0

I will be going on a 100 day (global) tour where we will be generating 1TB of video data per day. To mitigate risk of data loss we plan to drop one copy of hard disks with local volunteers in each country en route, who will upload the data from their home connections back to our server.

We don't want to open up the server to the whole world, and would like to restrict access to just those IPs that are uploading data to us, but the volunteers will mostly have dynamic IP addresses. How do we do this?

We are making a small application that will manage the data transfers, so we can do some custom logic in that.

EDIT: I just found out about Dynamic DNS services (like noip.com). Would it be fair to assume that most people's home routers would support DDNS configuration? Our infra person says that thay can configure our firewall whitelist to be based on this instead of IPs). This sounds like a simple, secure solution. Any thoughts?

swami
  • 145
  • 4
  • The more common business solution: run a vpn server as the only public service on your server. An alternative is port knocking as an extra security feature https://en.m.wikipedia.org/wiki/Port_knocking – Bob Jan 25 '22 at 11:57
  • @Bob port knocking - that sounds like a great option... don't know if fortinet supports it though – swami Jan 25 '22 at 13:09
  • Regarding your edit: Many products that allow entering trusted sources by their FQDN rather than IP-address do a DNS lookup once, when the list with hostnames is loaded and then internally continue to use the resulting IP-address. That may have unexpected results when the trusted sources are DDNS records with frequently changing IP-addresses... `ddns.example.org` is listed as trusted, but effectively only the old ip-address is trusted and not the current on. – Bob Jan 25 '22 at 15:00

1 Answers1

1

As @Bob says, the best way is to run a VPN server and have them use that.

But, another slightly creative way to do it would be to use something like AWS Lambda & API Gateway. Set up a Lambda to take the HTTP callers IP, and write it to an SQS queue. Then have something on the server that consumes that queue and updates the firewall. Protect the Lambda with an API key in API Gateway. Give the volunteers a script/program to run on a USB stick, they run the program, it triggers the update, then waits a bit and logs them in to the server.

That's all quite involved though, so fine if you're happy getting deep into the tech on this, but if you want something simple just set up OpenVPN/Wireguard on your server on a random port!

shearn89
  • 3,143
  • 2
  • 14
  • 39
  • That's exactly what I was thinking! But then I thought there might be a simpler way. Going through a VPN will reduce the speed (we need absolute maximum throughput possible) - and the data will be pre-encrypted so no in-transit security issues. What about Dynamic DNS config? – swami Jan 25 '22 at 12:47
  • 1
    Dynamic DNS would work for talking TO the server - I use that to update a subdomain for my own network, as my home IP sometimes changes from my ISP. Not sure it'll work for the clients though. WireGuard should be faster than VPN, so could be a good option. – shearn89 Jan 25 '22 at 14:02