VPN deployment on software appliances


I’m working on a software appliance based on a Linux platform. I want to have a secure way of reaching every installed appliance over the Internet for remote debugging and support.
In order to traverse NAT and to be able to simply connect to the appliance, I was thinking about OpenVPN as a solution.
The problem is that I can’t ship a single certificate with the appliance image and have everyone connect with it, since OpenVPN will not allow more than one session per certificate.

Another issue is isolation between the VPN clients, so that one client won’t be able to connect to another. How can that be achieved?
Thanks

Solution:

You can generate the OpenVPN client certs on building the image if the server is configured with `--duplicate-cn`. Then you have networking to the appliances and can get a new certificate signed with a real CA or whatever you want to do… it’s probably not a great idea to keep running with a defaulted certificate on every appliance.

The Miredo idea is orthogonal… that may very likely help you get connected in the first place, since Miredo can get through many NATs that OpenVPN can’t.

Are you certain you really want the appliance to open up for you unconditionally? Shouldn’t that be some easily accessible function during first boot? When the user/customer wants to have the support channel, the certificate could be emailed, encrypted with your public key (so only your secret key can decrypt it and save it to the VPN server).

At your end it should be easy to match these emails and process them automatically.

Try Miredo to give every appliance a globally routable IPv6 number. Add a dynamic DNS, or your own registration database, and you’re good to go.

But on second thought, it might be easier to just generate the client certificates for OpenVPN on first run.
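As an added example (not code from the original thread), here is a first-boot script that gives each appliance its own OpenVPN key and CSR with a unique CN, so no shared certificate ships in the image, plus the matching server config: with per-client certs `duplicate-cn` is not needed, and leaving out `client-to-client` keeps appliances from reaching each other over the tunnel. The support VPN hostname, file paths and the CSR-signing workflow are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: first-boot provisioning that gives each
# appliance its own OpenVPN key and CSR (unique CN) instead of one shared
# certificate. Paths and the support VPN hostname are assumed for illustration.
set -eu
# Per-appliance identifier: /etc/machine-id if present, else random bytes.
appliance_id() {
    if [ -r /etc/machine-id ]; then cut -c1-16 /etc/machine-id
    else od -An -N8 -tx1 /dev/urandom | tr -d ' \n'; fi
}
# Generate key + CSR once; a marker file makes later boots a no-op.
# Usage: provision_vpn_identity <state_dir>
provision_vpn_identity() {
    dir="$1"; mkdir -p "$dir"
    if [ -e "$dir/.provisioned" ]; then return 0; fi
    cn="appliance-$(appliance_id)"
    umask 077   # private key must not be readable by other users
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=$cn" 2>/dev/null
    # Client config; client.crt is dropped in once the support CA signs the CSR.
    cat > "$dir/client.conf" <<EOF
client
dev tun
proto udp
remote support-vpn.example.net 1194
ca $dir/support-ca.crt
cert $dir/client.crt
key $dir/client.key
remote-cert-tls server
EOF
    touch "$dir/.provisioned"
}
# CN carried in the CSR (what the support CA signs and what the server logs).
csr_cn() {
    openssl req -in "$1/client.csr" -noout -subject | sed 's/.*CN *= *//'
}
# Server side for per-client certs: no duplicate-cn needed, and leaving out
# client-to-client keeps appliances from reaching each other over the tunnel
# (add "iptables -A FORWARD -i tun0 -o tun0 -j DROP" if IP forwarding is on).
write_server_conf() {
    cat > "$1" <<EOF
port 1194
dev tun
server 10.8.0.0 255.255.255.0
remote-cert-tls client
EOF
}
```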
