[Server-devel] [support-gang] Value of remote access to School Servers.

George Hunt georgejhunt at gmail.com
Wed Jul 3 05:38:01 EDT 2013


The central openvpn server would be configured to pass out local
(unroutable in the wider internet) addresses in the 10.0.0.0/8 subnet to
each client.

There would be one public/private key pair distributed with the XSCE
software distribution, for testing. The server would be configured to
accept multiple connections from the same key pair. Effectively this would
create a "party line", where everyone who had access to the key pair would
have access to the "party line".  Then they would be able to ping all the
other XSCE servers, on the local 10.0.0.0/8 virtual private network (which
is worldwide) -- assuming that the firewalls were set to enable ping
responses. And they could log into any servers on that party line, for
which they had ssh authentication credentials.

Then, most likely with passwords turned off, deployments could use
public/private key pairs they generate themselves to access their own
servers.

For an additional level of security, deployments could contact
activitycentral to get their own public/private key pairs, one for each
machine, and a config file which connects to different ports, openvpn
instances, virtual box instances, or whole physical machines.

At the extreme, a deployment could have its own virtual private network,
protected by key pairs known only to itself, on its own machine, running
under lock and key, in its own back room, and then ssh (password or key
pair) connection to each of its machines.

George


On Wed, Jul 3, 2013 at 4:36 AM, Anish Mangal <anish at activitycentral.com> wrote:

>
>
> On Wed, Jul 3, 2013 at 1:54 PM, James Cameron <quozl at laptop.org> wrote:
>
>> On Wed, Jul 03, 2013 at 12:45:35PM +0530, Anish Mangal wrote:
>> > James wrote:
>> > > Would the person accessing their XSCE remotely then establish
>> > > another tunnel to your OpenVPN server, or would your server do
>> > > inbound connection forwarding?
>> >
>> > Hmm. I'm not so clear on that. I can give the example of a setup in
>> > Bhagmalpur (a pilot we recently did).
>> >
>> > 1. There is an openVPN server hosted by Sameer.
>> > 2. The XSCE when connected to the internet dials into this open vpn
>> >    server.
>>
>> Thanks, I understand the first two steps, and they sound good.
>>
>> > 3. I can login to the XSCE through the openVPN connection through
>> >    ssh and administer remotely.
>>
>> How is this last step achieved?  There's much flexibility, so I'm
>> curious.  I imagine one of three methods:
>>
>> a.  does the user first SSH into an account on the OpenVPN server and
>> then SSH again to the XSCE, or;
>>
>> b.  does the user SSH to a particular port on the OpenVPN server that
>> is automatically forwarded to the XSCE, or;
>>
>> c.  does the XSCE have a routable IP address, courtesy of the OpenVPN
>> server, to which SSH is directed?
>>
>>
> I'm not sure... let me explain (perhaps Sameer or Santi can chime in)...
>
> I have a set of openVPN keys on may laptop through which I connect to the
> openVPN server automatically (and a network called tun0 is created)
>
> I know the IP address of the XSCE in Bpur
>
> So, from my laptop, I just do ssh root@<ip address of XSCE on the openVPN
> network>
>
> Does it make things any clearer?
>
>
>> --
>> James Cameron
>> http://quozl.linux.org.au/
>>
>
>
> _______________________________________________
> support-gang mailing list
> support-gang at lists.laptop.org
> http://lists.laptop.org/listinfo/support-gang
>
>
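Added example, not from George's message or the XSCE project: the shared-key "party line" test server configuration described above next to a per-deployment configuration, with a small shell audit that flags the party-line settings. Directive names are standard OpenVPN 2.x; the file paths and the 10.1.0.0/16 deployment range are assumptions.

```shell
#!/bin/sh
# Constructed example: the shared-key "party line" test server config next to a
# per-deployment config, plus an audit function that flags party-line settings.
# Directive names are standard OpenVPN 2.x; paths and address ranges are assumed.

# Test configuration: one certificate shared by everyone, clients may connect
# concurrently and reach each other (the "party line").
PARTY_LINE_CONF='
port 1194
dev tun
topology subnet
server 10.0.0.0 255.0.0.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
duplicate-cn
client-to-client
'

# Per-deployment configuration: one certificate per machine, a ccd file required
# for each client (fixed address), revocation list checked, no client-to-client.
PER_DEPLOYMENT_CONF='
port 1195
dev tun
topology subnet
server 10.1.0.0 255.255.0.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
client-config-dir ccd
ccd-exclusive
crl-verify crl.pem
'

# Prints one finding per line; prints nothing when no party-line trait is present.
audit_openvpn_conf() {
    printf '%s\n' "$1" | awk '
        /^duplicate-cn/        { print "duplicate-cn: one certificate may log in many times (shared party line)" }
        /^client-to-client/    { print "client-to-client: every client can reach every other client" }
        /^tls-auth|^tls-crypt/ { has_tls = 1 }
        /^crl-verify/          { has_crl = 1 }
        END {
            if (!has_tls) print "no tls-auth/tls-crypt: control channel packets are not HMAC-authenticated"
            if (!has_crl)  print "no crl-verify: a leaked or lost client key cannot be revoked"
        }'
}
```

Run `audit_openvpn_conf "$PARTY_LINE_CONF"` to see the four findings the test config raises; the per-deployment config produces none.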