I'm working on a software appliance based on the Linux platform. I want to have a secure way of reaching every installed appliance over the Internet for remote debugging and support. In order to traverse NAT and to be able to simply connect to the appliance, I was thinking about OpenVPN as a solution. The problem is that I can't ship a single certificate with the appliance image and have everyone connect with it, since OpenVPN will not allow more than one session per certificate.
Another issue is isolation between the VPN clients, so that one client won't be able to connect to the other. How can that be achieved? Thanks
Are you certain you really want the appliance to open up for you unconditionally? Shouldn't that be some easily accessible function during first boot? When the user/customer wants to have the support channel, the certificate could be emailed, encrypted with your public key (so only your secret key can decrypt it and save it to the VPN server).
At your end it should be easy to match these emails and process them automatically.
Try Miredo to give every appliance a globally routable IPv6 number. Add a dynamic DNS, or your own registration database, and you're good to go.
But on second thought, it might be easier to just generate the client certificates for OpenVPN on first run.
You can generate the OpenVPN client certs when building the image if the server is configured with --duplicate-cn. Then you have networking to the appliances and can get a new certificate signed with a real CA or whatever you want to do... it's probably not a great idea to keep running with a defaulted certificate on every appliance.
The Miredo idea is orthogonal... that may very likely help you get connected in the first place, since Miredo can get through many NATs that OpenVPN can't.
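An OpenVPN server configuration that puts the two points of this thread together (the --duplicate-cn bootstrap from the last reply, and the client isolation the question asks about), as an added example that is not from any of the replies; the paths, the 10.8.0.0/16 pool and the "appliance-<serial>" naming are assumptions.

```conf
# /etc/openvpn/server.conf (added example; all paths and names are assumed)
port 1194
proto udp
dev tun
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
# HMAC on the control channel: packets without the pre-shared key are dropped
# before any TLS work, so the server is not exposed to every scanner on the Internet.
tls-auth /etc/openvpn/pki/ta.key 0
server 10.8.0.0 255.255.0.0

# Bootstrap phase only: every image ships the same "appliance-default" certificate,
# so the server must accept concurrent sessions with the same Common Name.
# Delete this line once every appliance has its own certificate (see below).
duplicate-cn

# Per-appliance settings keyed by certificate CN (assumed naming: appliance-<serial>).
# With ccd-exclusive a client whose CN has no file in this directory is refused, so
# removing /etc/openvpn/ccd/appliance-default ends the shared bootstrap cert's access
# without touching the CA.
client-config-dir /etc/openvpn/ccd
ccd-exclusive

# Isolation: "client-to-client" is deliberately NOT set. Without it OpenVPN does not
# switch packets between clients internally, but they still reach the kernel, so the
# host firewall must also refuse to forward tun0 -> tun0, e.g. (run on the server):
#   iptables -I FORWARD -i tun0 -o tun0 -j DROP
# Support staff reach appliances from the server host itself (INPUT/OUTPUT), not via FORWARD.

# Certificates of lost or decommissioned appliances are refused at the TLS handshake.
crl-verify /etc/openvpn/pki/crl.pem

# Do not hand out routes to the VPN subnet or push redirect-gateway: appliances only
# need a route to the support host, not to each other.
push "route 10.8.0.1 255.255.255.255"
```

Once a per-appliance certificate has been issued over the bootstrap tunnel, its ccd file is created, the appliance reconnects with the new identity, and the shared certificate's ccd file (and finally the duplicate-cn line) can be removed.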