IKEv{1,2} + IPsec (tunnel mode) is recommended. strongSwan is probably the best free, open source IPsec solution out there (much better than libreswan...), very good documentation and examples etc, actively developed and maintained by a bunch of passionate guys that know the stuff.
Our company (pre-IPO startup) has been using strongSwan for 2+ years as a site-to-site solution from on-premises data centres to AWS VPC, proved to be rock solid as long as it's properly configured ;-) The only drawback is that strongSwan currently does not have a mature HA solution but it's shaping up (5.4.0 introduced IKEv2 redirect). Hopefully a proper HA solution will be built on top of that and later productized ;-)
BTW: I myself have been using strongSwan since 5.0.x for remote access, to protect privacy, fight censorship (yes, originally from China mainland where GFW is in place, etc...). The native strongSwan client for Android is a killer ;-)
Probably a silly question but what will I do with this?
I have a personal DO OpenVPN proxy setup because my country (Pakistan) censors internet, which I made following the DO guide [1]. I set it up a while ago, and it was mostly copying commands.
Will this allow me to use Tunnelblink and use my VPN as a proxy? Will it let me connect my machines to each other a VPN? What's the motivation for a setup like this.
Only traffic destined for the subnet in the encryption domain goes through the VPN connection (you can check the IP routing table and identify that - the interface should be tun0 or equivalent).
In the case of the OpenVPN remote access use case, you may have to route all traffic through the VPN connection (Tunnelblick has an option for you to tick, or you'll have to generate a new client config file); you also need proper NAT rules in place on the OpenVPN server.
To achieve what you want, blocked sites over VPN and unblocked via your ISP, extra effort may be needed, e.g. by poking around routing table and/or using dnsmasq.
The OpenVPN container is amazing. Definitely worth a look. If you commands and you'll get service plus an auto-login profile that is about as easy to use as possible.
It doesn't need to be CoreOS, it can be any docker host.
My experience with OpenVPN is abysmal. It is slow, tunnels tcp-over-tcp the wrong way[0], tunnels udp-over-tcp the wrong way, and the connections were quite fragile.
Does anyone have alternatives to recommend? SoftEther looks like the bee's knees from the website, but I haven't found trustworthy reviews from real users.
I made a project like this as well, but with Ansible. I submitted a separate post for that but won't link it here out of courtesy. https://github.com/robbintt/popup-openvpn
Does anyone know about a good user-friendly OpenVPN client for Windows? The official one requires a lot of fiddling with administrator permissions to work, which most non-tech people have no chance to do successfully.
I run a pfsense router for fun at my house and it has a really nice UI/wizard for OpenVPN. Even got it hooked up with AD login + certificates without much trouble.
Having a GUI can make playing with it really fun and easy. I spent yesterday toggling through all the different encryption methods to see how they affected mobile performance (turns out: it affects it a LOT. Don't encrypt stronger than necessary!)
I've been using pivpn[0] for about a year now (first on a raspi, and now on ubuntu 16.04 server). Wraps all the basic commands like client cert gen and revocation. Many sensible defaults.
By only looking at the source (haven't installed it) I'm guessing this leaks IPv6 addresses and probably shouldn't be used. This is the second OpenVPN install script to match that description today.
In the past, I've had a habit of passing "ipv6.disable=1" (a.k.a. the "nuclear option") to the kernel on hosts I manage. I'm trying to get away from that, though, and lately, I've simply been dropping "everything IPv6" in my rulesets to avoid things like this.
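The split-tunnel behaviour described a few replies up (only the encryption domain is routed via tun0, everything else still leaves via the ISP) and the IPv6 leak concern raised in this subthread can both be checked the same way: look up each destination against the host's routing table and see which interface it exits on. The following is an added example, not code from any poster or from any of the projects mentioned; the `ip route` / `ip -6 route` tables embedded below are constructed samples, and the destination addresses and the `tun0` device name are assumptions.

```python
"""Offline check of which destinations a routing table sends through a VPN tunnel.

Feed it the text of `ip route` and `ip -6 route`; it performs the kernel's
longest-prefix match and reports whether each destination exits on the tunnel.
"""
import ipaddress

# Constructed sample of `ip route` from a split-tunnel client: only 203.0.113.0/24
# (the encryption domain) is routed via tun0, the default route stays on eth0.
SAMPLE_V4 = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.0/24 via 10.8.0.1 dev tun0
"""

# Constructed sample of `ip -6 route`: no IPv6 route points at tun0 at all, so
# every IPv6 destination bypasses the tunnel (the leak the thread talks about).
SAMPLE_V6 = """\
::1 dev lo proto kernel metric 256
2001:db8:1::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 1024
"""


def parse_routes(text, version):
    """Turn `ip route` text into (network, device, metric) tuples for one address family."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
        else:
            try:
                net = ipaddress.ip_network(tokens[0], strict=False)
            except ValueError:
                continue  # "unreachable", "blackhole", ... carry no destination prefix
        if net.version != version or "dev" not in tokens:
            continue
        dev = tokens[tokens.index("dev") + 1]
        metric = int(tokens[tokens.index("metric") + 1]) if "metric" in tokens else 0
        routes.append((net, dev, metric))
    return routes


def egress_device(dest, routes):
    """Longest-prefix match, lowest metric on ties; None when no route covers dest."""
    addr = ipaddress.ip_address(dest)
    candidates = [(net.prefixlen, -metric, dev) for net, dev, metric in routes if addr in net]
    if not candidates:
        return None
    return max(candidates)[2]


def tunnel_report(dests, v4_text=SAMPLE_V4, v6_text=SAMPLE_V6, tun="tun0"):
    """Map each destination to (egress device, True if that device is the tunnel)."""
    tables = {4: parse_routes(v4_text, 4), 6: parse_routes(v6_text, 6)}
    report = {}
    for dest in dests:
        addr = ipaddress.ip_address(dest)
        dev = egress_device(dest, tables[addr.version])
        report[dest] = (dev, dev == tun)
    return report


def leaks(dests, **kw):
    """Destinations that have a route but leave on something other than the tunnel."""
    return sorted(d for d, (dev, tunneled) in tunnel_report(dests, **kw).items()
                  if dev and not tunneled)


if __name__ == "__main__":
    # Assumed destinations: one inside the encryption domain, one public IPv4, one public IPv6.
    for dest, (dev, tunneled) in tunnel_report(["203.0.113.7", "8.8.8.8", "2001:db8:ffff::1"]).items():
        print(f"{dest:>20} -> {dev or 'no route'} {'(tunnel)' if tunneled else '(BYPASSES tunnel)'}")
```

On a real host, replace the sample strings with the output of `ip route` and `ip -6 route`; a "full tunnel" configuration should show the tunnel device winning for every public destination in both families, and a populated IPv6 table with no tun route is exactly the leak pattern described above.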
However, for EC2 Linux instances you'll need to enable IP forwarding by disabling Source/Destination Check for the instance in addition to setting net.ipv4.ip_forward=1 for the VM.
Also EC2 uses layered security, so you may have OS level packet filter, then NACLs (if used - stateless), finally Security Groups (stateful).
SSH Tunnel - Dynamic (port) Forwarding works, it can even be shared by IPs within the same network (ssh -g on clients / GatewayPorts yes on sshd) but it requires per application configuration (set as SOCKS5 proxy, Firefox requires extra configuration to use remote host to do dns lookups by setting -> network.proxy.socks_remote_dns yes).
In countries like China (and more) where massive state-sponsored Internet censorship is in place, the unusual SSH traffic pattern can be easily detected and the IPs of the SSH server blocked in less than an hour. That's why IPsec (strongSwan) and OpenVPN start to become popular among Chinese netizens and skills have been developed (networking, security etc...) LoL
HTH