
I have a distributed set of devices running Ubuntu 12.04 that I am distributing to clients. I would like to manage them remotely. They may not have fixed IPs and potentially might be behind firewalls.

What I am planning to do is have the devices (permanently connected to the net) poll a request URL and based on the response open a reverse tunnel to my server, so that I can access them via that tunnel.

Most of what I read about reverse tunnels over SSH is for single-use cases and very little about heavy production usage. Is there some reason for this: security issues, or stability?

Any help would be much obliged.

Markus
  • could you re-use the standard Ubuntu Remote Desktop Access facility? http://askubuntu.com/questions/305216/ubuntu-server-12-04-remote-desktop-access – johntellsall Jun 02 '14 at 18:27
  • 1
    The reason for so little information about mass reverse SSH tunnels is that it is the wrong solution to a specific problem. The right solution is using a VPN and SSH through the VPN in the normal way. – bjanssen Jun 02 '14 at 20:22
  • Thanks a lot, this is good info. I will definitely read about VPN through SSH – acid_crucifix Jun 02 '14 at 22:01
  • I like teamviewer, though I do not want a paid solution; I see it is free for private use at least. – acid_crucifix Jun 02 '14 at 22:14
  • @acid_crucifix just curious what was your final implementation for this problem? – kaptan Mar 04 '17 at 02:17
  • @kaptan I ended up using almost exactly the openvpn setup defined by @Linuxx in his answer. – acid_crucifix Mar 17 '17 at 09:48
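The poll-then-reverse-tunnel plan from the question, written out with the two things a production deployment needs that the question does not mention: a distinct key per device, and a reverse port that only ever exists on the support server's loopback interface, so the customer's device is not reachable from the Internet through the support server. This is an added example, not code from the question or from the accepted answer; the host name, account, control URL, port scheme and the OpenSSH 7.8+ server (for `restrict`/`permitlisten`) are all assumptions. The 12.04 clients only need the plain `ssh` options shown, which their OpenSSH 5.9 already has.

```shell
#!/bin/sh
# Added example, not code from the question or the accepted answer.
# Device side: poll a control URL and hold a reverse SSH tunnel open while
# the server asks for one. Server side: the authorized_keys entry that pins
# one device key to one loopback port. Host name, account, URL, port
# scheme and the OpenSSH 7.8+ server are all assumptions.

SUPPORT_HOST="support.example.net"            # assumed support server
TUNNEL_USER="tunnel"                          # assumed nologin account on it
CONTROL_URL="https://support.example.net/ctl" # assumed poll endpoint
BASE_PORT=20000                               # assumed: device N -> BASE_PORT+N

# One dedicated reverse port per device, so two devices never fight over it.
device_port() {
    echo $((BASE_PORT + $1))
}

# Server side: authorized_keys line for one device's key. 'restrict' drops
# pty, agent, X11 and all forwarding; 'port-forwarding' re-enables
# forwarding and 'permitlisten' narrows it to this device's own port on
# loopback, so a compromised device cannot bind a port another device uses
# or anything reachable from the Internet (keep sshd's GatewayPorts at the
# default 'no').
authorized_keys_line() {
    id="$1"; pubkey="$2"
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s device-%s\n' \
        "$(device_port "$id")" "$pubkey" "$id"
}

# Device side: ask the control URL whether support wants a tunnel right now.
# Only an exact "open" answer over verified TLS counts; any error means "no".
tunnel_wanted() {
    [ "$(curl -fsS --max-time 10 "$CONTROL_URL/$1")" = "open" ]
}

# Device side: hold the tunnel open. ExitOnForwardFailure makes ssh exit
# when the remote port is already taken instead of sitting on a useless
# session; ServerAlive* tears down a silently dropped connection so the
# loop can reconnect. The server's host key must already be in known_hosts.
run_tunnel() {
    id="$1"; key="$2"
    while :; do
        if tunnel_wanted "$id"; then
            ssh -N -i "$key" \
                -o BatchMode=yes -o StrictHostKeyChecking=yes \
                -o ExitOnForwardFailure=yes \
                -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
                -R "127.0.0.1:$(device_port "$id"):localhost:22" \
                "$TUNNEL_USER@$SUPPORT_HOST"
        fi
        sleep 30
    done
}

# Usage on a device: sh tunnel.sh run <device-id> <path-to-device-key>
if [ "${1:-}" = "run" ]; then
    run_tunnel "$2" "$3"
fi
```

Each device gets its own key pair (for example `ssh-keygen -t rsa -b 4096 -f /etc/device/tunnel_key`), and `authorized_keys_line` produces the one line to append on the support server for that key; revoking a device is deleting its line. With device 3 connected, `ssh -p 20003 admin@127.0.0.1` on the support server lands on that device's own sshd, and nothing on the public interface changes whether or not the tunnel is up.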

1 Answer


I have seen companies do this before. Barracuda Networks uses a "Support Tunnel" that is built into their UI that basically creates a reverse SSH tunnel. If you prefer something a bit more autonomous, then Google "persistent ssh tunnel". There are plenty of shell scripts out there.

Just keep in mind, if the reverse SSH ports on your support server are accessible on the internet, then you are exposing your customers/users to a security vulnerability that they might not have "signed up for". I would also make private key management a high priority. If you use the same private key for all devices and that private key is compromised, then everyone is compromised.

I personally have used OpenVPN as a support tunnel (certificate authentication). The service is already persistent (out of the box) and is very easy to set up. Again, key management is always a high priority. Everyone is issued a different certificate. I can always revoke the cert if things go bad. I also isolate my clients, so that they can't see/talk to each other.

Good luck!

Linuxx
  • Hi, thanks for your answer. I am accepting it as the correct answer as you have given me examples of production usage. I guess I need to read a bit about using OpenVPN before deciding further. Thanks for the idea on sandboxing as well. – acid_crucifix Jun 02 '14 at 22:06
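The OpenVPN setup the answer describes, as an added example (not the answer's own configuration): one certificate per device, a CRL so a single device can be cut off without touching the others, and client isolation that holds even when the kernel is forwarding. Paths, the tunnel subnet and easy-rsa 3 as the CA tool are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's configuration. The server-side half of
# "one certificate per device, revoke it when things go bad, clients can't
# talk to each other". Paths, subnet, and easy-rsa 3 as the CA tool are
# assumptions.

EASYRSA_DIR="/etc/openvpn/easy-rsa"   # assumed easy-rsa 3 checkout with a CA
PKI="$EASYRSA_DIR/pki"
CRL="/etc/openvpn/crl.pem"            # world-readable copy for the server process

# Server config. What is deliberately absent matters as much as what is
# present: no 'client-to-client', so OpenVPN never relays packets between
# two devices; no 'duplicate-cn', so a copied device certificate cannot
# hold a second concurrent session. 'crl-verify' rejects revoked
# certificates at the TLS handshake and is picked up without a restart.
server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca $PKI/ca.crt
cert $PKI/issued/server.crt
key $PKI/private/server.key
dh $PKI/dh.pem
tls-auth /etc/openvpn/ta.key 0
crl-verify $CRL
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Leaving out client-to-client is not enough if the kernel forwards packets
# (net.ipv4.ip_forward=1, needed if devices should reach anything beyond the
# support host): a packet from device A to device B's tunnel address would
# go tun0 -> kernel -> tun0. Drop that path explicitly.
isolation_rules() {
    cat <<EOF
iptables -A FORWARD -i tun0 -o tun0 -j DROP
EOF
}

# One certificate per device, named after the device so revocation is
# unambiguous.
issue_device_cert() {
    (cd "$EASYRSA_DIR" && ./easyrsa build-client-full "$1" nopass)
}

# Revoke one device and publish a fresh CRL where the unprivileged server
# process can read it; every other device keeps working.
revoke_device_cert() {
    (cd "$EASYRSA_DIR" && ./easyrsa revoke "$1" && ./easyrsa gen-crl) || return 1
    cp "$PKI/crl.pem" "$CRL" && chmod 644 "$CRL"
}

# Usage: sh support-vpn.sh conf  > /etc/openvpn/server.conf
#        sh support-vpn.sh rules | sh
#        sh support-vpn.sh issue  device-0042
#        sh support-vpn.sh revoke device-0042
case "${1:-}" in
    conf)   server_conf ;;
    rules)  isolation_rules ;;
    issue)  issue_device_cert "$2" ;;
    revoke) revoke_device_cert "$2" ;;
esac
```

The CRL is the piece that makes per-device certificates worth the trouble: without `crl-verify`, a revoked device still passes the TLS handshake because its certificate is still signed by the CA. The FORWARD rule is the check to run after deploying, with two test devices connected, by pinging one device's 10.8.0.x address from the other; the ping should fail.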