We use PFSense software on PC hardware. PFSense implements several
different VPN arrangements but we are using IP/SEC since it is one of
the very few that hasn't been hacked. Someone I know was looking at
Ubiquiti Cloud Key remote and I did a search for exploits and it has
been listed as having "Critical" level hacks. Not sure about their edge
routers but you should search for exploits for whatever equipment you
use that interfaces the Internet.
Bill Putney - WB6RFW
District 2 Commissioner - Port of Port Townsend
Chief Engineer - KPTZ
El Jefe de Contenido - Port Townsend Film Festival
Private Pilot-Single Engine Land | Airframe & Powerplant / Inspection
Authorization
On 2/5/18 3:48 AM, Andy Higginson wrote:
This is probably going off at a slight tangent but....
I was looking at Ubiquiti EdgeRouters over the weekend. They might be
an interesting option for getting things up and running for VPN work.
It is often said that you should keep your office network and music
network separate. However, if you are trying to access the Rivendell
machines remotely, you need to have internet access to them, even if
it is through a VPN. The EdgeRouters (even the cheapest model, the
Lite) have multiple subnets and routing on them. The Lite comes with
3 ports - eth0 for the WAN, eth1 for LAN 192.168.101.x and eth2 for
LAN 192.168.102.x. Now I don't know what routing it does between
ports eth1 and eth2 but it does seem to me that you could use this to
allow both of the station networks to access the internet via this
router. It also has the ability to run a VPN as well so you should be
able to access the Music network from the outside world. How well
they run and how they would perform in this context is not something
that I would know. However I would be interested if anyone has some
input.
https://www.ubnt.com/edgemax/edgerouter-lite/
https://www.smallnetbuilder.com/lanwan/lanwan-reviews/33111-ubiquiti-edgerouter-lite-revisited
Of course, one of the things with getting a VPN up and running is that
you could use this for storing a remote off site backup with a NAS
drive. That's something for another discussion.
Andy
---- On Mon, 05 Feb 2018 10:06:45 +0000 *James Greenlee
<ja...@madsonics.com>* wrote ----
Isn't this what the Server/Client model is all about?
In our deployment, our main studio is located in another town from
the owner and myself. There's a "server" at the main studio (which
is also the active RDAirPlay host), and workstations at both my
location and the owner's location. All of our networks (two home
locations, the main studio, and translator sites), are linked
together with VPNs across the internet.
The good:
We don't have to drive 30 miles to the main studio to make
schedule changes or add/remove content from the Rivendell system.
The bad:
It's painfully slow doing anything in Rivendell that's not on a
local LAN.
There are no issues with all of the Rivendell systems running at
the same time provided you don't work on the same thing from two
different locations. Even if you do though, the last change would
win. With the remote workstations, we're able to maintain content,
create and edit clocks/logs, pull reports...Pretty much everything
you can do locally with Rivendell, it's just slower. The speed
penalty is due to network latency. Two things we use to make this
easier for us: a NAS (with NFS mounts for the Rivendell Server),
and an IP KVM (from Avocent) that gives us a remote console to the
Rivendell box for operating it as if we were right there in the
studio.
The "glue" that makes this all happen is the VPN. There are
volumes written on VPNs, network security, remote access
technologies and they go far beyond the scope of Rivendell itself.
I would not recommend running a VPN directly on the Rivendell host
and instead build up a VPN on your network router, or use a VPN
service to tie your networks together. Keep in mind your security
requirements and trust between your partner's network and your own
(in a site-to-site VPN, any computer on either side of the VPN has
access to all network devices on all VPN end-points).
James
----- Original Message -----
From: "Cowboy" <c...@cwf1.com>
To: "Rivendell-Dev" <rivendell-dev@lists.rivendellaudio.org>
Sent: Saturday, February 3, 2018 1:47:01 PM
Subject: Re: [RDD] Guidance on remote machine access
On Saturday 03 February 2018 12:07:20 pm Rich Lawrence wrote:
> Hello all.
> I have a partner helping with my streaming station and I would
> like him to be able to access the main database, which is housed
> at my location, from a remote machine at his location.
> This is mostly going to be used for adding new music, promos,
> etc. Voice tracking is something later down the line, but the
> priority is the former.
> I’m running 2.10.3 on Ubuntu 12, and would like some suggestions
> on the best way to accomplish what I am looking to do.
"Access the main database" could be taken a few ways.
Literally...
I would first offer an EXTREME CAUTION doing this !!
The likelihood of completely trashing your database, resulting in
the loss of EVERYTHING is not trivial !
Fred and I have discussed this many times.
The problem is two people accessing the same thing at the same time.
Which is the "valid" data ? The first one to commit, or the last
one to commit,
neither being aware of the other, thus committing conflicting data.
OK, got that ? You have been warned !
Figuratively, meaning able to work with the system, and not
directly access the database.
You could add his remote host, assuming he has a public IP on that
machine,
the same as any other. I'd strongly recommend against, as it
involves a good
deal of risky exposure at both ends, but you're not exposing your
database
directly on the open internet.
Across a VPN this should work easily.
Setting up a VPN on an unfamiliar OS ( Ubuntu ) is beyond me, but
once done
his remote machine is "local" as far as the system is concerned,
albeit slower.
Probably, you'd actually be creating the VPN firewall to firewall
so that the
Rivendell machines don't even need be aware it's not physically local.
You could give him remote access to a local workstation via ssh -X
Safer, but not without pitfalls, as music and such would have to
be first
transferred onto that machine, then imported "locally" at your
location though
he'd be the one actually doing it via remote access.
That's probably the way I'd approach it, based on familiarity
though the
idea of a VPN approach is probably the better way.
--
Cowboy
http://cowboy.cwf1.com
This Fortune Examined By INSPECTOR NO. 2-14
_______________________________________________
Rivendell-dev mailing list
Rivendell-dev@lists.rivendellaudio.org
http://caspian.paravelsystems.com/mailman/listinfo/rivendell-dev