Connecting to a server remotely from various IPs

Bes

Hi,

I have various servers for my business that I need to access from various IPs all over the world (I travel a lot).

At the moment, say I want to use SQLWorkbench to update my DB, I have a method that allows me to get my PC's IP, add it to my server's allow list, and then log in. However, as the number of platforms and services I have to access in this manner grows, it is becoming more and more of a pain in the arse, and a security risk.

What I want is a VPN that will give me a static IP which I can then use to get to my servers, allowing me to truly lock down everything to just a single IP. The problem (even at home) is that my IP is static (thanks BT!!), so I cannot see another way of doing this:

1) Is this the best way of doing what I want?
2) Can anyone recommend a fast and reliable VPN service I can sign up to?

Thanks
 
Yes bit of an issue that BT don't seem to want to give out static IPs, my budget is pretty much nothing for this :(

I think I am going to have to try and convert my residential Infinity line to a BT Business Infinity line and then pay for a static IP, and do the teamviewer thing as suggested above.

Thanks
 
OK no cost option it is then.

Use a service like no-ip or dyndns (both offer free services) to enable you to connect from anywhere without you having to know what IP address you currently have at home. And then set up an OpenVPN server (free client and server available for win/mac/linux) on your machine and connect in via a VPN that way.
Looks like it's doable, might be a bit fiddly though. If you get it working, make a post and share your experiences :)
Awesome thanks, I shall have a play over the coming days :)
 
Ok here's the plan:

I have an HP Microserver arriving on Monday, so I think this is what I need to do:

1) Set up DynDNS on my BT homehub.

2) Install a VPN server on my microserver... I am thinking of using VMWare ESXi and running OpenVPN as a virtual appliance (https://www.vmware.com/tryvmware/index.php?p=free-esxi&lp=1) This would allow me to VPN from my laptop anywhere to my BT line at home. I then just initiate a VPN connection from my laptop to my DynDNS hostname.

3) Allow FTP/SSH/admin page connections through to my hosted web servers from my dyndns hostname only.

Have I got that right? :)

Thanks
 
It would work as long as you can restrict access on the endpoint to that forward DNS address.

That in itself means it needs to do a DNS lookup with every single connection attempt, which on an open server with open ports could mean LOTS of lookups and potential for abuse. So you would then need to look at more advanced ACLs which would block excessive connections/lookups.

It also means it relies on DNS resolution, which could fail. It also relies on dyndns working, and your BT ADSL, and your server etc...

There are just too many weak links there for me.

The idea is right... what you described is often called a jump box. These are single points of entry which you connect into which then allow you to jump onto the rest of the network.

I do a fair bit of ad-hoc consultancy for a few companies and I basically rely on 2 Linux servers; I give them those IPs and then I just SSH/tunnel into those servers and go from there. It can be a security risk but every company I connect to has additional layers of security, it's not just an all areas access pass.

Even a basic VM hosted somewhere like vps.net would do.

Restricting access to that one hostname is not a problem. Basically the server hosts a web application which is open to the public. Services like SFTP/ SSH, and access to the admin pages (in a separate directory) are what we are trying to restrict. This can be done using .htaccess to only allow access from the dyndns hostname. I don't think the risk of DNS going down is that high.

The only port I am forwarding on my BT HomeHub is whichever port OpenDNS uses. (so not lots of open ports).

And as for the lots of DNS lookups on our end server, I basically have 3 potential clients who want to connect to it (me, the developer, and whoever is doing the day-to-day work on our servers). There is always potential for 'lots and lots' of DNS lookups, so I don't know how this is any worse than anything else? Maybe I am missing something here?

Thanks
 
The default behaviour when restricting access to a hostname is to do a double lookup.

First it does a reverse (PTR) lookup and then it does a forward lookup on that hostname to ensure it matches.

That in itself won't work for you because BT won't change your PTR record.

So you need to just do an A lookup for each request and take that IP address and accept only that. Never done it, I'm sure there is an apache module somewhere that can do that, but it's not standard.

As for the DNS lookups, it's just my personal preference that I never do DNS lookups on incoming connections. There is so much background traffic on the net these days that any open ports are gonna get hit at all times of the day and so your box is just gonna be doing all these useless lookups. And like I say, it's then not hard to abuse it by opening lots of connections to the box which then cause it to hammer its DNS resolver.

So if you do decide to do that some form of ACL/spam protection is suggested.
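To make the two checks described above concrete, here is an added example (not code from the thread or from any Apache module) that implements both the default double lookup (PTR, then forward) and the forward-only A-record check, with a short cache so a burst of connection attempts does not become a burst of resolver queries. The hostnames and resolver functions are assumptions; real resolution goes through the socket module, and the check fails closed when a lookup errors.

```python
import socket
import time


def resolve_a(hostname):
    """Forward (A) lookup: all IPv4 addresses the hostname currently points at."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}


def resolve_ptr(ip):
    """Reverse (PTR) lookup of a client IP; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


class HostnameAllowList:
    """Forward-only check: client IP must equal a current A record of an allowed name.
    Results are cached for `ttl` seconds, so repeated connection attempts reuse one
    lookup instead of hammering the resolver (the abuse case raised in the thread)."""

    def __init__(self, hostnames, ttl=60, resolver=resolve_a, clock=time.monotonic):
        self.hostnames = list(hostnames)   # e.g. a DynDNS name (assumed, constructed)
        self.ttl, self.resolver, self.clock = ttl, resolver, clock
        self._cache, self._expires = set(), 0.0

    def allowed_ips(self):
        if self.clock() >= self._expires:     # cache stale: refresh every name once
            ips = set()
            for name in self.hostnames:
                try:
                    ips |= self.resolver(name)
                except OSError:
                    pass                      # resolution failed: that name allows nothing
            self._cache, self._expires = ips, self.clock() + self.ttl
        return self._cache

    def is_allowed(self, client_ip):
        return client_ip in self.allowed_ips()


def double_lookup_allowed(client_ip, hostnames, ptr=resolve_ptr, forward=resolve_a):
    """Default Apache-style check: PTR of the client must be an allowed name AND a
    forward lookup of that name must contain the client IP. A BT line whose PTR is
    the ISP's generic name (not the DynDNS name) never passes the first step."""
    name = ptr(client_ip)
    if name is None or name.rstrip(".") not in hostnames:
        return False
    return client_ip in forward(name.rstrip("."))
```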
Yes that makes sense.

It seems like derfderfley's idea (which is what I was going to attempt) is going to cause these extra DNS lookups then.

Looks like this is impossible to do without cost then. £20 is a lot just for an environment to run a VPN server from. Is there a cheaper way of achieving something like this? I guess I need an unmanaged/ free reign on a VDS, or need to go to a BT business line if they will let me.

Thanks
 