[plug] clients "phone home" to server. VPN maybe?

Daniel Pittman daniel at rimspace.net
Sun May 3 08:55:57 WST 2009


Tim <weirdit at gmail.com> writes:

>>> Now the simplest thing I can think of, is include a default
>>> certificate/key for the client machines on there, and once they are
>>> connected and identified to the VPN, then ssh them a client specific
>>> certificate/key.
>>
>> That, also, would work.  A "bootstrap" VPN connection would be fine,
>> provided you didn't keep using it.
>>
>> I would probably deploy it as a separate "shared key" OpenVPN service
>> with much, much tighter security wrapped around it, however.
>
> What do you mean by "shared key" OpenVPN?? Is there another mode of
> running it?

*nod*  You can use a pre-shared secret key rather than a PKI system.

Don't do it for production, but for bootstrapping it could be sufficient
to get it moving forward.

> I'm currently running my server with the option to allow duplicate
> keys, so will see how that goes. Will most likely have the clients use
> the shipped key, and then ssh the client specific key at a later date
> to them.

As mentioned, I would establish the bootstrap connection to another VPN
service that could be limited to *only* allow you to ssh in and deliver
the specific key, then activate the "production" VPN service.

> <snip>
>
>>> So, do I attempt UDP with TCP fallback? Or just use TCP?
>>
>> The first, if you want to be robust for an unattended remote system.
>
> Any ideas on setting up fallback? I know I can run the server with
> both on the same port. What about the clients? How can I make that
> fallback nicely?

Off the top of my head, no.  I always just deployed UDP which worked
fine, sorry.

Regards,
        Daniel
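The two pieces Daniel describes, a locked-down static-key bootstrap service and a per-client PKI profile that tries UDP before falling back to TCP, as an added OpenVPN configuration example that is not part of the original thread. The hostname vpn.example.org, ports 1194/1195/443, the 10.8.1.0/30 addresses and all file paths are assumptions; the `<connection>` profile syntax needs OpenVPN 2.1 or newer. Two caveats a practitioner should know: a `--secret` instance is point-to-point, so it serves one peer at a time and provisioning is serial, and one OpenVPN process speaks one protocol, so the TCP fallback on the client needs a second server instance running `proto tcp-server`.

```conf
# --- /etc/openvpn/bootstrap.conf (server side, shared static key) ---
# Static-key mode: no PKI, exactly one peer at a time, one /30 and nothing else.
# Every client image ships the same bootstrap.key, so anyone with the image can
# reach this tunnel: firewall tun1 so only the provisioning host's ssh to
# 10.8.1.2 passes, and nothing is forwarded beyond the server.
dev tun1
proto udp
port 1195
# generated once with: openvpn --genkey --secret /etc/openvpn/bootstrap.key
secret /etc/openvpn/bootstrap.key
ifconfig 10.8.1.1 10.8.1.2
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
# deliberately no "server", "push" or "route" lines here

# --- bootstrap-client.conf (on the shipped image, alongside bootstrap.key) ---
dev tun
proto udp
remote vpn.example.org 1195
resolv-retry infinite
nobind
secret /etc/openvpn/bootstrap.key
ifconfig 10.8.1.2 10.8.1.1
keepalive 10 60
persist-key
persist-tun

# --- client.conf (per-client PKI profile delivered over ssh afterwards) ---
client
dev tun
nobind
persist-key
persist-tun
resolv-retry infinite
connect-retry 5
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client-0001.crt
key /etc/openvpn/client-0001.key
# refuse a peer that presents a client certificate as the server
remote-cert-tls server
# profiles are tried in order and cycled forever; UDP first, then TCP
<connection>
remote vpn.example.org 1194 udp
</connection>
<connection>
remote vpn.example.org 443 tcp-client
</connection>
```

Once the per-client profile is in place over the bootstrap ssh session, remove bootstrap.key from the client and start the production service; the shared key should never outlive provisioning on a deployed machine.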
