In case anyone is wondering about the state of L2TP on Linux: this is L2TPv2, which is not quite as common anymore. I am using "xl2tpd" downloaded directly from the upstream site, and compiled it myself, selecting their userspace implementation of L2TP because there is apparently a bug in the kernel version.
I also had to hack the configuration parser to not read "#" as a comment, because my password has a few of those in it :(
There are patches out there that claim to add IPv6 support. It turns out this is not necessary, as I suspected. The patches are for running the *tunnel* over an IPv6 network. Transport of traffic *inside* the tunnel is handled by the kernel PPP driver, which has supported IPv4/IPv6 for a long time.
So ... once again, if anyone wants to run a "home data center" or anything else that requires static IP addresses with no port blocking, I continue to strongly recommend aceinnovative.com Static IP VPN product. It is excellent.
5 Mbps, /29 IPv4, /64 IPv6, tunneled back to their data center using a router they provide at no additional cost, $15 for home users, $25 for business users.
I am a very happy nerd right now. I will probably run things like this for a couple of days just to make sure there are no other issues with the virtual router, and then send everything back over to the raised floor.
Since you have access to an air conditioned datacenter, I have something you can plug in for me. Its cooling fans are a little noisy, but it won't take up hardly any bandwidth when running, a few M a day at the most. And in a full sized DC you won't hear the noise anyway.
Regrettably, I don't have carte blanche to just throw anything in there.
I am thankful to have my one 2U server, and I don't make a lot of noise about it. It's hosting an open source project, which is reasonable since I am an IT Architect and it's a great way to keep the skill set up to date.
One of our big lines of business is disaster recovery services, so I happen to know quite a bit about that. I maintain that kind of practice for my own servers. Now that the VPN router is virtual, I can replicate it to the recovery site (my home) along with all of the other VMs, and everything just runs wherever it happens to be.
I don't know what it is, it has a sign that says 'antminer' :) Nah, I'd not actually seriously ask anyone to do that, they suck a lot of power at full speed (about 2k watts each box, which I can't do here without melting my power bill, so only running one these days, low hash rate). But having free power and cooling would be nice :)
Buying solar panels and batteries one at a time to put up next year for at least one of them, still at a low hash rate though. But I'm still tied to weather as they are in the garage, to keep them out of the weather. If it gets above 90 I have to shut them down (or move them inside and heat my house up, and run my AC costs up). Except for the noise, they make great space heaters in the winter though.
Every time I see an empty power socket in the park or a solar farm or something I keep thinking, I wonder if I could back the jeep up to it and plug in for a few hours. lol
Would love to be able to run 1000 of them in a building. Make it a full time job.
Sat Sep 18 2021 11:48:06 PM EDT from IGnatius T Foobar
Is it a Tor exit node? :)
So ... once again, if anyone wants to run a "home data center" or
anything else that requires static IP addresses with no port blocking,
I continue to strongly recommend aceinnovative.com Static IP VPN
product. It is excellent.
5 Mbps, /29 IPv4, /64 IPv6, tunneled back to their data center using a
router they provide at no additional cost, $15 for home users, $25 for
business users.
How much stock from Ace do you own?
My country counts as a technological shithole and we can still get public static (or pseudostatic) IP addresses with no port blocking or anything. We get some traffic throttling if we abuse some protocol, but that is to be expected. I mean, not many users have a legit reason to deliver 400 emails per minute...
I'm not 'back woods' and here, our entire neighborhood is NATed by default. So no direct open ports for you unless you pony up more $. Sure it's doable, but then you are getting into business service territory, and doing the VPN may be cheaper, or at least competitive, AND you don't risk your home connection to DoS attack.
My hosting provider for web/email (business class) limits the number of emails going out, unless you pay more. Hell, even O365 has limits that prevent me from using it at the office for the application I support (I send out perhaps 300k messages a business day.. easy).
How much stock from Ace do you own?
I think they're a privately held company, actually. They're just an ordinary service provider in NYC. From 2001 through 2009 they were my ADSL provider at home, static IP and no port blocking in a place where that was not a common practice. Then when everything went to fiber, Verizon pulled a scumbag move and declared that fiber didn't count as one of the unbundled elements they were required to offer as part of the 1996 deregulation agreement. This of course screwed all of the CLECs who depended on Verizon for the last-mile attachment.
The static IP VPN service is basically their way around that problem. It basically uses the Internet itself as the carriage between them and the subscriber.
In fact, as far as I can tell, it lands the subscriber on the exact same access server they are using for ADSL subscribers, but instead of the L2TP connection coming from Verizon, it comes directly from the subscriber's physical location over a third party network.
This works well for me because the *actual* location of the servers has some protection from anyone who might want to inflict harm upon it. It's capped at 5 Mbps and there are no inbound ports open. Last year I was frightened by a spam email, which turned out to be a hoax (as they usually are), that claimed I was going to get a massive and sustained DDoS unless I gave them a bunch of Bitcoin. As unlikely as this was, I couldn't take a chance, because I am employed by the company that operates the data center, and that would have attracted a lot of undue attention -- even though I have permission for it to be there.
Now, all of my web properties are in a network address space owned and operated by Ace, regardless of where the physical servers are actually connected. And furthermore, now that I've virtualized the router, I can move everything between physical sites just by copying over all of the virtual machines and spinning up the virtualized router in whichever location I want to run.
All of this is to say, I have no financial interest in Ace, I am just a very happy customer. I want other people to subscribe to their service because I want the service to be around for a long time.
Agreed. I am not backwoods either - and have the same issue as Nurb. In large metro areas, if you want a static IP that you can open ports on to host, you're considered a business, and you pay business rates.
Even for a little hobbyist Citadel BBS.
Ace resolves this. They sent me a router, I hooked it up, asked them a few questions, got everything sorted and it just works. I pay $15 a month, they don't ask, I don't ask - my ISP just sees a VPN tunnel. It is all pretty awesome.
Mon Sep 20 2021 15:39:44 EDT from IGnatius T Foobar
How much stock from Ace do you own?
All of this is to say, I have no financial interest in Ace, I am just a very happy customer. I want other people to subscribe to their service because I want the service to be around for a long time.
So I have to ask, how did you pull off doing it in a VM?
While I have business class fiber so I don't *need* it, it might come in handy in the future.
1. Subscribe to the service and test it with their router.
2. Ask them for the tunnel passwords, get a reply that they don't support anything except their own router, promise to not ask for support, they eventually supply the passwords, but not before I did a password recovery on the router and extracted the tunnel credentials myself.
3. Install a virtual machine with interfaces on two networks: one to the public Internet, and one on the network where the hosted servers will live.
Mine is running Ubuntu 20.
4. Install "xl2tpd". I had to install it from source, for two reasons: (1) there is a bug in the kernel L2TP that makes it not work right with this service, but xl2tpd can be compiled to use its own userspace implementation; and (2) my password has some "#" characters in it, and I had to disable that being parsed as a comment.
5. Install pppd.
The stock one from the repo is fine.
6. Set the inside network interface to the IPv4 and IPv6 gateways for the hosted network.
7. Configure L2TP and PPP. This takes a *lot* of fiddling around, because Ace does something a bit weird: they use *different* credentials for the L2TP session and the PPP session.
(A side note here -- they actually set up two tunnels, one for router management and one for you to actually use. You can disable the management session and use it as your first test.)
There are a lot of PPP options to mess around with. Basically you have to tell it that you don't require authentication from their end, but we do have to send authentication to them, using CHAP. And you want to tell it to let the other end set both the local and remote ppp interface addresses, for both IPv4 and IPv6.
I added a script of my own to /etc/ppp/ip-up.d/ that handles a bit of routing. Basically I have it sending all traffic through the tunnel except for the tunnel endpoint itself. I will probably play around with this a bit. I'd like to try moving the ppp interface and the inside network into a separate namespace once the tunnel is established, so the VM itself still has Internet access. Oh, and you have to enable IP forwarding on the Linux machine, of course.
Obviously, the message for most people here is "just use their router, it's easier". And it really is. I went through all of this work because (1) I wanted to send the workload over to a place where I could not send the physical router; and (2) I am just that kind of nerd. Most people who subscribe to this service will probably be like PD, with separate server hardware attached to the switch ports on the router, and very happy with that arrangement. For me, with decades of data center experience, the virtual overlay network is more to my liking.
But if anyone *does* want to do it my way, I would be happy to share an image of the virtual router.
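The steps above (separate tunnel and PPP credentials, CHAP sent one way only, peer-assigned addresses, and an ip-up hook that pins the L2TP endpoint on the uplink and routes everything else into the tunnel) as an added, self-contained example. This is not the post author's configuration and not anything from xl2tpd or Ace; every host name, user name and secret in it is a constructed placeholder, the LAC section name "ace" and the file names are arbitrary, and it stages the files under a scratch directory so they can be reviewed before being copied into /etc on the VM.

```shell
#!/bin/sh
# Added example, not the thread author's files: stages an xl2tpd + pppd client
# setup with separate L2TP-tunnel and PPP credentials, no authentication
# demanded from the peer, peer-assigned addresses on both ends, and an ip-up
# hook that pins the LNS route on the physical uplink and defaults into the
# tunnel. All names and secrets below are constructed placeholders.
set -eu

LNS_HOST="lns.example.net"        # placeholder: provider's L2TP access server
TUNNEL_NAME="subscriber-router"   # placeholder: host name sent during tunnel setup
TUNNEL_SECRET="tunnel-secret"     # placeholder: L2TP tunnel (challenge) secret
PPP_USER="ppp-user@example.net"   # placeholder: PPP CHAP user name
PPP_SECRET="ppp-secret"           # placeholder: PPP CHAP secret

# Unpatched xl2tpd treats "#" as a comment start in its config and secrets
# files, so a secret containing "#" would be silently cut short. Returns 1
# when the secret cannot be written without patching the parser.
secret_is_safe_for_xl2tpd() {
    case "$1" in *'#'*) return 1 ;; esac
    return 0
}

# xl2tpd.conf with one LAC section dialling the provider. "challenge = yes"
# turns on L2TP tunnel authentication with the secret from "auth file", a
# credential separate from the PPP login.
write_xl2tpd_conf() {
    mkdir -p "$ROOT/etc/xl2tpd"
    cat > "$ROOT/etc/xl2tpd/xl2tpd.conf" <<EOF
[global]
port = 1701
access control = no
auth file = /etc/xl2tpd/l2tp-secrets

[lac ace]
lns = $LNS_HOST
name = $TUNNEL_NAME
challenge = yes
redial = yes
length bit = yes
autodial = yes
pppoptfile = /etc/ppp/options.l2tpd.client
EOF
    # Format: <local name> <remote name> <secret>; "*" matches any name.
    printf '* * %s\n' "$TUNNEL_SECRET" > "$ROOT/etc/xl2tpd/l2tp-secrets"
    chmod 600 "$ROOT/etc/xl2tpd/l2tp-secrets"
}

# pppd options: we authenticate with CHAP (refuse PAP), we do not require the
# peer to authenticate (noauth), the peer assigns our IPv4 address
# (noipdefault) and our IPv6 interface id (ipv6cp-accept-local), and routing
# is left to the ip-up hook (nodefaultroute).
write_ppp_options() {
    mkdir -p "$ROOT/etc/ppp"
    cat > "$ROOT/etc/ppp/options.l2tpd.client" <<EOF
noauth
refuse-pap
name $PPP_USER
noipdefault
+ipv6
ipv6cp-accept-local
nodefaultroute
persist
EOF
    # chap-secrets format: client server secret IP-addresses
    printf '"%s" * "%s" *\n' "$PPP_USER" "$PPP_SECRET" > "$ROOT/etc/ppp/chap-secrets"
    chmod 600 "$ROOT/etc/ppp/chap-secrets"
}

# Hook run via /etc/ppp/ip-up.d after the tunnel is up ($1 = ppp interface).
# Pins a host route to the LNS through the current uplink gateway, then moves
# the default route into the tunnel and enables forwarding for the inside net.
write_ip_up_hook() {
    mkdir -p "$ROOT/etc/ppp/ip-up.d"
    hook="$ROOT/etc/ppp/ip-up.d/tunnel-routes"
    cat > "$hook" <<EOF
#!/bin/sh
set -eu
LNS_HOST="$LNS_HOST"
PPP_IF="\$1"
LNS_IP=\$(getent ahostsv4 "\$LNS_HOST" | awk 'NR == 1 { print \$1 }')
# On a redial the default already points into the tunnel, so only pin the
# LNS route while the default route still goes via a real gateway.
UPLINK_GW=\$(ip -4 route show default | awk '/^default via/ { print \$3; exit }')
if [ -n "\$UPLINK_GW" ]; then
    ip route replace "\$LNS_IP" via "\$UPLINK_GW"
fi
ip route replace default dev "\$PPP_IF"
ip -6 route replace default dev "\$PPP_IF" 2>/dev/null || true
sysctl -w net.ipv4.ip_forward=1 >/dev/null
sysctl -w net.ipv6.conf.all.forwarding=1 >/dev/null
EOF
    chmod 755 "$hook"
}

# Stage everything under ROOT (default: a scratch directory under /tmp).
stage_config() {
    ROOT="$1"
    secret_is_safe_for_xl2tpd "$TUNNEL_SECRET" || {
        echo "tunnel secret contains '#': patch xl2tpd's parser first" >&2
        return 1
    }
    write_xl2tpd_conf
    write_ppp_options
    write_ip_up_hook
    echo "staged under $ROOT"
}

stage_config "${1:-/tmp/l2tp-staging}"
```

Run it with a target directory as the only argument, inspect the four generated files, then copy them into /etc on the VM and start xl2tpd; the hook only pins the LNS route when the default still goes via a gateway, so a redial after the default has moved into the tunnel does not wedge the routing table. The hook does not yet move the ppp interface into a separate namespace; that is the part the post says is still being explored.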
Cool. While it would not be my first choice, it could provide an option in a pinch where moving their router wasn't practical, if I ever needed to go down that route. The two things that are appealing to me would be not having to expose my home IP, and the 5 Mbps bandwidth limitation to avoid a general DoS.
Lol, ran across a set of NetWare 3.2 manuals and guides in the garage. (I was a certified NetWare dude at one point in the '90s; mostly useless, but it did get me one job, I guess.)
No, won't donate those; into the recycle bin they go.
Never noticed this, but apparently the VPN service I use offers a 'static ip' option. Was setting up my phone and saw the option "apply key here"... Might look into that to see how much; could be an option to stick some of my servers back on the open net and not get DoSed to death. (They are OpenVPN based, so no funny stuff needed.)
I sent a note off to their support people. Will let you know what they say.
I was looking at AWS pricing the other day, looks like it's somewhere around 70 bucks a year for a 'base' Linux VM on EC2. I wonder if that might not be an option?
Sun Oct 10 2021 05:15:01 PM EDT from IGnatius T Foobar
Find out if they allow servers. I haven't found anyone other than Ace who allows servers, and I would love to have a backup option in case anything ever happens to Ace.
Looks like it's 'outbound' only for the time being, but may be on their radar at least..
"I appreciate your interest with our Dedicated IP, however port forwarding is not yet supported for this feature. In addition, web hosting though may be possible with using our VPN at some point, this is still not supported on our end. "
So this reads, "You can do it, but we don't want to know about it, and we won't help you if it doesn't work."
Sun Oct 10 2021 18:20:13 EDT from Nurb432
Looks like it's 'outbound' only for the time being, but may be on their radar at least..
"I appreciate your interest with our Dedicated IP, however port forwarding is not yet supported for this feature. In addition, web hosting though may be possible with using our VPN at some point, this is still not supported on our end. "