VPN to home

I have gigabit internet. It has long been a dream and so when it arrived I pounced at the opportunity. There was unfortunately a drawback, in that the provider uses CGNAT. Carrier Grade NAT is NAT as we all know it, but on an industrial scale. It’s used mostly by the mobile operators to reduce the number of IP addresses they need to own, but fixed line operators are getting in on the act. The big drawback if you run a home VPN server is that it wrecks dynamic DNS solutions.

I pay extra for a static IP address. There are technically solutions that shouldn’t require this, but they require effort and hacking around with software that I just don’t want to do. Anyway, it doesn’t cost much to have a static IP. After the ISP asked me a few questions to make sure I wasn’t just chasing something I didn’t understand, it was set up within hours.

My router is a Netgear Nighthawk R7000 with a built-in VPN server. Unfortunately it’s a bit old, and not quite as secure as the people that maintain Linux packages would like, and so by default they don’t let me connect my Linux laptop to it. Most advice you find will say “use a larger key”. Well, I can try petitioning Netgear, but I doubt that they’ll update the firmware, so I am stuck trying to convince OpenVPN to let me connect.

Well, here we go again. Hundreds of forum posts and comments later, I finally have the magic incantation. Edit the file ‘client2.ovpn’ that you obtained from the router and add the following (replacing the redacted IP, of course):

tls-cipher "DEFAULT:@SECLEVEL=0"
tls-version-min 1.0
route-gateway 192.168.xx.1
data-ciphers AES-128-CBC

I’m not giving much away with that IP, after all it’s the same one most of us have. I just randomise the penultimate digits to avoid a clash with whatever public network I happen to be going over.

Simply put, this is telling OpenSSL (the underlying library used by OpenVPN for encryption) to allow lower security levels, so that it will accept the router’s smaller key and older TLS, and telling OpenVPN where to route packets. The last part is a rename of the existing ‘cipher’ line, because for some reason it needs to be renamed. Ugh, I don’t know. Just do it, it works.
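As an added example (my own, not part of the post or of Netgear’s profile), here is a small audit script that reads an edited client2.ovpn and reports exactly what those directives relax: the OpenSSL SECLEVEL requested, the smallest RSA key that level will still accept, the TLS floor, and any data-channel ciphers in CBC mode (which lack authenticated encryption). The SECLEVEL-to-key-size table follows OpenSSL’s documented security levels; the sample profile is constructed from the four lines above with the IP left as a placeholder.

```python
import re
import shlex

# OpenSSL security levels and the smallest RSA modulus (bits) each accepts
# (level 0 imposes no minimum at all).
SECLEVEL_MIN_RSA = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

def parse_ovpn(text):
    """Map each directive of an .ovpn profile to its argument list.
    Inline blocks such as <ca>...</ca> become one multi-line string."""
    directives, block, body = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                  # inside <tag> ... </tag>
            if line == f"</{block}>":
                directives[block], block, body = ["\n".join(body)], None, []
            else:
                body.append(line)
        elif line and line[0] not in "#;":         # skip blanks and comments
            m = re.fullmatch(r"<(\w+)>", line)
            if m:
                block = m.group(1)
            else:
                name, *args = shlex.split(line)    # honours the "..." quoting
                directives[name] = args
    return directives

def audit(text):
    """Summarise what the profile relaxes: the OpenSSL SECLEVEL (None means
    the library default is in force), the weakest RSA key that level admits,
    the TLS floor, and data-channel ciphers in CBC mode (no AEAD)."""
    d = parse_ovpn(text)
    level = None
    m = re.search(r"@SECLEVEL=(\d)", " ".join(d.get("tls-cipher", [])))
    if m:
        level = int(m.group(1))
    ciphers = [c for arg in d.get("data-ciphers", d.get("cipher", []))
               for c in arg.split(":")]
    return {
        "seclevel": level,
        "min_rsa_bits": SECLEVEL_MIN_RSA.get(level),
        "tls_min": (d.get("tls-version-min") or [None])[0],
        "cbc_ciphers": [c for c in ciphers if c.upper().endswith("-CBC")],
    }

# Constructed sample: the four lines from the post, IP left as a placeholder.
SAMPLE = ('tls-cipher "DEFAULT:@SECLEVEL=0"\ntls-version-min 1.0\n'
          'route-gateway 192.168.xx.1\ndata-ciphers AES-128-CBC\n')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against a profile before and after the edit to see how far the floor has moved; a result of `min_rsa_bits: 0` means any key size the router presents will be accepted.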

I don’t need to do any of this on any other platform. I guess Linux is that good.

Linux encourages more reading. Reading is good.
