- 04-03-2010 #1 Just Joined!
- Join Date
- Apr 2010
- Posts
- 6
Remote admin behind NAT
Hi all,
I am looking for a solution that would allow me to remote admin (console access would be fine) Linux devices that are behind NAT router / firewall.
Reverse SSH tunnels look promising; however, I am looking to have hundreds of devices and assume that with reverse SSH this could only be achieved by having either a different source domain or a different port per device, which is not scalable.
Does anyone know if there would be a way to manage multiple devices with a single reverse SSH tunnel source, or some other technology that would give me access to Linux devices when behind NAT?
Regards,
Olli
- 04-03-2010 #2
For hundreds of devices individual tunnels are too much work.
You could consider installing OpenVPN on the router/firewall.
You must always face the curtain with a bow.
- 04-03-2010 #3 Just Joined!
- Join Date
- Apr 2010
- Posts
- 6
Thanks for the reply. The devices are in networks that I have no control over, so I cannot install or configure anything on the router/firewall.
Would it be possible, e.g., to write a server-side program that would open a two-way socket when contacted from the device, so that you could then issue shell commands through this socket?
Regards,
Olli
- 04-03-2010 #4 Linux User
- Join Date
- Dec 2009
- Posts
- 252
But you could install OpenVPN on the clients of the networks ...
So they connect to your server within the internet and get an IP there.
You could configure them so that your local computer seems to be in the same network.
Example:
The clients you wanna control are in a private network: 10.0.0.0/24
You create a VPN network with the private address pool: 10.0.1.0/24
Your local router is the VPN server; all the client computers connect to it automatically.
So you can access them with the IPs 10.0.1.1 - 10.0.1.100
That way you don't need any unsecured open ports in the Internet ... just one OpenVPN server ... only accessible with the 100 keys the clients got.
- 04-03-2010 #5
- 04-03-2010 #6 Linux User
- Join Date
- Dec 2009
- Posts
- 252
You don't need the control over the router.
The connection is started by the clients behind the firewall... so the replies from your "control" Computer / VPN Server will pass the firewall as established connection.
The only thing you may need to set is that the connection uses tcp instead of udp.
- 04-03-2010 #7
If these devices are all on the same network you only need to worry about access to one server. From there you should be able to ssh into the others.
- 04-04-2010 #8 Just Joined!
- Join Date
- Apr 2010
- Posts
- 6
Ok. Looks like I should do some testing with OpenVPN then

Any view on the maximum number of clients? Also, what is the best practice to identify each device? If I know their MAC addresses, can I find somehow which IP belongs to which MAC?
Regards,
Olli
- 04-04-2010 #9 Just Joined!
- Join Date
- Apr 2010
- Posts
- 6
Aah, reading the OpenVPN documentation, the client IP address can be defined when creating the connection, so I assume I could just maintain a database of devices and IPs.
Olli
- 04-04-2010 #10
*Hint* Client certificates *Hint*
You must always face the curtain with a bow.
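Added example, not part of the thread and not OpenVPN's own code: one way to combine posts #9 and #10, keeping a device inventory keyed by client-certificate Common Name and generating OpenVPN `client-config-dir` files that pin each device to a fixed address in the 10.0.1.0/24 pool from post #4. The device names, the `build_ccd` helper, the server directives named in the comments and the reservation of 10.0.1.1 for the server are assumptions.

```python
import ipaddress
import re

# Assumed server.conf directives (not from the thread): "topology subnet",
# "client-config-dir ccd" and "ccd-exclusive", with no "duplicate-cn", so a
# certificate without a ccd file is refused and each CN maps to one device.
POOL = ipaddress.ip_network("10.0.1.0/24")    # VPN pool from post #4
SERVER_IP = POOL.network_address + 1           # assumption: 10.0.1.1 is the server
CN_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")     # CN becomes a file name in ccd/


def build_ccd(inventory, existing=None):
    """Return {cn: ccd file text} for every certificate CN in `inventory`.

    existing: {cn: "ip"} from an earlier run; those addresses never move,
    so the device/IP database stays stable as devices are added.
    """
    existing = dict(existing or {})
    used = {ipaddress.ip_address(ip) for ip in existing.values()}
    if len(used) != len(existing):
        raise ValueError("two devices share one address in the existing map")
    used.add(SERVER_IP)
    free = (h for h in POOL.hosts() if h not in used)
    out = {}
    for cn in inventory:
        # Reject names that could escape ccd/ or collide with another device.
        if not CN_RE.fullmatch(cn):
            raise ValueError(f"unsafe common name: {cn!r}")
        if cn in out:
            raise ValueError(f"duplicate common name: {cn!r}")
        if cn in existing:
            ip = ipaddress.ip_address(existing[cn])
            if ip not in POOL or ip == SERVER_IP:
                raise ValueError(f"address outside client pool: {ip}")
        else:
            ip = next(free, None)
            if ip is None:
                raise ValueError("address pool exhausted; use a larger subnet")
        # With "topology subnet" the push is: client address, then netmask.
        out[cn] = f"ifconfig-push {ip} {POOL.netmask}\n"
    return out


if __name__ == "__main__":
    # Constructed sample inventory; device-0002 was assigned on a previous run.
    files = build_ccd(["device-0001", "device-0002", "device-0003"],
                      existing={"device-0002": "10.0.1.50"})
    for cn, text in files.items():
        print(f"ccd/{cn}: {text}", end="")
```

A /24 leaves 253 client addresses once the server's is reserved, so a fleet of several hundred devices needs a wider pool than the one in post #4.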




