I have some systems (mostly CentOS 5 and some XP, all running under ESXi) running behind my firewall. When I'm at friends' or family's places, or on vacation, I sometimes want to connect to those systems over either SSH or RDP (which I can easily tunnel over SSH).
In the past (years ago) I had the SSH port fully open, but that caused me to be the target of a dictionary attack over the internet, so that's not an option.
The best option would be to install a VPN like OpenVPN, but that means that I need to install a client on the computers of the family members I'm visiting. I don't want to do that, and when I'm on vacation it's not even possible. Also, most internet cafes only allow HTTP and HTTPS traffic, so any other port is not an option in that case.
I asked around and someone suggested using an HTTPS (SSL) based VPN, which basically works by tunneling over SSL instead of SSH.
So I did some googling and only found OpenVPN-ALS (aka Adito), which sounds good. I installed it, tried it and never got it to work very well under Linux (I probably did something wrong; going to look into that anyway). I also noticed that this tool seems pretty 'dead' in terms of releases and commits to their SourceForge SVN.
My question is: is OpenVPN-ALS (aka Adito) the way to go? Or is there a better solution for my requirements (that I can run for free for a single user (= me)) that I can run under CentOS 5 (32-bit) or Windows XP (32-bit)? Perhaps there is a "fully functional single user" version of a commercial product I can use?
Thanks,
Niels Basjes
If you install an SSH client on an internet cafe computer and log in, you're in trouble! The system owner can simply log your keystrokes when you type in your password. This is possible regardless of your access mechanism: SSH, HTTPS, passwords, key files... if you are not at a computer that you own, do not log into your sensitive systems.
For occasional light use, I recommend GotoSSH. They have a lifetime subscription option which is a low one-time fee, and it uses a web interface between you and their system. They use SSH between their system and your server, of course. Bear in mind that this system can be slow sometimes (especially over a satellite link!), but it is easily used from other computers with no setup. For security, you can choose to only accept incoming SSH from their server IP. (It's on their website.) Hope this helps!
I would suggest going back to SSH and using port knocking as one option to consider.
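The mechanism behind port knocking, as an added simulation that is not part of this answer and not the code of knockd or any other knock daemon: the firewall keeps TCP/22 closed, the daemon watches for connection attempts to a secret ordered list of closed ports, and only a source that hits them in order within a short timeout gets TCP/22 opened for itself for a limited grace period. Wrong order or a slow knock resets the sequence. The knock ports, timeouts, addresses and packet events are all assumed or constructed values, and the code does not touch iptables; it only returns the decision a real daemon would act on.

```python
"""Server-side port-knocking logic, simulated over constructed packet events.

Each observed connection attempt is a (timestamp, source IP, destination port)
triple, i.e. what a knock daemon sees in the firewall log or via pcap.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src_ip dst_port")


class KnockServer:
    def __init__(self, sequence, step_timeout=5.0, open_for=30.0, ssh_port=22):
        self.sequence = list(sequence)    # secret ordered knock ports (assumed values)
        self.step_timeout = step_timeout  # max seconds allowed between successive knocks
        self.open_for = open_for          # seconds TCP/22 stays open after a full knock
        self.ssh_port = ssh_port
        self._progress = {}               # src_ip -> (index of next expected port, last knock ts)
        self._opened = {}                 # src_ip -> time at which its SSH window expires

    def observe(self, pkt):
        """Feed one connection attempt and return the decision:
        'allow'  - SSH packet from a source whose knock window is open
        'drop'   - SSH packet from a source that has not knocked (or whose window expired)
        'open'   - this knock completed the sequence; SSH is now open for the source
        'knock'  - partial progress (or a reset) on the sequence
        'ignore' - port not part of the scheme; the firewall drops it anyway
        """
        self._expire(pkt.ts)
        if pkt.dst_port == self.ssh_port:
            return "allow" if pkt.src_ip in self._opened else "drop"
        if pkt.dst_port not in self.sequence:
            return "ignore"
        idx, last_ts = self._progress.get(pkt.src_ip, (0, pkt.ts))
        if pkt.ts - last_ts > self.step_timeout:
            idx = 0  # took too long between knocks: start over
        if pkt.dst_port != self.sequence[idx]:
            # Wrong port for this stage: reset, but a hit on the first port counts as a fresh start.
            idx = 1 if pkt.dst_port == self.sequence[0] else 0
        else:
            idx += 1
        if idx == len(self.sequence):
            self._progress.pop(pkt.src_ip, None)
            self._opened[pkt.src_ip] = pkt.ts + self.open_for
            return "open"
        self._progress[pkt.src_ip] = (idx, pkt.ts)
        return "knock"

    def _expire(self, now):
        """Close SSH again for sources whose grace period has passed."""
        for ip, until in list(self._opened.items()):
            if now > until:
                del self._opened[ip]

    def open_sources(self):
        return sorted(self._opened)


# Constructed events: 203.0.113.5 hits the ports in the wrong order and never gets in;
# 198.51.100.7 knocks correctly, connects, and is shut out again once the window expires.
SEQUENCE = (7000, 9000, 8000)  # assumed secret sequence
SAMPLE_EVENTS = [
    Packet(10.0, "203.0.113.5", 22),
    Packet(11.0, "203.0.113.5", 7000),
    Packet(12.0, "203.0.113.5", 8000),
    Packet(13.0, "203.0.113.5", 9000),
    Packet(14.0, "203.0.113.5", 22),
    Packet(20.0, "198.51.100.7", 7000),
    Packet(21.0, "198.51.100.7", 9000),
    Packet(22.0, "198.51.100.7", 8000),
    Packet(23.0, "198.51.100.7", 22),
    Packet(60.0, "198.51.100.7", 22),
]


def run_sample(events=SAMPLE_EVENTS, sequence=SEQUENCE):
    """Replay the events through one KnockServer and return the list of decisions."""
    srv = KnockServer(sequence)
    return [srv.observe(p) for p in events]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={pkt.ts:5.1f} {pkt.src_ip:>14} -> {pkt.dst_port:<5} {decision}")
```

Two design points worth keeping when using a real knock daemon: the sequence is deliberately not ascending (7000, 9000, 8000), so an ordinary sequential port sweep does not complete it by accident, and the opened window is per source address and short-lived, so a completed knock never leaves port 22 open to everyone. Knocking only hides the SSH service from casual dictionary attacks; the authentication behind it (keys rather than passwords) still has to be strong.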