[plug] clients "phone home" to server. VPN maybe?

Daniel Foote freefoote at gmail.com
Sat May 2 12:53:50 WST 2009


Hello.

> So from some basic reading, I THINK a VPN will do what I need.
> Essentially I need a virtual network that each machine calls into, and
> is assigned a virtual ip address on (probably static so I can identify
> each machine) the virtual network, but be able to access the virtual
> network from my server. The server is also behind a NAT, but can port
> forward from the public ip address easily.
>
> So in a basic form
> Server's Public IP Address --> Private IP address, i.e. 192.168.0.1
> Virtual Private network on Server, 10.10.10.0/24, with server virtual
> ip of 10.10.10.1
> Each client "phones" in from some random ip in the world, probably
> natted, to the server's public ip which is translated to its private
> ip 192.168.0.1, and is connected to the virtual network 10.10.10.0/24
> and assigned an ip (i.e. like DHCP).
> From the server, I can access each client, and all services running on
> the client, with its virtual ip, e.g. 10.10.10.2 and 10.10.10.3 and
> 10.10.10.4
>
> Can someone inform me if a VPN will do what I want, or if there is
> another solution? All machines are running Linux, and I have full
> control of the software going on the client machines (as it's a custom
> distribution I'm building, based on Ubuntu 8.10)

From what I can gather, I think OpenVPN will do exactly what you need.
I run an OpenVPN server for home and also I set one up for work - it's
great because it 'just works'.

OpenVPN uses a UDP or TCP connection (the latter is probably what you
want) and creates a tunnel from the client to the server, and routes
traffic over that tunnel. The OpenVPN server can handle many clients
at once, and assigns each client an IP address from a private range
you specify (kinda like DHCP but it's internal to OpenVPN). By default,
clients are separate and can't route between each other - but there
are a lot of advanced routing things you can do with OpenVPN (like
routing subnets behind clients - I've used this to bridge networks
before).

OpenVPN also uses OpenSSL for the transport, which means you use
ordinary SSL certificates to verify clients. Once you set up your own
CA (Certificate Authority) you create certs that each client has, and
they have to present that to connect, so it's passwordless, but still
secure. (OpenVPN ships with a set of scripts called 'easy-rsa' that
make setting up the CA and new clients trivial).

In your case, you'd have a central server with a DNS name, and each
remote server, you install the openvpn server, configure it, and give
each remote server its own SSL certificate. By default, OpenVPN on
the client will start on boot and if it can't connect, it will retry
every 60 seconds until it can connect.

In the case of Ubuntu, the server and client is an apt-get away, then
copy the sample config and set it up. I'm happy to give you more
details if you'd like about my setups.

I hope this helps!

Daniel Foote.
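As an added illustration (not part of Daniel's reply or of OpenVPN's sample files), here is a minimal server/client configuration pair matching the layout discussed in the thread: a 10.10.10.0/24 VPN with the server at 10.10.10.1, a fixed address per client via client-config-dir keyed on the certificate common name, client isolation left at its default, and a commented-out route for a LAN behind one client. The hostname vpn.example.com, the certificate file names, the common name "client2" and the 192.168.50.0/24 subnet are placeholders, and remote-cert-tls assumes the certificates were issued with the usual client/server key-usage extensions (as easy-rsa does).

```conf
# --- server.conf (server is behind NAT: forward UDP 1194 to 192.168.0.1) ---
# UDP is OpenVPN's default; use "proto tcp" if the TCP transport mentioned above suits your NAT better
port 1194
proto udp
dev tun
# One flat /24: the server is 10.10.10.1, clients are handed the rest
topology subnet
server 10.10.10.0 255.255.255.0
# CA, server certificate and DH parameters produced with easy-rsa (placeholder file names)
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Shared HMAC key: packets without a valid signature are dropped before the TLS handshake
tls-auth ta.key 0
# Only accept peers whose certificate was issued as a client certificate
remote-cert-tls client
# Detect dead tunnels; clients arrive from changing NATed addresses
keepalive 10 120
# Per-client overrides live in ccd/, looked up by the certificate common name
client-config-dir ccd
# Left commented on purpose: clients stay isolated and only the server can reach them
;client-to-client
user nobody
group nogroup
persist-key
persist-tun

# --- ccd/client2 (file named after the client certificate's common name) ---
# Fixed address so the server can always identify this machine as 10.10.10.2
ifconfig-push 10.10.10.2 255.255.255.0
# For a LAN behind this client, uncomment and add "route 192.168.50.0 255.255.255.0" to server.conf
;iroute 192.168.50.0 255.255.255.0

# --- client.conf (on each remote machine; started at boot, keeps retrying until it connects) ---
client
dev tun
proto udp
# Placeholder DNS name of the central server; resolv-retry keeps trying if no network yet
remote vpn.example.com 1194
resolv-retry infinite
nobind
ca ca.crt
# This client's own certificate and key (common name "client2")
cert client2.crt
key client2.key
tls-auth ta.key 1
# Refuse to connect to anything whose certificate was not issued as a server certificate
remote-cert-tls server
```

Each client's certificate must be issued by the same CA named in ca.crt, and the ccd/ file name must match the common name exactly or the fixed address is not applied.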
