We have a number of CentOS/RHEL5 servers in a datacenter, which are secured with a border firewall (basically, only http/https and ssh are allowed). Sometimes I (as systems administrator) and selected developers are required to connect to some local services.
Currently we are doing this by ssh proxying or by mapping some external ip:ports to internal ones (for protocols which support encryption). But it's not always convenient to use ssh and I'd like to remove all custom firewall rules (for security reasons). So I need to use some VPN solution. OpenVPN seems to be fine and I think I'll stick with it. But I'm wondering if there are some (maybe better?) alternatives. Requirements are:
- Allow simultaneous connections for 2-5 users.
- Users should have separate accounts (username/password and/or cert)
- Total number of users: I believe not more than 10
- It should work perfectly under Windows XP/Vista/7 and any Linux
- Server should work perfectly on one of our CentOS servers
- I need to have ability to remove user account/invalidate cert
- It should be opensource or at least free
- (optional) user should have ability to re-issue cert and/or change password without my attention.
OpenVPN is a very flexible VPN solution that has sufficed our needs very well. I'd say go with it.
OpenVPN works great for this situation. You just generate a cert for each user (with the provided shell scripts). You can either do PEM certs that don't need a password to connect, or require a password.
If it is just 10 people, then a RADIUS server is way overblown.
Any modern machine would suffice.
EDIT: not 100% sure how they could change their password on their own.
The best way for you is a solution with a RADIUS server with some web interface for cert generation, password recovery, password change, and add/delete users. And the OpenVPN server can use external RADIUS server verification.
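As an added example (not code from the thread, and not OpenVPN's own easy-rsa scripts), the per-user certificate workflow described in the answer above, driven by the plain openssl CLI: one client cert per user, a user removed by revoking their cert and regenerating the CRL, and a re-issue for the same username afterwards. It assumes only that the openssl binary is installed; the CA name, the users alice and bob, and the scratch directory in $CA_DIR are made up for the demonstration. On the server side, the regenerated crl.pem is the file an OpenVPN `crl-verify` directive points at, so a revoked user is refused at the next handshake without touching the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal private CA driven by the
# plain openssl CLI that issues one client cert per VPN user and revokes a user
# by publishing a CRL. Assumes the openssl binary is installed; every path
# lives under $CA_DIR (a scratch directory by default).
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Create the CA key/cert, an empty index and serial, and an initial (empty) CRL.
ca_init() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca        = vpn_ca

[ vpn_ca ]
dir               = $CA_DIR
database          = \$dir/index.txt
new_certs_dir     = \$dir/certs
certificate       = \$dir/ca.crt
private_key       = \$dir/private/ca.key
serial            = \$dir/serial
crlnumber         = \$dir/crlnumber
default_md        = sha256
default_days      = 365
default_crl_days  = 30
policy            = loose
x509_extensions   = v3_client
unique_subject    = no

[ loose ]
commonName        = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints  = critical, CA:TRUE
keyUsage          = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_client ]
basicConstraints  = CA:FALSE
extendedKeyUsage  = clientAuth
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -subj "/CN=vpn-ca" \
        -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    # An empty CRL so that crl_check verification works before any revocation.
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Issue a client key and certificate for one user (CN = username).
issue_user() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
        -config "$CA_DIR/openssl.cnf" \
        -keyout "$CA_DIR/private/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}

# Revoke one user's certificate and regenerate the CRL the server reads.
revoke_user() {
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# The same check the VPN server performs on a client cert: it must chain to
# the CA and must not be listed in the current CRL. Returns 0 if allowed.
user_allowed() {
    cat "$CA_DIR/ca.crt" "$CA_DIR/crl.pem" > "$CA_DIR/ca-bundle.pem"
    openssl verify -crl_check -CAfile "$CA_DIR/ca-bundle.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1
}

demo() {
    ca_init
    issue_user alice
    issue_user bob
    revoke_user bob
    user_allowed alice && echo "alice: allowed"
    user_allowed bob || echo "bob: rejected (revoked)"
    issue_user bob          # re-issue for the same username: new serial, new cert
    user_allowed bob && echo "bob: allowed again with the re-issued cert"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 sh vpn-ca.sh` to watch the three outcomes; setting `CA_DIR` keeps the CA in a fixed directory instead of a temporary one. `unique_subject = no` is what makes the re-issue for an existing username possible after revocation; the old certificate stays on the CRL, so only the newly signed one is accepted.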
This is not a good idea - you shouldn't be making ad-hoc changes to your firewall - it's too easy to make a mistake.
Why not?
Certainly a certificate-based solution is (IMHO) a lot easier to implement a distributed management framework with than ssh (there is a patch to use ssl certs with openssh).
That makes it a lot more difficult.
Just how many services are we talking about here? If it were me I'd probably just go for stunnel wrapping on the services you want to make available with your own CA and client certificate verification.