably refuse to quote any number because upload is deliberately throttled. This was the case with their original Relish 4G hub (again this was never mentioned anywhere on their web site). The best upload speed I got on 4G on the Relish hub was 8MB/s despite downloads of up to 72Mb/s. Most 4G SIMs in phones are pretty much synchronous; you get similar upload and download speeds unless the network is busy. I gather some "5G" systems split upload off and put it back onto 4G. Perhaps this is what Three does, but it seems slower than when the hub is using 4G. All very odd.

The hub is not locked, so I was able to put my 4G Vodafone SIM in the Huawei H112-370 hub this afternoon, a busy period in central London (things here speed up in the evenings and at weekends). This afternoon it gave 72Mb/s download and 20Mb/s upload.

(Screenshot: Vodafone 4G SIM in the Huawei 5G hub on this busy afternoon in central London. Note the upload speed.)

In the evenings on the 4G phone SIM I often get 98Mb/s with 70Mb/s upload, or uploads can even be faster than download.

So I am sending back the Three Broadband 5G hub. 5G is hardly here at all, and upload speeds are atrocious.

5G here is giving 100Mb/s download with upload throttled to 2.8Mb/s; that upload speed is a fraction of what normal 4G offers. There is no question that the better option is still 4G, and it is cheaper. I plugged a 4G USB modem into my DrayTek router with a Smarty SIM, which gives unlimited data and decent upload speeds at £20 a month with no contract. Done deal while waiting for the block to get fibre installed. Hyperoptic fibre is synchronous, and at our other flat we get 700Mb/s up and down with low pings. 5G can wait, because there are some nasty marketing practices bordering on fakery here: deception of customers by deliberate omission, made worse by an outright REFUSAL by the support team to state the facts.

Gerry Bulger


Relish (Three) Broadband. A 4G Alternative to wired connections in London

Relish Broadband and Hyperoptic Broadband

https://www1.relish.net, now https://www.threebroadband.co.uk

While everyone goes on about the countryside having poor broadband, it's here in central London, EC1, that has terrible domestic broadband connections. Here with BT or Sky the download speeds are never greater than 7mbs down and 700kbs up. There is no fibre here, no Virgin cable. Blocks of flats have real issues.

At last our block may yet get Hyperoptic broadband cabling. We have this at our other apartment; although fast, it has had similar issues.

When Relish Broadband came along offering high speed, up to 50mbs, using a dedicated 4G network in EC1 at only £20 a month for unlimited use, I jumped at it.

Alas, there is no free lunch. Here is my list of Relish issues that Relish/Three Broadband does not tell you, or that are so hidden in the small print that you will miss them. Now that Three have taken over, nothing at all has changed:

  1. You cannot put the Relish 4G SIM in any device other than their hub/router (this is in their T&Cs). You cannot, for example, put it in a 4G dongle.
  2. The router/hub is locked down. You cannot change much at all.
  3. The Relish router/hub does offer dynamic IP name assignment with DynDNS and others, but those will not work unless you buy a fixed IP address!
  4. As above, you cannot reach your hub network from the internet because Relish uses CGNAT, hiding you within their private network. To have normal home broadband you have to buy an IP address, that is, get the business package.
  5. The router/hub uses Network Address Translation (NAT) ONLY. The other options are greyed out, so you cannot set it to route the one IP address and use the router as a modem, which I would much prefer in order to connect it on to a proper router.
  6. There were sudden drop-outs in connection causing pauses. This problem persists but is now much less frequent after a firmware upgrade.
  7. No IPv6 support. Nor does it seem to be planned!
  8. Asynchronous. Upload speeds very poor, 4MBs.

At first the service was terrible and hardly worked at all, but I stuck with them. To be fair, you can send the hub back and cancel the contract at no charge within a month, so you can test it out for free. The help line advice was just to give up and send it back! I wanted it to work. After six weeks the poor signal strength shot up and I was getting speeds of up to 60mbs down and 10mbs up. Almost Korean speeds. During busy times, which here is during the day, it can fall to as low as 8mbs down and 4Mbs up for short periods. Still, these speeds are much better than Sky. And it is unlimited.

Relish marketing have designed the package to be plug and play. That is all very well, but what REALLY annoys me is that there is no technical information page. It's a take-it-or-leave-it attitude.

They describe it as home broadband without wires, but the basic package is not. Their advertising is naughty, especially as they do not give any details on their web page of what the service actually is. There is no reason to hide the truth, as it is still good value.

The base package is not home broadband, as you cannot reach your home from the internet, unlike almost all wired services except Hyperoptic. This could lead to other problems with games and any home cloud you have. Relish uses Carrier Grade Network Address Translation (CGNAT). In effect you are on their private internal network. You do not have a reachable IP address, so DynDNS and similar services will not work. This is in effect double NAT. This should not be necessary, as IPv6 is coming along, allowing everything and everybody to have an IP address. But CGNAT does act as a nasty block from the internet to your home device. Some might like this double firewall.

Hyperoptic are almost as bad, as they too use CGNAT, so you cannot reach your 1Gbs router from the internet; so you had to buy the fixed IPv4 address. But at least with them IPv6 is now rolled out, so that should no longer be necessary, although their router is clumsy handling it. Hyperoptic is fast, low ping and SYNCHRONOUS! £60pcm for full service and phone.

Hyperoptic today on Raspberry Pi: Download: 167.71 Mbit/s, Upload: 226.71 Mbit/s

At the start I fought with Relish's terrible help lines, and to their credit they offered me a business IP address, so I can reach my router here. I now pay £30pcm, no phone.

I wish that these businesses could have the courage to be more honest on their web pages about the product and give much more technical info. They sell their products as if they were a fridge: you plug it in and forget. For a business environment that's not good enough.

It's still good value. It is working pretty well, usually very fast, but had the occasional drop-out; that issue seems fixed.

Three Broadband (Relish) is now stable (May 2019), useful and fast enough. A few times it does drop to 6Mbs, which is the TOP speed we get on our Sky/BT lines, but it averaged 40Mbs. Relish/Three still lacks IPv6 support and this is becoming an increasing problem.

Test of Relish/Three on Raspberry Pi: Download: 33.08 Mbit/s, Upload: 3.83 Mbit/s

I have two connections at this apartment: slow Sky broadband (6Mbs) and Relish. For me Sky Broadband is now the spare connection (failover) should Relish fail. This switch is automatic; the DrayTek Vigor 2860 router I have does load balancing and failover. Sky has IPv6; Three Relish does not. I cannot use IPv6 at all, as default routing prefers IPv6, forcing the router to use the slower connection.