SoHo VPN providers and rDNS, etc -- recommendations?

Fri May 12 16:52:29 PDT 2023

> On May 12, 2023, at 12:25 PM, Mark Thurston <mark at mdvthu.com> wrote:
> 
>> I've got a simple question.  I'm in the US, and I'm looking for a VPN provider that uses IPsec and can provide an rDNS record for my public IPv4 pointing back to my domain.  I've asked several VPN providers and they don't seem to understand what I'm asking (NordVPN, ProtonVPN, NordLayer, etc).  Maybe I'm just asking wrong.
>> 
>> How do you make SPF, DKIM, and X.509 TLS certificates with DNS: SNI's work without this?
>> 
>> The other thing that would be handy is if they also provided DNS hosting for customer domains (so I could drop GoDaddy which I'm sick of).
>> 
>> You'd think they'd offer both for one-stop-shopping but I can't seem to locate any.  Does anyone use Amazon for this for a single or a couple of IPv4's?  What's been your experience?
>> 
>> Any others that people are happy with?
>> 
> 
> I'm not sure a VPN service aimed at the average punter will provide this.
> 
> I would suggest an entry-level VM on a cloud-provider (Linode's "nanode" $5pm, for example). Then you can then choose your DNS nameserver allowing you to configure your DNS yourself including all the extras that you need.

I think you misunderstand what I'm saying: I don't want to host DNS, I want the provider to do that.  I would edit my zonefiles
locally and upload them via "nsupdate" (with authentication, of course) to the primary.

I'd also need them to be the registrar for my domain.

> Re VPNs, if you have the option and need speed, I would go with WireGuard rather than IPSec. From a purely trying-to-keep-it-on-topic point of view, the improved resource use of WireGuard will allow you to use a low-powered embedded OpenWrt device at the other end of the VPN.

I need it to be IPsec, and I'm one of the StrongSwan maintainers, so I have to dogfood.

> The linuxserver.io wireguard Docker image (https://docs.linuxserver.io/images/docker-wireguard) is excellent for fast deployment of wireguard on off the shelf VMs.

I don't need a dedicated server... I'm limited to less than 400mb/s so sharing a server is fine, as long as I get a dedicated address for my tunnel.