Ideas for Remote Access

A forum for discussion on the software for the WMT River Control System
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Ideas for Remote Access

Post by TerryJC »

hamishmb wrote: 14/05/2020, 9:09
How would opening a port on the router for a VPN be more secure than just opening ports for SSH access to the Pis?
As I said, I'm not an expert and I'm waiting for Paul to respond. However, AIUI, when you open a port on the Router you do so to one specific IP Address. So if we were to install OpenVPN on the Webserver Pi, we open a port on the Router to allow access to that Pi and any external traffic is routed to that Pi and to no other devices. The VPN Server (created by OpenVPN) then allows traffic to the other devices on the internal network, eg to all the other Pis, but not to the computers on the Office network.

If we wanted to get SSH access without using a VPN server, we would either have to open up the Router completely (I'm not sure you can even do that) or open a port to the Webserver Pi and then have the firewall in the Webserver Pi open ports to all the other Pis.
Terry
PatrickW
Posts: 146
Joined: 25/11/2019, 13:34

Re: Ideas for Remote Access

Post by PatrickW »

Connecting directly to each Pi would require two sets of port forwarding to be maintained (one set on each NAT gateway device) and non-standard ports would have to be used. Then, SSH logins would involve specifying the port number. Seems messy to me.

The Pis would also need more secure authentication. I get at least a dozen unauthorised SSH login attempts every day, just from exposing an SSH server to the internet. Presumably the bots are just dipping their toes in to test the water and they would make more attempts if they found I was accepting password authentication. The most common username they try to log in with is "admin" (8% of attempts), closely followed by "pi" (5.9%). No doubt VPN servers face a similar barrage.

I think using a VPN is a much cleaner arrangement. You make one connection through one port to the VPN server, and then you can connect to individual Pi IP addresses, because you're now on the same network as they are. Less to remember, less to configure, fewer opportunities to forget to secure something critical.

SSH can be used as a "poor man's VPN". One (gateway) host has its SSH server exposed to the internet. Provided that the SSH server configuration permits it, it is then possible to use an SSH connection into the gateway host to instruct the gateway to temporarily forward a port on your local machine to a specific host at its end of the connection. This creates a tunnel from your machine, through the SSH connection, to the remote machine. You can then SSH through the tunnel to the otherwise inaccessible remote host. I always get mixed up with the commands for it, because you can also do it backwards or run a SOCKS proxy or some other thing, so I always resort to the manual. Nevertheless, once you know the command it's easy and I don't think there's anything particularly wrong with doing it this way if it provides adequate functionality. (And you can, in theory, use the SSH connection to install a VPN server!)
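Added example, not code from the thread or from the River Control System project: the gateway-hop commands PatrickW describes, plus a count of which usernames fail SSH logins on the exposed gateway, run over constructed log lines. Host names, ports, addresses and log lines are assumptions made up for the example.

```shell
#!/bin/sh
# Added example; not code from the forum thread or the River Control System project.
# (1) The "poor man's VPN": an SSH local port forward through the one
#     internet-exposed gateway host to a Pi that is otherwise unreachable.
# (2) A count of which usernames fail SSH logins on that gateway, so the daily
#     barrage of bot attempts can be measured rather than guessed at.
# Host names, ports, addresses and log lines are constructed for this example.

# (1a) Forward local port $1 via gateway $2 (listening on port $3) to port 22 of
#      internal host $4. Run the printed command in one terminal; in another,
#      "ssh -p $1 pi@localhost" then lands on the internal Pi.
tunnel_cmd() {
    printf 'ssh -N -L %s:%s:22 -p %s %s\n' "$1" "$4" "$3" "$2"
}

# (1b) The same hop in one step with ProxyJump (OpenSSH 7.3 and later):
#      gateway $1 on port $2, internal host $3.
jump_cmd() {
    printf 'ssh -J %s:%s pi@%s\n' "$1" "$2" "$3"
}

# (2) Read sshd log lines on stdin; print "user count percent" for every username
#     in a "Failed password" line, most frequent first. Successful logins and the
#     preceding "Invalid user" lines are ignored so each attempt counts once.
failed_users() {
    awk '/Failed password for/ {
             u = $0
             sub(/.*Failed password for (invalid user )?/, "", u)
             sub(/ from .*/, "", u)
             n[u]++; total++
         }
         END { for (u in n) printf "%s %d %.1f%%\n", u, n[u], 100 * n[u] / total }' \
    | sort -k2,2nr
}

# Constructed sample of sshd auth log lines (RFC 5737 documentation addresses).
SAMPLE_LOG='May 15 09:01:02 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
May 15 09:01:05 gw sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 4322 ssh2
May 15 09:02:11 gw sshd[1240]: Failed password for invalid user pi from 198.51.100.7 port 50022 ssh2
May 15 09:03:00 gw sshd[1250]: Failed password for root from 198.51.100.7 port 50023 ssh2
May 15 09:03:01 gw sshd[1251]: Accepted publickey for patrick from 192.0.2.9 port 3333 ssh2'

tunnel_cmd 2222 gateway.example 2200 192.168.1.20
jump_cmd gateway.example 2200 192.168.1.20
printf '%s\n' "$SAMPLE_LOG" | failed_users
```

On a real gateway, feed `failed_users` from the sshd log (for example `journalctl -u ssh` or `/var/log/auth.log`) instead of the constructed sample.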
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Ideas for Remote Access

Post by TerryJC »

Patrick,

The consensus at the moment seems to be to use VPN. I spoke to Paul on the phone a short while ago and he believes that we should be able to run OpenVPN on the Webserver Pi. This Pi also runs the firewall between the River System sub-net (192.168.1.x) and the Office sub-net plus the webserver (nginx). That way we open a port on the Office Router and point it to the VPN Server's IP Address. Then on the firewall, we open a port to allow traffic to and from the VPN Server.

The main stumbling block at the moment is getting access to the Office Router admin account.
Terry
Penri
Posts: 1284
Joined: 18/05/2017, 21:28

Re: Ideas for Remote Access

Post by Penri »

Hello all,

Unfortunately we have two trains operating at different speeds here.

I need to secure the trustees' agreement to allowing remote access and to provide some budget. I can't do that without a trustee's board meeting, which fortunately now will happen on Wednesday, it's the slow train.

I'm preparing myself to paint a bleak future for our projects if remote access is not available and will outline three potential ways forward: VPN, new land line and 3/4G data connection. I have to finalise some ballpark costs for the last two options. Are there any costs involved with VPN in the way you currently envisage it that we should allow for?

Having secured the board's approval we can then get on with finding the router's paperwork or quizzing the ISP (or potentially changing the ISP if we get no cooperation).

When the subject was first raised I was told that we were some weeks away from needing the facility, so have been operating on those timescales. I don't want to pressure the board if the facility is not going to be used.

By the way, Terry if there are any other arguments I can bring to bear to raise the pressure on the board they would be welcome, ie is the web server going to be functional if you can't access it, have you been asked to make any changes to its content?

The other train, moving at a much higher speed, is us!

Hwyl

Penri
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Ideas for Remote Access

Post by TerryJC »

Penri,

Thanks for the info about the Router that you sent to me by email. I'll post it here for completeness:

Technicolor
TG582n
SN: CP1536VFNTN
GW: DSLWBC583ULE2
MAC: C4RA1D58E2AC

I have done a search on the Internet for this device and found a few things. First, it is now obsolete and appears to have first been used by UK ISPs (such as Plusnet and Zen) around 2012. I have been unable to get hold of a User Manual for it, but if we have the admin password, then the info I have obtained should allow us to set it up to do port forwarding. Unfortunately, that will need to be done by someone on site.

Here are links to some of the useful stuff that I've found:

Port Forwarding: https://support.aa.net.uk/Router_-_TG58 ... warding_UI
CLI Guide: https://support.aa.net.uk/images/3/33/T ... public.pdf
Penri wrote: 15/05/2020, 14:05
I'm preparing myself to paint a bleak future for our projects if remote access is not available and will outline three potential ways forward: VPN, new land line and 3/4G data connection. I have to finalise some ballpark costs for the last two options. Are there any costs involved with VPN in the way you currently envisage it that we should allow for?

Having secured the board's approval we can then get on with finding the router's paperwork or quizzing the ISP (or potentially changing the ISP if we get no cooperation).
There should be no cost associated with the preferred solution. Over the phone Paul has assured me that the Webserver Pi in the Railway Room Store has adequate performance to run the VPN Server in addition to the Webserver, Firewall and Audio Guide that it currently supports.

If we can't open up the Router (for whatever reason) then the minimal additional costs would be those associated with switching ISP and / or putting a new Router in. The maximum are likely to be the 4G Dongle / Router solution as outlined earlier.
Penri wrote: 15/05/2020, 14:05
When the subject was first raised I was told that we were some weeks away from needing the facility, so have been operating on those timescales. I don't want to pressure the board if the facility is not going to be used.
It would still take some time to assemble a test rig and test it before deployment.
Penri wrote: 15/05/2020, 14:05
By the way, Terry if there are any other arguments I can bring to bear to raise the pressure on the board they would be welcome, ie is the web server going to be functional if you can't access it, have you been asked to make any changes to its content?
Apart from the current Requirement, the big argument for Remote Access is that we would be able to modify the files on the Webserver, eg quizzes and audio guides, without having to go on site.

Going forward, we would be able to download results from the River System instead of having to be on site.

I can't think of any other advantages at the moment. Anyone else got any thoughts?
Terry
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Ideas for Remote Access

Post by hamishmb »

I guess it would also allow us to update the river system software remotely going forwards, which would certainly make my life easier if debugging/quick fixing is needed.
Hamish