[TriLUG] linode, VPN, SSH

Igor Partola igor at igorpartola.com
Wed Aug 27 17:23:00 EDT 2014


Tom,

I did not understand quite how complicated your previous setup was, so let
me voice my concerns. I do not have a good understanding of all the moving
pieces (especially the F5 VPN plugin), so I cannot provide all (most? any?)
of the answers.

0. A Linode box is just a virtual server. There is nothing particularly
special about it. It is "cloud computing" in that no person is involved in
starting up this virtual server: a script does it when you click a button
on their dashboard. There are many such virtual server providers, Linode is
just slightly older. I personally like Digital Ocean since they are
cheaper, but that makes no real difference here.

1. If I am reading what you are saying correctly, you want to install a
GUI on the Linode box. That seems to me to be a bad idea. Their boxes won't
be fast enough to run a GUI (well, the expensive ones will be but at those
prices you might as well just get a static IP from TWC or whoever). Also,
if that's what you end up doing, you don't need to connect from your
workstation to the Linode box via OpenVPN: just SSH to it.

2. The solution you could explore, though this is fraught with peril, is
running an OpenVPN connection from workstation to Linode, then running F5
VPN over that to $WORK. I don't know if layering VPN connections would work
like this, but it might since you say the F5 VPN is an in-browser SSL VPN.

3. Another alternative is to just set up an SSH SOCKS tunnel, such that the
F5 VPN from your workstation connects to $WORK through the Linode box.
Heck, theoretically you don't even need SSH since the F5 VPN will encrypt
all traffic end-to-end (laptop-to-$WORK).

4. Let's pause and think about how insane this situation is: we are talking
about wrapping an encrypted SSH connection into an SSL VPN connection,
which will then be wrapped into an OpenVPN connection? SECOORITY!

5. Seriously, try Digital Ocean, especially since you can use
https://www.tinfoilsecurity.com/vpn/new. Warning: set up a new account so
that you can be sure that Tin Foil Security doesn't steal your DO API key.
Use my referral code to get free $10-worth of services:
https://www.digitalocean.com/?refcode=e4c665418121
(that's 2 months of the cheapest virtual server). Note that DO bills by
the hour up to the monthly limit, so you can run some tests for under a
buck.

6. Never copy your private key onto a remote server. Personally, I feel
secure enough copying the same key between 2-3 different workstations I
use, but not to a server where someone else has root. Use ssh-agent for
that.

Hope that clears up more things than it confuses.

Igor
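The SOCKS tunnel from point 3 combined with the ssh-agent rule from point 6, written out as an added example (not part of Igor's post). The host name, user and port are placeholders you substitute; the private key stays in ssh-agent on the workstation and is never copied to the Linode box.

```shell
#!/bin/sh
# Added example, not from the original message. LINODE_HOST and SOCKS_PORT
# are placeholders; override them in the environment for a real run.

LINODE_HOST="${LINODE_HOST:-user@linode.example}"   # placeholder host
SOCKS_PORT="${SOCKS_PORT:-1080}"

# Build the ssh argument list for a SOCKS proxy bound to localhost only.
# -N: run no remote command, -D: dynamic (SOCKS) port forwarding,
# ExitOnForwardFailure: fail loudly instead of silently leaving no proxy.
socks_args() {
    printf '%s' "-N -D 127.0.0.1:$2 -o ExitOnForwardFailure=yes $1"
}

# Point 6: the key never leaves the workstation. Require that ssh-agent
# already holds an identity so no key file is ever referenced or copied.
agent_has_key() {
    ssh-add -l >/dev/null 2>&1
}

# Return 0 when a SOCKS5 request through the local port succeeds. socks5h
# makes curl resolve the name through the tunnel as well, so DNS lookups
# also leave via the Linode box rather than the local network.
tunnel_works() {
    curl -s --socks5-hostname "127.0.0.1:$1" -o /dev/null https://example.com
}

# Open the tunnel in the background (-f) and verify it actually works.
start_tunnel() {
    agent_has_key || { echo "no key in ssh-agent; run ssh-add first" >&2; return 1; }
    # shellcheck disable=SC2046
    ssh -f $(socks_args "$LINODE_HOST" "$SOCKS_PORT") || return 1
    tunnel_works "$SOCKS_PORT" && echo "SOCKS proxy up on 127.0.0.1:$SOCKS_PORT"
}

# Only act when invoked as: sh tunnel.sh start
if [ "${1:-}" = "start" ]; then
    start_tunnel
fi
```

Once the proxy is up, point the browser running the F5 client at SOCKS5 proxy 127.0.0.1:1080; its traffic to $WORK then exits from the Linode box's IP.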

