I have a server sitting in a data center. It's running Linux. WAN interface on eth0 connected to the public Internet; LAN interface on eth1 connected to the data center's network on 10.0.0.0.
The machine is running a group of services on ports n, p and q; and a group of services on ports r, s and t.
It's firewalled on the WAN interface so nothing is open to the public internet.
I want users to be able to connect to the machine with OpenVPN (or whatever; I don't care what, as long as it's encrypted and secure). The users should then be able to connect to the services on ports n, p and q, but NOT to the services on ports r, s and t or to the 10.0.0.0 network.
I also need to track bandwidth consumption by user. It would be a big bonus if I could cap each user per unit time (e.g. 1GB/week, 10GB/mo) and/or limit their sustained transfer rate (e.g. 100KB/sec); allowing them to burst faster would be really great, too.
I'm a total OpenVPN noob. I'm not even sure it's right for the task, though somebody suggested it. It's clear that using ssh wouldn't be a great solution, since it'd depend on a bunch of restrictions in the authorized_keys file and bandwidth monitoring/capping would be difficult.
I welcome any suggestions.
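Added example, not part of the question above or of any answer to it: a POSIX shell script that emits (rather than applies) the iptables, tc and OpenVPN client-config lines for the setup the question describes, with the VPN clients restricted to a whitelist of local TCP ports, blocked from everything else on the host and from being routed to the 10.0.0.0 LAN, and metered, capped and shaped per client. The interface names tun0/eth0/eth1, OpenVPN on UDP 1194, the 10.8.0.0/24 tunnel subnet, the ccd path, and the sample ports, users, IPs and limits are all assumptions standing in for the question's n, p, q and unnamed users.

```sh
#!/bin/sh
# Added example (not from the original post). Prints the commands; review them,
# then apply as root with:  sh thisfile.sh | sh
# All interface names, ports, IPs and paths below are assumptions.

# gen_firewall_rules <vpn_if> <wan_if> <vpn_udp_port> "<allowed tcp ports>"
gen_firewall_rules() {
    vpn_if=$1; wan_if=$2; vpn_port=$3; allowed=$4
    # The only hole in the WAN firewall is the OpenVPN listener itself.
    printf 'iptables -A INPUT -i %s -p udp --dport %s -j ACCEPT\n' "$wan_if" "$vpn_port"
    # Per-client accounting chain is hooked in first, in both directions,
    # so every tunnel byte is counted before any filtering decision.
    printf 'iptables -N VPN_ACCT\n'
    printf 'iptables -A INPUT -i %s -j VPN_ACCT\n' "$vpn_if"
    printf 'iptables -A OUTPUT -o %s -j VPN_ACCT\n' "$vpn_if"
    # Service filter: replies, then the whitelisted ports (n, p, q), then DROP
    # everything else arriving over the tunnel (r, s, t included). Add a
    # "-p udp" copy of the ACCEPT line if any allowed service is UDP.
    printf 'iptables -N VPN_IN\n'
    printf 'iptables -A INPUT -i %s -j VPN_IN\n' "$vpn_if"
    printf 'iptables -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for p in $allowed; do
        printf 'iptables -A VPN_IN -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    printf 'iptables -A VPN_IN -j DROP\n'
    # Nothing from the tunnel is ever routed onward, which covers the
    # 10.0.0.0 LAN on eth1; also do not push LAN routes to clients.
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$vpn_if"
}

# gen_shaper_root <vpn_if> <link_rate>: HTB root with one parent class that
# per-client classes borrow from, and a default leaf for unmetered clients.
gen_shaper_root() {
    printf 'tc qdisc add dev %s root handle 1: htb default 2\n' "$1"
    printf 'tc class add dev %s parent 1: classid 1:1 htb rate %s\n' "$1" "$2"
    printf 'tc class add dev %s parent 1:1 classid 1:2 htb rate 1mbit ceil %s\n' "$1" "$2"
}

# gen_client_limits <vpn_if> <name> <client_ip> <classid> <rate> <ceil> <quota_bytes>
# One chain per client counts both directions against a single quota. When the
# quota is used up the match stops matching and the chain falls through to
# DROP, so the cap enforces itself. Read usage with `iptables -L ACCT_<name> -nvx`.
# To start a new week/month, re-insert rule 1 with the same --quota
# (iptables -R ACCT_<name> 1 ...); -Z only zeroes the display counters.
gen_client_limits() {
    vpn_if=$1; name=$2; ip=$3; cls=$4; rate=$5; ceil=$6; quota=$7
    printf 'iptables -N ACCT_%s\n' "$name"
    printf 'iptables -A VPN_ACCT -s %s -j ACCT_%s\n' "$ip" "$name"
    printf 'iptables -A VPN_ACCT -d %s -j ACCT_%s\n' "$ip" "$name"
    printf 'iptables -A ACCT_%s -m quota --quota %s -j RETURN\n' "$name" "$quota"
    printf 'iptables -A ACCT_%s -j DROP\n' "$name"
    # HTB on tun0 egress shapes the server-to-client direction. "rate" is the
    # sustained guarantee, "ceil" the burst allowed while the parent class has
    # spare capacity. Client-to-server shaping needs ingress policing or an
    # IFB device and is not shown here.
    printf 'tc class add dev %s parent 1:1 classid 1:%s htb rate %s ceil %s\n' "$vpn_if" "$cls" "$rate" "$ceil"
    printf 'tc filter add dev %s protocol ip parent 1:0 prio 1 u32 match ip dst %s/32 flowid 1:%s\n' "$vpn_if" "$ip" "$cls"
}

# gen_ccd_entry <client_cn> <client_ip> <netmask>: pins a user (by certificate
# CN) to the tunnel IP the rules above key on. server.conf needs
# "topology subnet" and "client-config-dir /etc/openvpn/ccd" (path assumed).
gen_ccd_entry() {
    printf "echo 'ifconfig-push %s %s' > /etc/openvpn/ccd/%s\n" "$2" "$3" "$1"
}

# Constructed sample: services on 8080 and 8443 are reachable, two users,
# each 100KB/s (800kbit) sustained with bursts to 4mbit; 1GB and 10GB caps.
gen_firewall_rules tun0 eth0 1194 "8080 8443"
gen_shaper_root tun0 100mbit
gen_ccd_entry alice 10.8.0.2 255.255.255.0
gen_ccd_entry bob 10.8.0.3 255.255.255.0
gen_client_limits tun0 alice 10.8.0.2 10 800kbit 4mbit 1073741824
gen_client_limits tun0 bob 10.8.0.3 11 800kbit 4mbit 10737418240
```

Because each user gets a fixed tunnel IP through the ccd file, the iptables counters and tc classes are effectively per user rather than per session. OpenVPN's own `status` file (the `status /path` directive in server.conf) also reports bytes sent and received per connected client and is a simpler source for pure reporting; the iptables chains above are what you need if the cap has to be enforced rather than just observed.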