[TriLUG] Getting around ISP port blocks with VPN?

John Franklin via TriLUG trilug at trilug.org
Thu Jul 23 09:54:55 EDT 2020


On Jul 22, 2020, at 16:58, Brian via TriLUG <trilug at trilug.org> wrote:
> 
> I currently have business-class cable internet.  I've been thinking about dumping it for residential fiber.  What I'm trying to figure out is the best way to deal with possible port blocking that might be in place on the residential services.  Having a secured tunnel to some public interface out in the cloud somewhere seems like a possible approach, but I don't really know what words to use to describe it to Google well enough to find people selling such a thing.
> 
> Presently my home server/firewall simply has a public interface with ports open for the services I host.  What I imagine is instead there being a VPN (or some other secure tunnel) to a server in the cloud somewhere through which all my server traffic (i.e. connections initiated from outside) would be routed, thereby sidestepping any port blocks on my local ISP.
> 
> Is this a thing?  What do you call it?  Does anybody on the list already do something like this?
> 

A tunnel. You’ve got the right term.  A VPN service can do that for you, as others have described.  

Another option is to get an IPv6 /64 (or more!) from a tunnel broker, like Hurricane Electric (https://www.tunnelbroker.net/). If you go this route, then the connection out will be unencrypted at the network layer, but may still be encrypted at the application layer (TLS, SSH).  It’s possible for an ISP to do a deep(er)-packet inspection, see the tunneling envelope, and block based on the tunneled ports.  I don’t know if any of them bother.

The benefit of an IPv6 tunnel is each of your services (VMs) will have their own IPv6 address; the downside is they’ll be unreachable via legacy IP.

jf
-- 
John Franklin
franklin at elfie.org
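
An added illustration of the point above about the tunneling envelope (not part of the original message): Hurricane Electric's broker tunnels are 6in4, meaning IPv6 carried directly in IPv4 as protocol 41 with no encryption, so anything on the path can read the inner addresses and ports. The packet below is constructed sample data using documentation address ranges, and the function names are hypothetical.

```python
import struct
import ipaddress

PROTO_6IN4 = 41            # IPv6 encapsulated in IPv4 (RFC 4213)
PROTO_TCP, PROTO_UDP = 6, 17

def build_sample_6in4(dst_port):
    """Constructed sample: IPv4 header + IPv6 header + TCP SYN header."""
    tcp = struct.pack("!HHIIBBHHH", 50000, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    src6 = ipaddress.IPv6Address("2001:db8:1::10").packed
    dst6 = ipaddress.IPv6Address("2001:db8:2::25").packed
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), PROTO_TCP, 64) + src6 + dst6
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6) + len(tcp), 0, 0,
                      64, PROTO_6IN4, 0,  # checksum left at 0 in this sample
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address("198.51.100.1").packed)
    return ip4 + ip6 + tcp

def inspect_outer_packet(pkt):
    """Return what an on-path observer can read, or None if not 6in4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # outer IPv4 header length in bytes
    if ihl < 20 or pkt[9] != PROTO_6IN4 or len(pkt) < ihl + 40:
        return None
    inner = pkt[ihl:]                  # the tunneled IPv6 packet, in the clear
    if inner[0] >> 4 != 6:
        return None
    info = {"inner_src": str(ipaddress.IPv6Address(inner[8:24])),
            "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
            "inner_proto": inner[6],
            "dst_port": None}
    # Only the simple case is handled: TCP or UDP directly after the
    # fixed IPv6 header, with no extension headers in between.
    if inner[6] in (PROTO_TCP, PROTO_UDP) and len(inner) >= 44:
        info["dst_port"] = struct.unpack("!H", inner[42:44])[0]
    return info

if __name__ == "__main__":
    print(inspect_outer_packet(build_sample_6in4(25)))
```

With an encrypting VPN the outer packet carries only the VPN's own protocol and port, so the same inspection finds no inner header to read.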



