Some of you might want to use VPN Service with networks where routers have dynamically applied IP addresses periodically changed by the telecom company.
There are several options available depending on use case. Here we will review few cases we stumble upon while working with our VPN solution.
Auto-Discovery
This feature use vpn.greenscreens.io service as a mediator where VPN Service will register itself and VPN Client will use to detect VPN Service IP address. This is the easiest approach in combination with token only based protection.
Discovery mechanism is quite safe as all requests are digitally signed by our application generated token and user provided token. Chances that someone take over and modify request is virtually impossible.
However, network encryption is safe as token is safe. For increased security, we implemented TLS and digital certificates with full client authorization support which brings new set of challenges related to how this technology works.
TLS / Certificate Challenge
The Previous case will work in most of the cases, except if TLS with certificates are used. When certificates are used, the server certificate has to be properly configured as server IP address or domain name will be validated by the TLS engine. If there is no match, the connection will be terminated.
That creates a problem with dynamic IP's as if the address changes, the certificate has to be changed with the updated IP which is not quite the best way to do it.
Preparation
To solve a problem, first we need to know how to configure a server certificate. There are two ways to do it.
- use certificate CommonName as a server domain name
- use certificate with SNI, SubjectAlternativeName which is a list of server virtual names
If possible, use the later option as multiple names can be defined, allowing a single certificate to be used for multiple servers. Also, VPN Service and Client are developed to use SNI.
We created a simple, free and useful tool to generate certificates one can use to prepare TLS certs for our VPN Service. Find more here...
Now, when we finally get our server certificate, let's see which solutions we might apply to get support for dynamic IP's.
Solution 1
Use DDNS (dynamic DNS service). Many routers today have an implemented support for DDNS. Registering a virtual name to your router will enable router visibility from the Internet on this virtual name, as the name will be updated by the router every time IP changes.
Creating SNI based server certificates with registered virtual name in such case will always be valid regardless of IP address.
This is important as the target parameter in VPN Client can be set to the virtual name instead of IP address. The same name will be used in certificate validation.
Solution 2
The second option is also related to SNI certificate specification. VPN Client has an option to specify virtual name without router being registered to DDNS. Actually, the solution is exactly the same as the previous one, except the virtual name does not have to be registered anywhere.
Instead, set Virtual name in certificate SubjectAlternativeNames list (domains list), and use "sni" parameter inside config.client file. Set it to the same name.
This might be an easier option which allows using IP address as a target with virtual names not registered to DNS. Security is still good as our VPN solution requires full certificate chain validation.
Unregistered DNS names can be used for both, static and dynamic IP's, where later requires auto-discovery enabled on VPN Service and VPN Client.
Final word
Our VPN solution is quite safe when TLS is used, as it requires full certificate chain validation. That means all certs must be set on both sides of the VPN tunnel for VPN software to be able to validate remote certificate validity.
We hope, this short blog post gives enough information to get you started with IBM i running behind dynamic IP routers.
Keep watching our channels for future news and updates.