[Server-devel] [support-gang] Value of remote access to School Servers.

Sameer Verma sverma at sfsu.edu
Wed Jul 3 15:10:42 EDT 2013

On Wed, Jul 3, 2013 at 2:10 AM, James Cameron <quozl at laptop.org> wrote:
> On Wed, Jul 03, 2013 at 02:06:04PM +0530, Anish Mangal wrote:
>> On Wed, Jul 3, 2013 at 1:54 PM, James Cameron <quozl at laptop.org> wrote:
>>     On Wed, Jul 03, 2013 at 12:45:35PM +0530, Anish Mangal wrote:
>>     > James wrote:
>>     > > Would the person accessing their XSCE remotely then establish
>>     > > another tunnel to your OpenVPN server, or would your server do
>>     > > inbound connection forwarding?
>>     >
>>     > Hmm. I'm not so clear on that. I can give the example of a setup in
>>     > Bhagmalpur (a pilot we recently did).
>>     >
>>     > 1. There is an openVPN server hosted by Sameer.
>>     > 2. The XSCE when connected to the internet dials into this open vpn
>>     >    server.
>>     Thanks, I understand the first two steps, and they sound good.
>>     > 3. I can login to the XSCE through the openVPN connection through
>>     >    ssh and administer remotely.
>>     How is this last step achieved?  There's much flexibility, so I'm
>>     curious.  I imagine one of three methods:
>>     a.  does the user first SSH into an account on the OpenVPN server and
>>     then SSH again to the XSCE, or;
>>     b.  does the user SSH to a particular port on the OpenVPN server that
>>     is automatically forwarded to the XSCE, or;
>>     c.  does the XSCE have a routable IP address, courtesy of the OpenVPN
>>     server, to which SSH is directed?
>> I'm not sure... let me explain (perhaps Sameer or Santi can chime in)...
>> I have a set of openVPN keys on may laptop through which I connect to the
>> openVPN server automatically (and a network called tun0 is created)
>> I know the IP address of the XSCE in Bpur
>> So, from my laptop, I just do ssh root@<ip address of XSCE on the openVPN
>> network>
>> Does it make things any clearer?
> Yes, this would be a case "d", where both the client (your laptop) and
> the server (the XSCE) have an unroutable address on a network that is
> unreachable except through OpenVPN.

True. Both "clients" get a private IP within the same subnet.

> By unroutable I mean one that cannot be reached from the public
> network.

True. In many cases, ISPs use private dynamic IPs, so getting to the
server becomes difficult.

> This is a good choice, because:
> - it allows the server hosting the OpenVPN to avoid dealing with
>   traffic unrelated to the task of remote access,
> - it allows the administrator of the OpenVPN server to set up packet
>   filtering rules to permit specific individuals to access specific
>   XSCEs,

Yes, there are several ways to segment out the traffic using packet
filtering on the server itself. The OpenVPN server acts like a hub
initially, but because of the layer 3 packet filtering, it can then
effective behave like a vLAN switch (although switching is a L2 tech).

> - it prevents access to either party from the public network.


> Now that you have remote XSCE settled, have you considered remote XO
> access for hardware diagnosis and maintenance?  Write up of that
> feature is here:
> http://wiki.laptop.org/go/Firmware/Remote
> A relay using socat could be run on the XSCE for this purpose, and so
> a user of the OpenVPN service could reach an XO (or another XSCE) to
> analyse or fix non-booting scenarios.
> I know you already have the capability to deploy puppet for XO remote
> administration ... if the Linux kernel is running.
> --
> James Cameron
> http://quozl.linux.org.au/

Sameer Verma, Ph.D.
Professor, Information Systems
San Francisco State University

More information about the Server-devel mailing list