Mother ship

Sometimes it becomes difficult to access remote servers that are sitting in obscure closets behind a layer or two of NAT. No telling what the IP lay-of-the-land will be like. We have a similar situation with our deployments. The schools have an XS school server, but these are typically hanging off a DSL modem, behind a NAT with a typical address range of 192.168.1.0/24. Yet, we'd like to be able to get to the school server every once in a while, run some maintenance scripts, and gather some data for analysis. What we need is a tunnel that keeps looking for a way out to a known IP address - a mother ship, if you will - and sets up a secure way for the school server to be reached.

I've been looking into OpenVPN for such a solution for some time now. It is an SSL-based VPN system. It relies on the OpenSSL package for all its crypto, and uses either certificates or pre-shared secrets to authenticate and encrypt tunnels between two or more machines. In point-to-point mode it simply sets up a tunnel between the two machines. You can, however, also use it in server mode to run a hub-like server and hang a bunch of tunnels off of it, each ending at a different client. The Linux binary for OpenVPN is the same for both client and server; what varies is the configuration. apt-get install openvpn or yum install openvpn usually does it.
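A minimal hub-and-spoke pair of configurations for the setup described above, written here as an added example rather than the author's own files; the hostname, file paths and certificate names are assumptions. The school side only ever connects outward, which is what makes it work behind the DSL NAT, and the keepalive settings are what bring the tunnel back after the link or the power returns.

```conf
# --- mothership.conf: runs on the fixed-IP "mother ship" ---
port 1194
proto udp
dev tun
# CA, certificate, key and DH parameters from your own PKI
# (paths assumed; the easy-rsa scripts shipped with OpenVPN generate these)
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/mothership.crt
key  /etc/openvpn/mothership.key
dh   /etc/openvpn/dh.pem
# Shared HMAC key: UDP packets without a valid HMAC are dropped before the
# TLS handshake, which keeps scanners and junk traffic off the TLS stack
tls-auth /etc/openvpn/ta.key 0
# Hub mode: hand each school its own tunnel address out of this pool
server 10.8.0.0 255.255.255.0
# Pin a fixed tunnel address per school (a file ccd/<cert-common-name>
# containing e.g. "ifconfig-push 10.8.0.10 10.8.0.9") so maintenance
# scripts always have a stable target for that school
client-config-dir /etc/openvpn/ccd
# Deliberately NOT set: client-to-client. Schools must not see each other.
# Ping every 10 s; declare the peer dead after 120 s and wait for a reconnect
keepalive 10 120
# Keep keys and the tun device across restarts so the daemon can drop root
persist-key
persist-tun
user nobody
group nogroup          # "nobody" on RHEL-style systems
verb 3

# --- school.conf: runs on the XS school server behind NAT ---
client
dev tun
proto udp
# The only thing the school needs to know: the mother ship's public address
# (placeholder hostname)
remote mothership.example.org 1194
# Outbound-only: no listening port on the school side; retry DNS forever
nobind
resolv-retry infinite
# Refuse to talk to anything whose certificate is not marked as a server
# certificate, so a copied school certificate cannot impersonate the hub
remote-cert-tls server
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/school01.crt
key  /etc/openvpn/school01.key
tls-auth /etc/openvpn/ta.key 1
keepalive 10 120
persist-key
persist-tun
verb 3
```

With this in place the mother ship can ssh to 10.8.0.10 to reach that school, while the school server never has to accept an inbound connection through its NAT.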

The current setup is in test mode at one of the schools. We've run into some power issues (as in power cuts every day?) but an uninterruptible power supply and a change in the BIOS setting to boot the server upon power-up should fix those in the short run. The tunnel is actually quite robust and will come back up every time the connection is back up and running. No pesky Cisco VPN shenanigans either!

Comments

IPv6

Assuming the crypto isn't actually useful to you, IPv6 tunnels are an excellent way of dealing with this.  (For example, an AYIYA tunnel from sixxs.net.)

Stuff of the Borg...

Sameer, this sounds like Borg stuff from Star Trek NextGen... who would've thought we would need all of this hi-tech just to get a bunch of kids to use some laptops. Seriously, as we continue to incrementally build this infrastructural, technical and social support architecture for our Pilots, there are many lessons to be learned that will be worth writing about at some point.