How to use VPN with dynamic IP?

Some of you might want to use VPN Service with networks where routers has dynamically applied IP addresses periodically changed by the telecom company.

There are several options available depending on use case. Here we will review few cases we stumble upon while working with our VPN solution.

Auto-Discovery

This feature use vpn.greenscreens.io service as a mediator where VPN Service will register itself and VPN Client will use to detect VPN Service IP address. This is the easiest approach in combination with token only based protection.

Discovery mechanizm is quite safe as all requests are digitally signed by our application generated token and user provided token. Chances that someone take over and modify request is virtually impossible.

However, network encryption is safe as token is safe.  For increased security, we implemented TLS and digital certificates with full client authorization suport which brings new set of challenges related to how this technology works.

TLS / Certificate Challenge

Previous case will work in most of the cases except if TLS with certificates are used. When certificates are used, server certificate has to be properly configured as server IP address or domain name will be validated by the TLS engine. If there is no match, connection will be terminated.

That creates a problem with dynamic IP's as if address changes, certificate has to be changed with updated IP which is not quite the best way to do it.

Preparation

To solve a problem, first we need to know how to configure server certificate. There are two ways to do it.

  • use certificate CommonName as a server domain name
  • use certificate with SNI, SubjectAlternativeName which is a list of server virtual names

If possible, use later option as multiple names can be defined allowing single certificate to be used for multiple servers. Also, VPN Service and Client are developed to use SNI.

We created a simple, free and useful tool to generate certificates one can use to prepare TLS certs for our VPN Service. Find more here...  

Now, when we finally get our server certificate, let's see which solutions we might apply to get support for dynamic IP's.

Solution 1

Use DDNS (dynamic DNS service). Many routers today have an implemented support for DDNS. Registering virtual name to your router will enable router visibility from the Internet on this virtual name as name will be updated by the router every time IP changes.

Creating SNI based server certificates with registered virtual name in such case will always be valid regardless of IP address.

This is important as target parameter in VPN Client can be set to the virtual name instead of IP address. The same name will be used in certificate validation.

Solution 2

Second option is also related to SNI certificate specification.  VPN Client has an option to specify virtual name without router being registered to DDNS. Actually, solution is exactly the same as previous one, except virtual name does not have to be registered anywhere.

Instead, set Virtual name in certificate SubjectAlternativeNames list (domains list), and use "sni" parameter inside config.client file. Set it to the same name.

This might be easier option which allows to use IP address as a target with virtual names not registerd to DNS. Security is still good as our VPN solution requires full certificate chain validation.

Unregistered DNS names can be used for both, static and dynamic IP's where later requires auto-discovery enabled on VPN Service and VPN Client.

Final word

Our VPN solution is quite safe when TLS is used, as it requires full certificate chain validation. That means all certs must be set on boths sides of the VPN tunnel for VPN software to be able to validate remote certificate validity.

We hope, this short blog post gives enough information to get you started with IBM i running behind dynamic IP routers.

Keep watching our channels for future news and updates.