Plan to build our own self-hostable VPNAzure Services #1473
Replies: 20 comments 32 replies
-
If you need help visualizing what I'm talking about, here are pictures. Single Server and Client. (Single User Scale or Private Service) Multiple Servers and Clients. (Large Scale or Public Service)
-
proxy protocol v2 is a fairly recent beast. It allows encoding ssl parameters, but not much server software supports v2. That's nitpicking, do not take it seriously :) Thanks for your efforts, we'll drive it as much as possible
-
I'm open to any online event (I live in the YEKT timezone; except deep night, I'm awake)
-
What you are describing is usually called "vpn fronting", i.e. a reverse proxy using https (or tcp + proxy protocol). Not sure we'll benefit from using the term "vpn fronting"; naming itself does not change things
-
Lol ur awake. That's cool. Also I didn't know that term existed xD. But I still think it's worth a shot. Honestly it's probably what VPNAzure does behind the scenes anyway, so what's the difference?
-
As for the haproxy api, there's https://github.com/haproxytech/dataplaneapi
-
Documentation to keep track of for different Reverse Proxy products. At the end of the day, we only need to choose the one that works best: Traefik, Envoy, FRP, SSLH
-
What is the benefit of hosting a reverse proxy over installing a SoftEther server that cascades with your home server?
-
I really am going to test out SSLH. It seems like it has the best transparent proxy functionality which means there would need to be zero changes needed on the SoftEther VPN side. SSLH has the following major features needed to get this to work, such as-
PHASE I- Prototype & POC
(Btw, I am testing this on a SUPER cheap VPS that costs $2/mo. It's KVM but besides that it's very bare-bones. Which will mean two things. One, this works well with multiple clients on the cheap VPS and is a huge success. Or two, it works on the cheap VPS but performance is sub-optimal, which just means a more powerful VPS or dedicated server will be better for many clients. I usually get around 80 Mbps up/down on this provider's VPS so speeds should be good. I'm mostly concerned about latency, processing time, and dropped packets.) With all of that, you guys can test, review, and propose improvements and ideas on how to bring this to a more productive level. That will be for PHASE II.
-
PHASE II PRE-
This is it so far, so if anyone wants to try and work on these things, feel free! This is all related to the SoftEtherVPN Server. Possibly using something like WireGuard standalone can fix these issues. However, I love SoftEtherVPN and would prefer it, and these issues are totally fixable. PHASE I CHECKLIST
-
So I ran into a serious roadblock. I need to experiment to see if this is a SoftEther issue or an SSLH issue, but the proxy is unable to interact with the remote VPN server (aka the client). SSLH spits out this
When I run I am going to try using WireGuard standalone. If that works I will try messing with SoftEther as the server again, but we'll see.
-
Welp, WireGuard does not work, so SSLH is likely a false hope. While it works for local stuff, it will not work for clients connected from a VPN. There could be a way but honestly idk. I might try again with HAProxy later.
-
HAProxy works. Now I just need to get transparent proxying to work.
-
Honestly I'm doing too much too fast. I'm going to take a break from this. What I learned is that proxying is unnecessarily difficult for what it is, and SSLH is good for local proxying and multiplexing.
-
Well I found the issue on SSLH... It was the transparent part that's the issue. Which in a way is good because it's not necessarily a network limitation. However, this limits the ability to get the real IP. I am looking into iptables stuff to maybe fix this but idk.
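The proxy protocol mentioned earlier in the thread is the standard alternative to transparent proxying for carrying the real client IP through a fronting proxy (HAProxy can emit it with send-proxy-v2), though the backend has to understand the header. Added example, not code from this thread, SoftEther or HAProxy: a small Python encoder and parser for the v2 binary header, including the TLV area where the ssl parameters travel; the addresses and TLV values are constructed samples.

```python
import ipaddress
import struct

# PROXY protocol v2 constants, as defined in HAProxy's proxy-protocol.txt spec.
SIG = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION_CMD_PROXY = 0x21   # version 2, command PROXY
PP2_FAMILY_TCP4 = 0x11         # AF_INET, SOCK_STREAM
PP2_FAMILY_TCP6 = 0x21         # AF_INET6, SOCK_STREAM
PP2_TYPE_SSL = 0x20            # TLV type that carries the client's TLS details

def encode_v2(src_ip, src_port, dst_ip, dst_port, tlvs=b""):
    """Build the header a fronting proxy sends ahead of the client's own bytes."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families must match")
    fam = PP2_FAMILY_TCP4 if src.version == 4 else PP2_FAMILY_TCP6
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port) + tlvs
    return SIG + struct.pack("!BBH", PP2_VERSION_CMD_PROXY, fam, len(body)) + body

def parse_v2(data):
    """Return (src_ip, src_port, dst_ip, dst_port, tlvs, payload); src is None for LOCAL."""
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("no v2 signature: this connection did not come through the proxy")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated header; read more bytes before parsing")
    body, payload = data[16:16 + length], data[16 + length:]
    if (ver_cmd & 0x0F) == 0:      # LOCAL: the proxy's own health check, no client address
        return None, None, None, None, b"", payload
    alen = {PP2_FAMILY_TCP4: 4, PP2_FAMILY_TCP6: 16}.get(fam)
    if alen is None:
        raise ValueError("unsupported address family 0x%02x" % fam)
    src = ipaddress.ip_address(body[:alen])          # packed bytes -> address object
    dst = ipaddress.ip_address(body[alen:2 * alen])
    sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return str(src), sport, str(dst), dport, body[2 * alen + 4:], payload

def parse_tlvs(tlvs):
    """Split the TLV area into {type: value}; PP2_TYPE_SSL holds the ssl parameters."""
    out = {}
    while tlvs:
        if len(tlvs) < 3:
            raise ValueError("truncated TLV")
        t, length = struct.unpack("!BH", tlvs[:3])
        out[t] = tlvs[3:3 + length]
        tlvs = tlvs[3 + length:]
    return out
```

The real client address recovered this way is what a service host would log and rate-limit on; a connection whose first bytes carry no signature never passed through the proxy and should be rejected rather than trusted.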
-
With transparent proxying off using SSLH, here are the notes.
I plan to make documentation for two things.
-
Yep, documentation is really wanted
-
Hello Everyone, I just wanted to let you know I am still working on this and have recently made many major breakthroughs in getting this working! While it's not perfect, it works and is (in my opinion) much more functional and secure compared to VPNAzure/DynamicDNS, especially since you can choose the location of the server and not be forced to use far away Japan servers. I will be preparing a guide in the Wiki as well as a list of possible improvements that can be made to the SoftEtherVPN software itself to better support this method (such as writing scripts for automated configuration/maintenance). I'm still testing a few features and cleaning things up. Expect an article in the Wiki soon. I absolutely need people to (stress) test this, so let me know if you guys are still interested. Currently I am using my Home VPN server as the "client vpn server" and a Single Core 1GB RAM VPS (Canada) as the server. So far it works well and the only major issue is latency. But that is likely caused by the server's weak specs and far distance since I'm from the New York area.
-
It was a long journey, but it's complete! PLEASE test this and help me improve it
-
What I plan for testing
What I need from the SoftEther VPN Developers:
sed and cat to modify HAProxy if needed. Traefik does have a REST API if that is the Reverse Proxy choice.
The Main Issues
They will need to import both the public and private key for the SSL certificate on SoftEther in order for this to work. This may be insecure if using a Wildcard. Maybe if there was an easy way to get separate certs for each subdomain and allow the user to download their certs to import it will work. Traefik has Let's Encrypt support built in. I will try to test that out.
This is no plug and play solution like the current DynamicDNS and VPNAzure are. While the server owner needs to do most of the hard work, a user will still need to
There is a possibility the service can be abused if not set up properly, such as people using the service as a Free VPN. This will be a major problem for people who may want to host public services. We will need to work with the firewall and tweak as needed.
Final Notes
This will be a good solution for replacing DynamicDNS and VPNAzure if we can work it right. It will also be much easier compared to starting from scratch, and since we will be using standard software such as HAProxy and Let's Encrypt it will be easier to maintain compared to a huge new project. What we will need to do is work on making a simple registration frontend and work with the APIs available to us. Also, creating easy to follow documentation for possible service hosts and clients of their service will be very important.
So what do you guys say? Does this sound like it can work? It's easier said than done, but it's our best bet as of now!
P.S.
Why don't the SoftEther devs ever host an open conference? I would love to talk to you guys one day. I can set up a Jitsi Meet room on the Free Software Foundation's server if you'd like.