
I have a server sitting in a data center. It's running Linux. WAN interface on eth0 connected to the public Internet; LAN interface on eth1 connected to the data center's network on 10.0.0.0.

The machine is running a group of services on ports n, p and q; and a group of services on ports r, s and t.

It's firewalled on the WAN interface so nothing is open to the public internet.

I want users to be able to connect to the machine with OpenVPN (or whatever, don't care what as long as it's encrypted and secure). The users should be able to then connect to the services on ports n, p and q, but NOT to the services on ports r, s and t or the 10.0.0.0 network.

I also need to track bandwidth consumption by user. It would be a big bonus if I could cap the user per unit time (eg 1GB/week, 10GB/mo), and/or limit their sustained transfer rate (eg 100KB/sec); allowing them to burst faster would be really great, too.

I'm a total OpenVPN noob. I'm not even sure it's right for the task, though somebody suggested it. It's clear that using ssh wouldn't be a great solution, since it'd depend on a bunch of restrictions in the authorized_keys file and bandwidth monitoring/capping would be difficult.

I welcome any suggestions.

taiganaut

2 Answers


OpenVPN will get you basic connectivity from the client to the host. From there, it's just a matter of configuring iptables or your firewall of choice to allow traffic to the services and devices you want available. OpenVPN uses its own TAP/TUN interface and a separate network, so you should be able to create rules to lock down traffic to just about anything you want to.

You will need to use some other tools to get the bandwidth consumption. Maybe someone else can chime in on that.

Jim G.
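As an added example (not code from either answer), here is a script that prints the iptables and tc rules implementing what Jim G. describes: whitelist the wanted services on the VPN interface, drop everything else including the data-centre LAN, keep per-client byte counters for accounting, and shape server-to-client traffic with a sustained rate plus burst ceiling. It assumes tun0 as the OpenVPN interface, 10.8.0.0/24 as the VPN subnet, UDP 1194 for OpenVPN itself, ports 80/443/8080 standing in for n, p and q, and that each user is pinned to a fixed VPN address via OpenVPN's client-config-dir so the address identifies the user.

```shell
#!/bin/sh
# Assumed values (not from the question): VPN interface, VPN subnet, LAN range.
VPN_IF="tun0"
VPN_NET="10.8.0.0/24"
LAN_NET="10.0.0.0/8"

# gen_vpn_rules "80 443 8080": print the firewall rules for the VPN side.
# Allowed ports stand in for n, p, q; anything else (r, s, t) falls through to DROP.
gen_vpn_rules() {
    allowed="$1"
    # Only hole in the otherwise-closed WAN interface: the OpenVPN listener.
    echo "iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT"
    # Dedicated chain for traffic arriving from VPN clients.
    echo "iptables -N VPN_IN"
    echo "iptables -A INPUT -i $VPN_IF -s $VPN_NET -j VPN_IN"
    echo "iptables -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $allowed; do
        echo "iptables -A VPN_IN -p tcp --dport $p -j ACCEPT"
    done
    # Everything else a client sends to this host (ports r, s, t) is dropped.
    echo "iptables -A VPN_IN -j DROP"
    # Never route VPN clients into the data-centre LAN or anywhere else.
    echo "iptables -A FORWARD -i $VPN_IF -d $LAN_NET -j DROP"
    echo "iptables -A FORWARD -i $VPN_IF -j DROP"
}

# gen_user_accounting 10.8.0.2: per-client byte counters in a counting-only chain
# (no -j target, so the rule just counts). Read with: iptables -L ACCT -v -x -n
gen_user_accounting() {
    ip="$1"
    echo "iptables -A ACCT -i $VPN_IF -s $ip"   # bytes uploaded by this user
    echo "iptables -A ACCT -o $VPN_IF -d $ip"   # bytes downloaded by this user
}

# gen_shaping 800kbit 4mbit 20k: HTB on tun0 egress, i.e. server-to-client traffic.
# rate = sustained limit (100KB/s = 800kbit), ceil = how fast a burst may go.
# Client-to-server upload would need ingress policing, which is not shown here.
gen_shaping() {
    rate="$1"; ceil="$2"; burst="$3"
    echo "tc qdisc add dev $VPN_IF root handle 1: htb default 10"
    echo "tc class add dev $VPN_IF parent 1: classid 1:10 htb rate $rate ceil $ceil burst $burst"
}

# Usage: print the full rule set for review before applying it with root.
gen_vpn_rules "80 443 8080"
echo "iptables -N ACCT"
echo "iptables -I INPUT 1 -j ACCT"
echo "iptables -I OUTPUT 1 -j ACCT"
gen_user_accounting 10.8.0.2
gen_shaping 800kbit 4mbit 20k
```

Weekly or monthly caps (1GB/week) are then a cron job that reads the ACCT counters, stores them, and adds a per-address DROP rule once the total passes the quota.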

OpenVPN will not do - it can do the dial-in, not the rest.

You basically need a proper VPN endpoint that has all functionality. I would put up a server for that - with Mikrotik RouterOS, likely a Mikrotik 1xxx router, they are quite cheap and can do all that.

If you like doing it by hand, get Linux and get complex with iptables for firewalling (port limitation) and a LOT of other software for bandwidth control.

TomTom
  • I should mention it's a cloud host, so anything I do will need to be in software -- and given the cost structure, probably on the same box. Thanks for the information! – taiganaut Jun 25 '12 at 04:54
  • Well, RouterOS can also be purchased for Intel installation: Isn't it always funny how "Cloud computing" comes back as a bad solution for pretty much most non trivial cases? I am all for cloud computing, but I run a private cloud where I control the hardware. A LOT cheaper. – TomTom Jun 25 '12 at 04:56