Editor’s note: Well this one got away from me. VPN is not a choice. While I learned a lot from the exercise, a reverse proxy seems to be the solution. I’ve also used this post to document several of the small things I learned along the way.
I have an easy way to implement a home VPN with my ProxMox server, or so it would seem. PiVPN with WireGuard seems to be the go-to solution regardless of platform. I recently switched to T-Mobile Home Internet to save a few bucks a month. However, the router has no advanced features such as IP reservations and port forwarding. Nor can you turn off DHCP.
To use advanced features, I connected the T-Mobile router (192.168.12.1) to the WAN port of my Asus RT-AC68U (192.168.1.1), which is a full-function router. I use it for DHCP and IP reservations. This adds an extra hop (router) to access the internet that doesn’t seem to have much extra overhead. I don’t think this extra hop will interfere with port forwarding to the VPN server on the Asus router.
I’ve also read that T-Mobile Home Internet has frequent public IP address changes (Dynamic DNS). This makes it important to implement a routine to maintain the DNS entry for lynnhargrove.com and update it frequently. Since a DNS change for my IP address can take up to 48 hours to propagate from NameCheap, the lag may be too great to be effective. We’ll see.
I am going to use ddclient to update my Dynamic DNS entry. Dima’s Blog has a nice tutorial that just happens to also use NameCheap. It’s a simple routine that I will install on my Transmission VM.
Transmission is an Ubuntu 22.10 server that’s idle most of the time. However, I failed to recognize that when you install the latest version of Ubuntu, it’s only supported for nine months. The LTS version (22.04) is released every two years with five years of full support and five more years of extended support.
Ubuntu 22.10 expired and I need to upgrade it. I’m a believer now. It’s LTS from now on. To upgrade an expired version, edit /etc/apt/sources.list and change each occurrence of ‘us.archive’ to ‘old-releases’. Then do an ‘update’ and ‘upgrade’. Next do a ‘do-release-upgrade’. This will disable some third-party entries in sources.list. Re-enable them after the upgrade with the ‘software-properties’ tool.
When upgrading EOL releases, change ‘us.archive’ or just ‘archive’ to ‘old-releases’ in sources.list. Also, change release code name to the next code name in succession. For example, change ‘kinetic’ to ‘lunar’.
I had one interesting problem on the PiHole upgrade. I had installed it on a minimal Ubuntu server that had expired. I could not install an editor and the only thing resembling a text editor is sed. This is the command that made the upgrade possible:
sudo sed -i 's/us\.archive/old-releases/' /etc/apt/sources.list
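As an added example (not from the post), the sources.list edit described in the steps above as a small POSIX sh function: it points an EOL release at old-releases.ubuntu.com, optionally swaps the codename, and keeps a backup first. The function name and the .bak suffix are my choices.

```sh
#!/bin/sh
# Added example (not from the post): the sources.list edit described above as a
# small function that points an EOL release at old-releases.ubuntu.com and,
# optionally, swaps the codename. Function name and backup suffix are my choices.
# Usage: point_sources_at_old_releases /etc/apt/sources.list kinetic lunar
point_sources_at_old_releases() {
    file="$1"; old="$2"; new="$3"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Keep a copy: this file decides where apt fetches packages from.
    cp -p "$file" "$file.bak"
    tmp="$(mktemp)"
    # us.archive.ubuntu.com, archive.ubuntu.com and security.ubuntu.com all drop a
    # release once it is EOL; old-releases.ubuntu.com keeps its final package set.
    sed -e 's#://[a-z.]*archive\.ubuntu\.com#://old-releases.ubuntu.com#g' \
        -e 's#://security\.ubuntu\.com#://old-releases.ubuntu.com#g' "$file" > "$tmp"
    if [ -n "$old" ] && [ -n "$new" ]; then
        # The codename appears as "kinetic main ..." and as "kinetic-updates ...";
        # rewrite both forms and nothing else on the line.
        sed -e "s/ $old / $new /g" -e "s/ $old-/ $new-/g" "$tmp" > "$tmp.2" \
            && mv "$tmp.2" "$tmp"
    fi
    # Write back through cat so the file keeps its original owner and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}
```

The mirror stays plain HTTP, which is fine because apt verifies the signed Release file from old-releases with the same archive key; what matters is that the backup exists before the file apt trusts is touched. Swapping the codename by hand is the crude form of what do-release-upgrade does later in the post.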
I have executed “sudo apt update && sudo apt upgrade -y” so many times, I want a shell script named up.sh. I made a directory ~/bin and put this command string in ~/bin/up.sh with shebang (#!/bin/bash) on the first line and made it executable. Now I added ~/bin to my path with “export PATH=$PATH:$HOME/bin”. One more lazy step: I removed the .sh from up.sh. Everything in the ~/bin directory is a shell script anyway. Now up works!
While I’m on a lazy streak, I want to use PuTTY without entering my password. I will use SSH key-based authentication with this tutorial. It uses a private key on the client and a public key on the server. In keeping with good practices the private key should be generated on the client and not moved around.
To view the ssh log use this:
journalctl -u ssh
Add this line to /etc/ssh/sshd_config only if the PuTTY in use still signs with the SHA-1 based ssh-rsa algorithm, which OpenSSH 8.8 and later disable by default; a current PuTTY (0.75 or newer signs with rsa-sha2-256) or an Ed25519 key does not need it:
PubkeyAcceptedAlgorithms +ssh-rsa
Use PuTTYgen to create private and public keys and protect the private key. Copy and paste to append the public key to .ssh/authorized_keys.
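An added example (not from the post or from PuTTY) of the paste step done carefully: it appends the one-line key shown in the PuTTYgen window to authorized_keys, refuses the RFC 4716 file that PuTTYgen's "Save public key" writes, avoids duplicates, and sets the permissions sshd requires. The helper name install_authorized_key is made up here.

```sh
#!/bin/sh
# Added example (not from the post): append the one-line OpenSSH public key that
# PuTTYgen shows in its window to authorized_keys, idempotently and with the
# permissions sshd insists on. "install_authorized_key" is a made-up helper name.
# Usage: install_authorized_key 'ssh-ed25519 AAAA... comment' [~/.ssh]
install_authorized_key() {
    key="$1"
    dir="${2:-$HOME/.ssh}"
    # PuTTYgen's "Save public key" file is RFC 4716 ("---- BEGIN SSH2 PUBLIC KEY ----")
    # and sshd ignores it in authorized_keys; only the one-line form is accepted.
    printf '%s\n' "$key" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*' \
        || { echo "not a one-line OpenSSH public key" >&2; return 1; }
    # sshd (StrictModes) refuses keys if the directory or file is group/world writable.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    # Match on the key blob so a re-paste with a different comment is not duplicated.
    blob="$(printf '%s\n' "$key" | awk '{print $2}')"
    if grep -Fq -- "$blob" "$dir/authorized_keys"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$dir/authorized_keys"
}
```

If a key is rejected after this, journalctl -u ssh (from above) is where sshd reports a bad mode on ~/.ssh or an unparsable line.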
Expand LVM Disk on Proxmox
I ran out of space so I’m going to expand the Proxmox VM:
1. add increment by clicking device and then resize using ProxMox GUI
2. lsblk shows the device with ubuntu (sda3)
3. cfdisk should show free space, df -h shows sizes
4. cfdisk select device (/dev/sda3) then resize using all freespace (default) then write
5. vgdisplay shows space not added yet
6. pvresize /dev/sda3
7. lvdisplay to get lv path
8. lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv
9. lvdisplay to see new size
10. df -h shows old size
11. resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv (from df -h)
12. df -h shows new size
Note: If not using LVM, simply resize with GUI then resize2fs.
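As an added example (not from the post), steps 6, 8 and 11 above wrapped in a function with the checks that stop a typo from resizing the wrong volume, plus a helper that derives the /dev/mapper name step 11 uses. The VG/LV names ubuntu-vg/ubuntu-lv come from the post; the function names are made up, and step 4 (cfdisk) stays interactive.

```sh
#!/bin/sh
# Added example (not from the post): the LVM steps above wrapped in a function
# with the checks that keep a typo from resizing the wrong volume, plus a helper
# that derives the /dev/mapper name used in step 11. Function names are made up.
# Step 4 (growing the partition with cfdisk) must already have been done.

# Device-mapper escapes every "-" in a VG or LV name as "--" and joins the two
# with a single "-", which is why ubuntu-vg/ubuntu-lv shows up in df -h as
# /dev/mapper/ubuntu--vg-ubuntu--lv.
lv_mapper_path() {
    vg="$(printf '%s' "$1" | sed 's/-/--/g')"
    lv="$(printf '%s' "$2" | sed 's/-/--/g')"
    printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# Usage: grow_lv_into_free_space /dev/sda3 ubuntu-vg ubuntu-lv
grow_lv_into_free_space() {
    pv="$1"; vg="$2"; lv="$3"
    # Refuse anything that is not a physical volume belonging to the named VG.
    [ "$(pvs --noheadings -o vg_name "$pv" 2>/dev/null | tr -d ' ')" = "$vg" ] \
        || { echo "$pv is not a PV in $vg" >&2; return 1; }
    lvs "$vg/$lv" >/dev/null 2>&1 || { echo "no LV $vg/$lv" >&2; return 1; }
    pvresize "$pv" || return 1                         # step 6
    lvextend -l +100%FREE "/dev/$vg/$lv" || return 1   # step 8
    # step 11: resize2fs is for ext4; an XFS root would use xfs_growfs instead
    resize2fs "$(lv_mapper_path "$vg" "$lv")"
}
```

lvextend also accepts -r to grow the filesystem in the same call, which folds step 11 into step 8; the separate resize2fs is kept here to match the list above.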
This time, ‘do-release-upgrade’ worked to upgrade from Ubuntu 22.10 to 23.04. Another ‘do-release-upgrade’ upgraded to Ubuntu 23.10 which is the current release.
Why not go all the way? It’s time to upgrade Proxmox from release 7 to release 8. This is the official upgrade document. I missed two changes
Well, scratch ddclient. T-Mobile Home Internet uses Carrier-Grade NAT (CGNAT). It allows carriers to share an IP (IPv4) address among several users. I found that my public IP address changed every few minutes between ones in Oklahoma City and Houston. LocalXpose is a reverse proxy and appears to be the best solution. It’s free for 15-minute sessions, HTTP and HTTPS only. For $6/month, the plan removes time limits and adds UDP and TCP.
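An added example (not from the post) of the check that would have settled the ddclient question up front: give it the WAN address the gateway's status page reports and the address an outside "what is my IP" service sees, and it says whether inbound port forwarding can ever reach you. 100.64.0.0/10 is the RFC 6598 shared address space that carriers use for CGNAT; the function names and the sample addresses in the usage line are made up.

```sh
#!/bin/sh
# Added example (not from the post): decide from two addresses whether inbound
# port forwarding can ever reach you. $1 is the WAN address the gateway reports,
# $2 is the address an outside service sees you as. Function names are made up.
# Usage: classify_wan 100.72.3.4 203.0.113.9

# Split a dotted quad into positional parameters; returns 1 if it is not one.
octets() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Is $1 inside RFC 6598 shared address space 100.64.0.0/10 (the CGNAT range)?
is_cgnat_addr() {
    set -- $(octets "$1") || return 1
    [ $# -eq 4 ] || return 1
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Is $1 an RFC 1918 private address (10/8, 172.16/12, 192.168/16)?
is_private_addr() {
    set -- $(octets "$1") || return 1
    [ $# -eq 4 ] || return 1
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ]
}

classify_wan() {
    wan="$1"; seen="$2"
    if is_cgnat_addr "$wan"; then
        echo cgnat            # carrier NAT: neither port forwarding nor DDNS can help
    elif is_private_addr "$wan"; then
        echo private-wan      # behind another router (the Asus sees 192.168.12.x from the T-Mobile box)
    elif [ "$wan" = "$seen" ]; then
        echo direct           # a real public address; DDNS plus port forwarding works
    else
        echo nat              # public-looking but translated upstream; treat like cgnat
    fi
}
```

Run it with the address from the T-Mobile gateway's own status page, not the Asus WAN address: the Asus only ever sees 192.168.12.x, which tells you nothing about what is upstream of the T-Mobile box.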
LocalXpose
I’ll install LocalXpose in a new ProxMox VM (using Ubuntu 2304 LTS!). I’ll try this tutorial for the installation. I think that Chrome Remote Desktop will satisfy my need to control my local network since it uses https (port 443).
Now I have a new VM named localxpose. I used ‘snap install localxpose’ to install it. I downloaded the Linux version from Windows and transferred it to the localxpose Ubuntu VM with
OpenVPN Access Server on AWS
I am trying to install OpenVPN (/WireGuard?) on a free tier AWS server with an Amazon Marketplace free server. It appears to allow 750 hours/month. In theory I can set up a tunnel from my home network to the VPN server which will have a static IP address. I can establish a tunnel to the VPN server and thus have remote access to my home network. Sounds good!
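An added example, not part of the post and not OpenVPN Access Server's or AWS's own configuration: the hub-and-spoke WireGuard layout the paragraph sketches, with the cloud instance as the relay that owns the static address, the home VM dialing out to it (so CGNAT never matters), and a laptop reaching the home LAN through the relay. Keys, the relay address and <LAN_IFACE> are placeholders; 192.168.1.0/24 is the post's Asus network.

```ini
# --- relay (AWS instance with the static IP): /etc/wireguard/wg0.conf ---
# Placeholder keys and addresses. Generate keys with `wg genkey` on each host and
# only ever copy the *public* halves between machines.
[Interface]
Address = 10.8.0.1/24
# UDP 51820 is the only inbound rule the AWS security group needs.
ListenPort = 51820
PrivateKey = <RELAY_PRIVATE_KEY>
# The relay forwards laptop traffic on to the home peer.
PostUp = sysctl -w net.ipv4.ip_forward=1

# The home VM behind CGNAT. AllowedIPs is both the route and the access list:
# the relay sends 192.168.1.0/24 to this peer and accepts nothing else from it.
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

# A laptop on the road: only its own tunnel address is accepted from it.
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# --- home VM (no port forwarding possible): /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# Forward tunnel traffic onto the LAN and masquerade it so LAN hosts answer via
# this VM without needing a route back to 10.8.0.0/24.
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -o <LAN_IFACE> -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o <LAN_IFACE> -j MASQUERADE

[Peer]
PublicKey = <RELAY_PUBLIC_KEY>
Endpoint = <RELAY_STATIC_IP>:51820
# Tunnel addresses only: this is not a default route for the VM.
AllowedIPs = 10.8.0.0/24
# The home side only ever sends outbound; the keepalive refreshes the carrier's
# NAT mapping so the relay can still deliver packets to it.
PersistentKeepalive = 25

# --- laptop: wg0.conf ---
[Interface]
Address = 10.8.0.3/24
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
PublicKey = <RELAY_PUBLIC_KEY>
Endpoint = <RELAY_STATIC_IP>:51820
# Reach the home LAN through the relay; everything else stays off the tunnel.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
```

Nothing on the home side is exposed: the T-Mobile and Asus routers see only an outbound UDP flow, the relay's security group admits one UDP port, and each peer's AllowedIPs limits what the relay will route on its behalf. The same shape works with OpenVPN, but WireGuard's keepalive setting is the whole CGNAT trick, so it is shown here.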
One solution involves connecting to a pfSense router, I assume with a VPN client installed. I wonder if a local copy of an OpenVPN/WireGuard server would work.