[Server-devel] [support-gang] Value of remote access to School Servers.

Anish Mangal anish at activitycentral.com
Wed Jul 3 05:22:17 EDT 2013 

On Wed, Jul 3, 2013 at 2:40 PM, James Cameron <quozl at laptop.org> wrote:

> On Wed, Jul 03, 2013 at 02:06:04PM +0530, Anish Mangal wrote:
> >
> >
> > On Wed, Jul 3, 2013 at 1:54 PM, James Cameron <quozl at laptop.org> wrote:
> >
> >     On Wed, Jul 03, 2013 at 12:45:35PM +0530, Anish Mangal wrote:
> >     > James wrote:
> >     > > Would the person accessing their XSCE remotely then establish
> >     > > another tunnel to your OpenVPN server, or would your server do
> >     > > inbound connection forwarding?
> >     >
> >     > Hmm. I'm not so clear on that. I can give the example of a setup in
> >     > Bhagmalpur (a pilot we recently did).
> >     >
> >     > 1. There is an openVPN server hosted by Sameer.
> >     > 2. The XSCE when connected to the internet dials into this open vpn
> >     >    server.
> >
> >     Thanks, I understand the first two steps, and they sound good.
> >
> >     > 3. I can login to the XSCE through the openVPN connection through
> >     >    ssh and administer remotely.
> >
> >     How is this last step achieved?  There's much flexibility, so I'm
> >     curious.  I imagine one of three methods:
> >
> >     a.  does the user first SSH into an account on the OpenVPN server and
> >     then SSH again to the XSCE, or;
> >
> >     b.  does the user SSH to a particular port on the OpenVPN server that
> >     is automatically forwarded to the XSCE, or;
> >
> >     c.  does the XSCE have a routable IP address, courtesy of the OpenVPN
> >     server, to which SSH is directed?
> >
> >
> >
> > I'm not sure... let me explain (perhaps Sameer or Santi can chime in)...
> >
> > I have a set of openVPN keys on may laptop through which I connect to the
> > openVPN server automatically (and a network called tun0 is created)
> >
> > I know the IP address of the XSCE in Bpur
> >
> > So, from my laptop, I just do ssh root@<ip address of XSCE on the
> openVPN
> > network>
> >
> > Does it make things any clearer?
>
> Yes, this would be a case "d", where both the client (your laptop) and
> the server (the XSCE) have an unroutable address on a network that is
> unreachable except through OpenVPN.
>
> By unroutable I mean one that cannot be reached from the public
> network.
>
> This is a good choice, because:
>
> - it allows the server hosting the OpenVPN to avoid dealing with
>   traffic unrelated to the task of remote access,
>
> - it allows the administrator of the OpenVPN server to set up packet
>   filtering rules to permit specific individuals to access specific
>   XSCEs,
>
> - it prevents access to either party from the public network.
>
>
So, I guess this is a good setup to run with.


> Now that you have remote XSCE settled, have you considered remote XO
> access for hardware diagnosis and maintenance?  Write up of that
> feature is here:
>
> http://wiki.laptop.org/go/Firmware/Remote
>
>
Hmm, Haven't really put a lot of thought to it so welcome to inputs :-)

You gave one example use case. Perhaps if you could explain if this would
be required in everyday usage or emergency scenarios. The reason I'm asking
is because we're designing an architecture where:

* The XSCE is supposed to stay on for major times of day, if not 24x7.
* Internet connectivity to the XSCE is going to be flakey.
* If a remote XO is to be 'repaired', there has to be communication to make
sure that the specific XO is turned on, the XSCE is connected to the
internet, and an administrator has access to it through openVPN. It seems
like many elements have to be in place for this to happen reliably. (would
be happy to be proved wrong though).

Do you think there could be alternate approaches. For example, in Dextrose
builds, we have an automatic yum-based updater. There is a local repo on
the XSCE, which the clients regularly check for package updates, and
install automatically. This works quite reliably in environments with
flakey internet. One just has to copy the new package on the xsce, and
everything else from then on is local (and pretty reliable).


> A relay using socat could be run on the XSCE for this purpose, and so
> a user of the OpenVPN service could reach an XO (or another XSCE) to
> analyse or fix non-booting scenarios.
>
> I know you already have the capability to deploy puppet for XO remote
> administration ... if the Linux kernel is running.
>
> --
> James Cameron
> http://quozl.linux.org.au/
>

--
Anish
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.laptop.org/pipermail/server-devel/attachments/20130703/aa47c9e8/attachment.html>

More information about the Server-devel mailing list