[plug] clients "phone home" to server. VPN maybe?

Daniel Pittman daniel at rimspace.net
Sat May 2 13:47:46 WST 2009


Tim <weirdit at gmail.com> writes:

> I currently administer a server in South Africa, that "phones home"
> using autossh and (ssh)port forwarding (due to it being behind a NAT
> at the ISP so port forwarding a public ip address isn't possible).

That can't be fun.

[...]

> So from some basic reading, I THINK a VPN will do what I need.

As Daniel said, absolutely.  OpenVPN will happily, and securely, let you
connect either routed IP or bridged Ethernet between those servers and
your home.

You can also configure it to either permit, or refuse, client to client
communication through the VPN, so you can ensure isolation between those
hosts.

> Essentially I need a virtual network that each machine calls into, and
> is assigned a virtual ip address on (probably static so I can identify
> each machine) the virtual network, but be able to access the virtual
> network from my server. The server is also behind a NAT, but can port
> forward from the public ip address easily.

As long as you can forward a single UDP port, and have an easily
identified (ideally static) address for the server, all is well.

[...]

> Can someone inform me if a VPN will do what I want, or if there is
> another solution?

There are always other solutions, but OpenVPN will easily do what you
want.  An IPsec VPN should also work, but would be more trouble and less
compatible, so I wouldn't advise it.

The architecture of OpenVPN, by the way, is:

  client ----+
             |
  client ----+-- openvpn -- your server
             |
  client ----+

Think of "openvpn" in that picture as a normal switch and you have the
right idea: your server has a link to the switch, and so do the clients,
so you can communicate between each other.

You then layer IP routing, bridging, or some other technique to link
the clients and networks on the other side of the server ... or not, if
you just want to be able to talk to them from the one machine. :)

[...]

> p.s. I am in the process of reading up on VPNs, but there seems to be
> lots of different kinds of VPN, so I'm a little confused and lost.

*nod*  OpenVPN is blessedly simple and is reasonably secure.  It hasn't
had a formal cryptographic review, but it has had a number of informal
reviews by experts who are, generally, happy with the design.

IPSec is hard, annoying, designed by committee, but basically secure.
It is vastly less NAT-friendly though.

Any other OSS VPN solution is ... not worth the time.  Just don't do
it.  Most of them are insecure, often through fundamental design or
implementation flaws, and sorting the wheat from the chaff is hard.


Finally, if you plan to run IP over it make *sure* your VPN is using a
lossy transport.  TCP-in-TCP is a universe of pain, and so is
PPP-in-TCP.  Just don't go there.[1]

SSH port forwarding, which just shifts the data around, is OK, of
course, but painfully limited as you note.


Finally, if you are not sure come and ask.  Better to ask too many
questions than too few when dealing with a security critical bit of
infrastructure like this.

Regards,
        Daniel

Footnotes: 
[1]  The technical details are messy, but the summary is "as soon as
     anything goes wrong the whole thing falls into an ugly heap."
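The setup the reply describes (single forwarded UDP port, static per-client addresses, client-to-client traffic refused, routed IP over tun) as an added example. These configuration files are not from the original post or from the OpenVPN project; the hostname vpn.example.com, the 10.8.0.0/24 address range, the certificate common name "za-server", and the /etc/openvpn paths are assumptions.

```conf
# /etc/openvpn/server.conf on the home server (added example, not from the post)
port 1194
# UDP, not TCP: a lossy transport avoids the TCP-in-TCP collapse the post warns about
proto udp
# routed IP; use "dev tap" plus a kernel bridge if bridged Ethernet is wanted instead
dev tun
# hand each client an address from one /24 rather than a /30 per client
topology subnet

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# HMAC-protect the control channel so unauthenticated packets are dropped before TLS
tls-auth /etc/openvpn/ta.key 0
# accept only certificates issued for client use, not another copy of the server cert
remote-cert-tls client

server 10.8.0.0 255.255.255.0
# per-client overrides, looked up by certificate common name (assumed directory)
client-config-dir /etc/openvpn/ccd
# refuse any client that has no entry in that directory
ccd-exclusive
# ping every 10 s, restart after 120 s of silence; keeps the clients' NAT mappings alive
keepalive 10 120
# deliberately left commented out: clients reach the server only, never each other
;client-to-client

user nobody
group nogroup
persist-key
persist-tun

# /etc/openvpn/ccd/za-server (static address for the client whose cert CN is "za-server")
ifconfig-push 10.8.0.11 255.255.255.0

# /etc/openvpn/client.conf on the South African host (assumed names and paths)
client
dev tun
proto udp
remote vpn.example.com 1194
# the client initiates; nothing needs forwarding at its NAT and no local port is bound
nobind
resolv-retry infinite
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/za-server.crt
key  /etc/openvpn/za-server.key
tls-auth /etc/openvpn/ta.key 1
# refuse to talk to anything not holding a server certificate
remote-cert-tls server
```

Each file is run with `openvpn --config <file>`. Uncommenting `client-to-client` is the one change needed if the hosts should see each other. Note that with it off OpenVPN still hands inter-client packets to the server's kernel, so isolation only holds if that kernel does not forward them back into the tunnel: leave IP forwarding off, or add a FORWARD rule that drops traffic from 10.8.0.0/24 destined for 10.8.0.0/24.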
