James, As you can see we don't pretend to have all the details worked out :)
We hope that this incentive helps encourage a public feedback loop between ideas and implementations like this thread.

On Wed, Jul 3, 2013 at 4:38 AM, George Hunt <georgejh...@gmail.com> wrote:
> The central openvpn server would be configured to pass out local
> (unroutable in the wider internet) addresses in the 10.0.0.0/8 subnet to
> each client.
>
> There would be one public/private key pair distributed with the XSCE
> software distribution, for testing. The server would be configured to
> accept multiple connections from the same key pair. Effectively this would
> create a "party line", where everyone who had access to the key pair would
> have access to the "party line". Then they would be able to ping all the
> other XSCE servers on the local 10.0.0.0/8 virtual private network
> (which is worldwide) -- assuming that the firewalls were set to enable ping
> responses. And they could log into any servers on that party line for
> which they had ssh authentication credentials.
>
> Then, most likely with passwords turned off, deployments could use
> public/private key pairs they generate themselves to access their own
> servers.
>
> For an additional level of security, deployments could contact
> activitycentral to get their own public/private key pairs, one for each
> machine, and a config file which connects to different ports, openvpn
> instances, virtual box instances, or whole physical machines.
>
> At the extreme, a deployment could have its own virtual private network,
> protected by key pairs known only to itself, on its own machine, running
> under lock and key, in its own back room, and then ssh (password or key
> pair) connection to each of its machines.
>
> George
>
> On Wed, Jul 3, 2013 at 4:36 AM, Anish Mangal <an...@activitycentral.com> wrote:
>>
>> On Wed, Jul 3, 2013 at 1:54 PM, James Cameron <qu...@laptop.org> wrote:
>>
>>> On Wed, Jul 03, 2013 at 12:45:35PM +0530, Anish Mangal wrote:
>>> > James wrote:
>>> > > Would the person accessing their XSCE remotely then establish
>>> > > another tunnel to your OpenVPN server, or would your server do
>>> > > inbound connection forwarding?
>>> >
>>> > Hmm. I'm not so clear on that. I can give the example of a setup in
>>> > Bhagmalpur (a pilot we recently did).
>>> >
>>> > 1. There is an openVPN server hosted by Sameer.
>>> > 2. The XSCE when connected to the internet dials into this open vpn
>>> > server.
>>>
>>> Thanks, I understand the first two steps, and they sound good.
>>>
>>> > 3. I can login to the XSCE through the openVPN connection through
>>> > ssh and administer remotely.
>>>
>>> How is this last step achieved? There's much flexibility, so I'm
>>> curious. I imagine one of three methods:
>>>
>>> a. does the user first SSH into an account on the OpenVPN server and
>>> then SSH again to the XSCE, or;
>>>
>>> b. does the user SSH to a particular port on the OpenVPN server that
>>> is automatically forwarded to the XSCE, or;
>>>
>>> c. does the XSCE have a routable IP address, courtesy of the OpenVPN
>>> server, to which SSH is directed?
>>>
>>
>> I'm not sure... let me explain (perhaps Sameer or Santi can chime in)...
>>
>> I have a set of openVPN keys on my laptop through which I connect to the
>> openVPN server automatically (and a network called tun0 is created)
>>
>> I know the IP address of the XSCE in Bpur
>>
>> So, from my laptop, I just do ssh root@<ip address of XSCE on the
>> openVPN network>
>>
>> Does it make things any clearer?
>>
>>> --
>>> James Cameron
>>> http://quozl.linux.org.au/
>>
>> _______________________________________________
>> support-gang mailing list
>> support-g...@lists.laptop.org
>> http://lists.laptop.org/listinfo/support-gang
>

--
David Farning
Activity Central: http://www.activitycentral.com
_______________________________________________
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
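A small config audit for the "party line" trade-offs George describes above, added here as an example and not code from this thread or from the XSCE project: it flags the OpenVPN server settings that let one shared key pair reach every peer, and the sshd settings that leave a VPN-reachable box open to password logins. The config snippets are constructed; the option names are real OpenVPN and sshd keywords.

```python
import re

# Constructed sample configs; not taken from any XSCE deployment.
PARTY_LINE_SERVER = """\
port 1194
server 10.8.0.0 255.255.255.0
duplicate-cn       # many XSCE boxes connect with one shared key pair
client-to-client   # every box can reach every other box directly
"""
PER_CLIENT_SERVER = """\
port 1194
server 10.8.0.0 255.255.255.0
tls-crypt ta.key   # control channel also needs a pre-shared key
crl-verify crl.pem # a lost per-device certificate can be revoked
"""
SSHD_LAX = "PermitRootLogin yes\nPasswordAuthentication yes\n"
SSHD_KEYS_ONLY = "PermitRootLogin prohibit-password\nPasswordAuthentication no\n"

def parse_kv(text):
    """Map each option (lower-cased) to the argument lists it appears with."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # strip comments
        if line:
            key, *args = line.split()
            opts.setdefault(key.lower(), []).append([a.lower() for a in args])
    return opts

def audit_openvpn(text):
    """Return the server settings that widen who can reach every peer."""
    opts, issues = parse_kv(text), []
    if "duplicate-cn" in opts:      # one leaked key pair cannot be revoked per device
        issues.append("duplicate-cn")
    if "client-to-client" in opts:  # peer traffic is routed inside openvpn, past the host firewall
        issues.append("client-to-client")
    if not opts.keys() & {"tls-auth", "tls-crypt"}:
        issues.append("no-tls-auth")  # anyone who reaches the port can start a TLS handshake
    if "crl-verify" not in opts:
        issues.append("no-crl-verify")
    return issues

def audit_sshd(text):
    """Return sshd settings that allow password guessing over the VPN."""
    opts, issues = parse_kv(text), []
    # sshd honours the first occurrence of a keyword; defaults are the OpenSSH ones.
    if opts.get("passwordauthentication", [["yes"]])[0][0] == "yes":
        issues.append("password-auth")
    if opts.get("permitrootlogin", [["prohibit-password"]])[0][0] == "yes":
        issues.append("root-password-login")
    return issues
```

Run `audit_openvpn` on the real server.conf and `audit_sshd` on each XSCE's sshd_config to see which of the layouts George lists a deployment is actually running.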