I live in a country where wireguard, openvpn and other vpn protocols have been blocked. Tailscale and Cloudflare Tunnels don’t wok either. I do have a public ip and my router supports DMZ and port forwarding. For security concerns I’m not willing to forward ports. Is there any other method to use my VPS to forward traffic to my home server?

    • mFat@lemdro.idOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      That used to work but it doesn’t anymore. Openvpn over cloak still works apparently. I’ll give it a try.

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    9
    ·
    1 year ago

    I’m surprised they block WireGuard, especially with a preshared key. That makes it essentially pure randomness over UDP. I’d assume they block popular VPN providers and tunneling services which makes it easier to block by blocking the setup process which is usually just HTTPS.

    Have you tried a basic plain WireGuard between your home and your VPS, with a preshared key and using some other protocol’s port? Maybe like UDP on port 443 so it looks like QUIC?

      • Max-P@lemmy.max-p.me
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        Quick glance at the script shows it does randomize the port (but in the upper end of the space), but does not do preshared keys.

        The PSK can hide the protocol better by not looking like a key handshake. Although I’m not sure ISPs have quite reached that level yet.

        If you’re in China, there’s been some recent research showing that they block things that looks encrypted based on the entropy of the bits in a packet. I couldn’t find the bypass software anymore but that might help you as well.

        If you’re not in China something like the XRay/v2ray proxy or shadowsocks might help as well.

        Although honestly, port forwarding with a firewall only allowing your VPS IP should honestly be fairly sufficient security-wise. You could also try inverting the WireGuard connection and have the VPS connect to your home through port forwarding, traffic analysis is usually on egress not ingress.

    • lvl@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Wireguard is not meant to bypass detection of any kind of Deep Packet Inspection technology. It’s also stated by the project website, under the Known Limitations sections.

      https://www.wireguard.com/known-limitations/

      There are many characteristics (except the handshake) which can make it stand out as a P2P or VPN(-ish) traffic, and then get blocked.

  • cerothem@lemmy.ca
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    1 year ago

    Might I suggest Fast Reverse Proxy ( https://github.com/fatedier/frp )

    It’s a great solution if you don’t have a public IP or can’t/don’t want to open any ports.

    I found it super easy to setup and configure. I put caddy in front of the server side for mine to ssl offload there. But you could also route everything down the tunnel it makes and use a local reverse proxy to handle SSL offloading

  • zikk_transport2@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    Some time ago I’ve done a “public IP implementation” on my VPS when I was on mobile network (no public IP).

    Basically set up IPSec/Wireguard on VPS and connect your router to it. Then setup EoIP over VPN between VPS and your router. Then add EoIP tunnel to your LAN’s bridge in your router.

    Then setup all ports forwarding (using iptables) from your VPS to your router on LAN, so if you connect to your VPS using tcp80, it will be simply forwarded (NAT’ed) to your router. Except tcp22, for SSH to your VPS obviously…

    And now you have yet another public IP lol.

    This is not something you asked, but might give you some ideas.

    • humanreader@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      So that setup effectively gives you an all-ports available connection (except 22) from your mobile device and anything that connects through it, like a laptop? The exit node would be the VPS.

      Could I skip the home router and EoIP+VPN directly between mobile and VPS, for instance?

      I am in a situation (restrictive firewall on ethernet/wifi, prefer personal mobile connection but it’s cgnat or something equally crap) this could be very useful for me.

      • zikk_transport2@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Technically like this:

        Anyone -tcp80-> vps -tcp80-> router -tcp80-> homeserver.

        Exit of homeserver-originated traffic would be your router, not vps. Unless you specify custom routes in your router, then yeah, might be possible.

        Also you don’t need EoIP tunnel at all, since it’s all in Layer4.

  • Catsrules@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    What is your ultimate goal? Are you trying to host stuff from your home though the VPS? Or are you trying to use the VPS as an internet connection? Or something else.

    I would follow the other comments first try OpenVPN over 80 or 443 or SSL.

    If your just interested is using the VPS’s internet at home you could look at a hosting an internet proxy from the VPS. I think that would be all HTTPs traffic so it would just look like normal web traffic to the outside world and be hard to detect. Although it would limit your traffic to just HTTP traffic.

    If your just trying to access your network remotely though the VPS. Depending on what kind of access you need. You could look at something like hosting Meshcentral on your VPS. It is mostly for remote controlling computers so you could access your network via a local computer or you could look at a feature called meshcentral router.

    You can install that on a laptop and then used that to remote port to a local port on your laptop.

    • mFat@lemdro.idOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      My goal is to be able to access local services running in a NUC at home. Currently it’s Jellyfin and i plan to set up Immich too for backing up photos.

      I currently use Xray/Shadowsocks on the same vos to bypass the censorship, but they are proxies not VPNs.

      Never heard of meshcentral‌, will have a look at documentation. Thanks.

  • Rearsays@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    Try harder.

    But no actually try a different vpn on a port like https or something up like a Skype call port

    • mFat@lemdro.idOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      It’s not about port numbers anymore. Their firewall even blocks normal https traffic when huge amount of data is being sent/received. They are getting smarter at guessing if the traffic is normal or it’s a vpn.

      • Rearsays@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        So they’re scanning destinations. If they look like a vpn then they squash you. Very ccp of them

      • Rearsays@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I have no idea how to set it up but you’re looking for is v2ray and shadow socks

        • mFat@lemdro.idOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          They are what I use but they’re proxies not VPNs. Not sure they work for tunneling traffic from vps to home.

  • drdaeman@lemmy.zhukov.al
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    SSH is an obvious thing to try, but I suppose it may get cut off by the same DPI.

    Possibly, ShadowSocks or obfs4proxy might be of some help? E.g. you can wrap Wireguard traffic in ShadowSocks (AFAIK it supports UDP).

  • ColdCreasent@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    If you live in a country with the regular vpn protocols being blocked, you will need to be more specific with a vpn that obfuscates the network connection. Something like Astril or expressvpn will both have tunnel obfuscation. At that point it’s less about hiding your activity, and more about gaining access to other sites because I wouldn’t vouch for the privacy on those two vpns.

    • mFat@lemdro.idOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      ExpressVPN used to work but it got blocked too. I need a personal VPN solution to host on my own server. Currently we use Xray/V2ray to access restricted websites but they’re proxies, not proper VPNs.

      • godless@latte.isnot.coffee
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Express has been shit since forever.

        I’m assuming you’re in China? Astrill is using a proprietary vpn protocol and hardly ever has downtimes (use the stealth mode or install it on the router directly).

      • ColdCreasent@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        As godless has stated, and I was also using astril when I was in China. For a personal option, I am not aware of a personal vpn that also includes obfuscation and is not using blocked vpn technologies/techniques.

  • Pol@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    13
    ·
    1 year ago

    Using OpenVPN will force you to open ports and do NAT on your local network.

    I would suggest to install Tailscale… And you will never use anything else.

    Lot me know how it goes!