alter3d at alter3d.ca
Mon Jun 2 14:13:40 UTC 2014
On 06/02/2014 08:26 AM, Randy Bush wrote:
>> I use OpenVPN to access an Admin/sandboxed network with insecure portals,
>> wiki, and ipmi.
> hmmmm. 'cept when it is the openvpn server's ipmi. but good hack. i
> may use it, as i already do openvpn. thanks.
What you can also do if you want to remove the dependence on the OpenVPN
server (e.g. smaller networks where the overhead would be high, or to
mitigate failures of the OpenVPN server) is to use your existing pattern
of whitelisting IPs using ACLs, but instead of modifying the rules all
the time, just run a small external server with a static IP, and allow
that IP access through all of your ACLs.
Amazon EC2 instances are great for this. Assign an Elastic IP (i.e.
static IP), and turn the instance on when you need it, shut it down when
you're done. If there happens to be a failure at Amazon right at the
same time you have a failure... spin up a new instance in a different
zone and give it the Elastic IP. No mucking about with ACLs, etc.
Costs a few cents to run for whatever length of time it takes to fix
your issue, and is reasonably secure (especially if you shut the box off
when you're not using it).
More information about the NANOG