I should know that secure network connectivity is just one part of IT security. But it seems a VPN to my home is a little bit of an overkill. I’ve now got an OpenVPN server set up at home so that I can connect back home. The two services I use out of my home are SSH, for shell access to my Linux box, and IMAPS, which I use to archive mails to that same box.
Both SSH and IMAPS are already encrypted on their own. They should be quite fine without any additional encryption or VPN protection. In fact, I’ve previously been using SSH and IMAPS directly without tunnelling through any VPN. Just recently I got around to installing OpenVPN. It’s not because I needed that additional protection, but because new circumstances with my network required that change.
You see, I got onto fibre broadband. The ISP provided me with a broadband router. That router wasn’t really great. You can tell some of that just by reading the specifications and comparing the listed features. But the problem is that there are more nitty-gritty details that don’t get mentioned, and this router couldn’t do some little things that I needed it to do.
If you were to go out shopping for a broadband router, and you had some special requirements, you’d find it very difficult to figure out which router would meet those requirements. It won’t get listed on the box or on their website, and most likely it’s not even something that reviewers will talk about.
For me, it’s this little thing about accessing my Linux box. Most routers can provide port forwarding features from the public WAN interface to NAT’ed hosts on the internal LAN interface. There are many names for this feature, but fundamentally most decent broadband routers will do this.
When you are connecting from outside (i.e. the WAN), you use the public IP address of your broadband router. When you connect from inside (i.e. the LAN), which IP address do you use? The simple answer is to use the actual IP of that server, i.e. the private IP on the internal LAN.
But this is troublesome for me. Imagine this: my mail client needs to be configured with the IP (or hostname) of my server. If that IP needs to be changed depending on whether I’m outside or inside, it means I’ve got to keep changing my mail client’s configuration.
My previous broadband router had this interesting behaviour. I configure my mail client to use the public WAN IP. That works, of course, when I’m outside. What if I’m connecting from the internal LAN? Well, the traffic gets routed to the broadband router, and it realizes that, hey, this traffic is for itself. Then, it applies the port forwarding rules, and sends the traffic back to the server on my internal LAN. Very nice. My mail client’s configuration is fixed, and it works regardless of whether I’m outside or inside.
This doesn’t work anymore on that broadband router that came with the fibre broadband setup. On the internal LAN, if I try to access the public WAN IP, the traffic doesn’t seem to get back to the internal server.
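The two router behaviours described above, as an added example that is not the author's code and models no particular router's firmware: a small Python model of a port-forwarding rule, with and without "hairpin" (NAT loopback) handling for clients on the LAN. All addresses, ports and the forwarding table are constructed for the illustration; it also shows why rewriting the destination alone is not enough for a LAN client, since the server's reply must come back through the router to be un-translated.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the illustration (not the author's network).
WAN_IP = "203.0.113.10"                 # public address on the router's WAN side
LAN = ip_network("192.168.1.0/24")
ROUTER_LAN_IP = "192.168.1.1"
SERVER = "192.168.1.20"
# Port-forwarding table: WAN_IP:port -> (internal host, port); SSH and IMAPS.
FORWARDS = {22: (SERVER, 22), 993: (SERVER, 993)}


def forward(pkt, mode):
    """Translate a packet as the router would, or return None if it is not forwarded.

    pkt: dict with src, sport, dst, dport.  mode:
      "wan_only"  - the forward rule is applied only to packets arriving from the WAN
      "dnat_only" - also applied to LAN packets, but the source is left untouched
      "hairpin"   - LAN packets additionally get their source rewritten to the
                    router's own LAN address, so replies return through the router
    """
    from_lan = ip_address(pkt["src"]) in LAN
    if pkt["dst"] != WAN_IP or pkt["dport"] not in FORWARDS:
        return None                         # not a forwarded service
    if from_lan and mode == "wan_only":
        return None                         # router handles (or drops) it itself
    out = dict(pkt)
    out["dst"], out["dport"] = FORWARDS[pkt["dport"]]   # DNAT to the internal server
    if from_lan and mode == "hairpin":
        out["src"] = ROUTER_LAN_IP                      # SNAT: reply comes back via router
    return out


def reply_accepted(pkt, mode):
    """Does the client get a reply from the address:port it actually connected to?"""
    fwd = forward(pkt, mode)
    if fwd is None:
        return False
    # The server replies to whatever source address the forwarded packet carried.
    # If that is the router, or a host outside the LAN (reached via the router as
    # default gateway), the router reverses the DNAT on the way back.  A LAN
    # client addressed directly gets the reply from the server's private IP,
    # which does not match the WAN IP it connected to.
    via_router = fwd["src"] == ROUTER_LAN_IP or ip_address(fwd["src"]) not in LAN
    reply_src = (WAN_IP, pkt["dport"]) if via_router else (fwd["dst"], fwd["dport"])
    return reply_src == (pkt["dst"], pkt["dport"])
```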
The not-so-elegant solution now, for me, is to configure my mail client to use the internal LAN IP of the server. I can access it directly on that IP when I’m home. When I go out, my notebook has to VPN back to the home server first, then the mail client continues to be able to access the server on its internal LAN IP.
Overkill for a VPN. Setting up OpenVPN on my Ubuntu box wasn’t as simple as I had expected it to be. But it makes my mail connection simple. I can also SSH in the same way, regardless of whether I’m home or out. A troublesome one-time setup, but simple to use thereafter.
PS: Tunnelblick seems to have gotten pretty slick. OS X Mountain Lion users will find that you’ll need the latest Tunnelblick beta.