[TriLUG] Getting around ISP port blocks with VPN?

Aaron Joyner via TriLUG trilug at trilug.org
Thu Jul 23 09:17:35 EDT 2020


Managing persistent SSH tunnels from a cloud instance to your home, for
forwarding incoming traffic, would be quite a pain.  Lifting your
locally-hosted applications into the cloud is probably the right choice.

If you really do want to store the data locally but direct the traffic from
an external cloud instance (Linode, AWS EC2, GCP, etc) then you'd
probably want to use an IPSEC tunnel (GRE would be simpler, but the
security of IPSEC is cheap and useful).  Set up the cloud VM, then create
an IPSEC tunnel from it to your home, and use some basic iptables port
forwarding to get the traffic to flow from the cloud IP to your home.
Researching the details to build a working config is left as an exercise
for the reader.

As Michael points out, it's probably not necessary, as most residential
ISPs don't filter incoming traffic.  Do note that if you want to receive
mail on port 25, some cloud providers don't permit incoming connections to
port 25, as an antiabuse measure, so that plan might not work.

Best of luck!
Aaron S. Joyner
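The iptables port-forwarding step mentioned above, as an added example that is not part of the thread or anyone's posted configuration. It is the cloud-VM side only: it assumes the tunnel to the home network already exists and that the home server is reachable from the VM as 10.8.0.2 (an assumed tunnel address), that the VM's public interface is eth0, and that the tunnel shows up as an interface named ipsec0 (true for a route-based IPsec setup with an XFRM/VTI interface; a purely policy-based IPsec tunnel has no interface, and the `-i`/`-o` matches would need to be replaced with `-m policy` matches). `DRY_RUN=1` prints the rules instead of applying them so the result can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): forward selected inbound ports on a
# cloud VM across an existing tunnel to a home server. All names are assumed.
WAN_IF="${WAN_IF:-eth0}"        # assumed: VM's public interface
TUN_IF="${TUN_IF:-ipsec0}"      # assumed: tunnel interface toward home
HOME_IP="${HOME_IP:-10.8.0.2}"  # assumed: home server's tunnel address
DRY_RUN="${DRY_RUN:-0}"         # 1 = print commands instead of running them

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_port N: succeed only if N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# base_policy: turn on routing, default-deny forwarding, and allow only
# reply traffic back out of the tunnel. Run once before forward_port.
base_policy() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$TUN_IF" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# forward_port PROTO PUBLIC_PORT HOME_PORT: expose one service.
forward_port() {
    proto="$1"; pub="$2"; home="$3"
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_port: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    valid_port "$pub" && valid_port "$home" || {
        echo "forward_port: ports must be in 1..65535" >&2; return 1; }
    # 1. Rewrite the destination of new inbound connections to the home host.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$pub" \
        -j DNAT --to-destination "$HOME_IP:$home"
    # 2. Allow only that rewritten flow to be forwarded into the tunnel;
    #    everything else hits the FORWARD DROP policy from base_policy.
    run iptables -A FORWARD -i "$WAN_IF" -o "$TUN_IF" -p "$proto" \
        -d "$HOME_IP" --dport "$home" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Source-NAT toward the tunnel so the home server's replies come back
    #    through this VM rather than out its residential default route.
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -p "$proto" \
        -d "$HOME_IP" --dport "$home" -j MASQUERADE
}

# Example usage: review the rules for HTTPS and SSH with DRY_RUN=1 first.
# DRY_RUN=1 sh thisfile.sh
if [ "${0##*/}" = "thisfile.sh" ]; then
    base_policy
    forward_port tcp 443 443
    forward_port tcp 2222 22
fi
```

Two things worth knowing before using this for real. The MASQUERADE rule in step 3 means the home server sees every connection as coming from the VM's tunnel address, so its own logs and any fail2ban-style tooling lose the real client IP; the alternative is to skip the source NAT and instead give the home side a policy route that sends replies for these flows back through the tunnel. And because the FORWARD policy is DROP, only the ports you explicitly pass to `forward_port` are reachable from the internet, which is the property you want from a VM whose public address is now a front door to your LAN.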

On Wed, Jul 22, 2020 at 10:42 PM Stephen Bryant via TriLUG <
trilug at trilug.org> wrote:

> Hey Brian,
>
> I believe a reverse SSH tunnel would do what you’re looking for. I use one
> to access my storage server that lives at my brother’s house (lucky bastard
> with gigabit FTTH…). Basically, the server I have on his network initiates
> an SSH connection to a Linode VPS I have, listens to any requests made to
> the Linode on a given port, and then sends those requests to a port on the
> local server.
>
> As Michael mentioned though, you’ll want to check which ports are actually
> restricted by your new ISP. For example, the only thing my ISP blocks is
> port 25. That only matters for email, and I wouldn’t run email on a
> residential IP anyways, since I can’t control the rdns.
>
> Stephen
>
> > On Jul 22, 2020, at 4:58 PM, Brian via TriLUG <trilug at trilug.org> wrote:
> >
> > Hey Gang,
> >
> > I currently have business-class cable internet.  I've been thinking
> about dumping it for residential fiber.  What I'm trying to figure out is
> the best way to deal with possible port blocking that might be in place on
> the residential services.  Having a secured tunnel to some public interface
> out in the cloud somewhere seems like a possible approach, but I don't
> really know what words to use to describe it to Google well enough to find
> people selling such a thing.
> >
> > Presently my home server/firewall simply has a public interface with
> ports open for the services I host.  What I imagine is instead there being
> a VPN (or some other secure tunnel) to a server in the cloud somewhere
> through which all my server traffic (i.e. connections initiated from
> outside) would be routed, thereby sidestepping any port blocks on my local
> ISP.
> >
> > Is this a thing?  What do you call it?  Does anybody on the list already
> do something like this?
> >
> > Thanks,
> > -Brian
> > --
> > This message was sent to: Stephen Bryant <stephen at stephenbryant.net>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from
> that address.
> > TriLUG mailing list : https://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web        :
> https://www.trilug.org/mailman/options/trilug/stephen%40stephenbryant.net
> > Welcome to TriLUG: https://trilug.org/welcome
>
