Accessing hundreds of servers behind firewalls

Question

I'm currently have hundreds of debian servers around the country and to manage/support each of them I have to open SSH, HTTP & HTTPS ports on the routers. I'm looking for a solution where the servers connect to my office server and I can connect them back.

Obviously VPN is one way to go, but since the are too many servers I was looking for an alternative. In OpenVPN performance: how many concurrent clients are possible? it is mentioned a nodejs connection management solution, but I couldn't find anything on the net.

My requirements are:

Easy configuration
Good relative security
Reliable (to reconnect if the connection drops etc.)

What routers are you referring to? – devicenull Sep 16 '13 at 23:24 — devicenull, Sep 16 '13 at 23:24
You could look at commercial managed-service tools. – mfinni Sep 16 '13 at 23:40 — mfinni, Sep 16 '13 at 23:40

score 0 · Answer 1 · answered Sep 16 '13 at 23:18

If your office server has a static IP, then using port forwardings and firewall rules on the routers is probably the way to go. Set up port forwardings on each router, but only allow your office IP (range) to connect.

I'm looking for a solution where the servers connect to my office server and I can connect them back.

Check.

to be easily configured

Well, not really because you have to configure every router, but maybe there are ways to automate that?

On the other hand, getting VPN to reliably work in this situation might be more work than just configuring the routers.

to be secure

Without VPN it's of course not encrypted by default, but when you're using SSH and HTTPS that shouldn't be a problem. I'd consider the firewall rules to count as secure.

to be reliable (to reconnect if the connection drops etc.)

Check.

I'm already doing what you are proposing and it is too much work. Besides, those cheep routers reset themselves all the time, so this is not an option. I'm looking for a solution where the servers connect to my office server and I can connect to them. — Lukav, Sep 17 '13 at 08:09

score 0 · Accepted Answer · edited Apr 13 '17 at 12:14

Your best solution is a VPN as you've already surmised.

This requires a little more management than what you're currently doing: You will need to set up either a VPN client on the managed machines, or more realistically a VPN tunnel between the remote network and some central management hub that you administer.
If your clients have static IP addresses you can also VPN in to their networks from your management site.

Any decent VPN solution (OpenVPN, Cisco VPN concentrators, VPN tunnels from a PFSense firewall) can meet all of your requirements (They are "easy" to configure if you know what you're doing ; Any solution worth using supports some kind of security ; All can be configured to recover from connection drops).

In your particular case I would recommend eliminating "those cheap routers" and deploying a proper managed router with VPN support (PFSense, a NetScreen, any Cisco router with VPN capability).

You will be doing more work initially (configuring the routers, learning how to manage them), but the payoff after 3-6 months will be substantial: you'll be offering a new service that you can charge for (money is good), and you'll have better management capabilities for the existing work you do.

(If you clients already manage their own firewalls and have decent equipment you can also work with them to establish the tunnels or grant you VPN access, but it sounds like your clients are not at that level of capability...)

Accessing hundreds of servers behind firewalls

2 Answers2