
I am looking for a PCI or PCI Express based network card with built-in VPN possibilities, or a network card which allows flashing its firmware with Vyatta, IPCop, RouterOS or any similar OS.

The idea is to allow remote support of a server system (access to its OOB interface and OS) even though the system's operating system is unable to boot correctly and set up the VPN connection by itself.

Maybe this little drawing helps to explain it: [drawing not reproduced]

Do you know if such cards exist? Do you have experience with such a setup?

grub
    Firstly, product, service, or learning material recommendations are off topic on Server Fault, as we make very clear when you sign up. Secondly, why on earth would anyone make such a thing? Just use iLO/DRAC; if you need a VPN, create it in the router. This model just doesn't make sense. – Chopper3 Apr 17 '15 at 11:33
  • I am very well aware of the fact that such a setup is not what should be done. Due to company restrictions we are not able to set up a "site to site" VPN, but for support reasons we still need to have access to the OOB if the operating system itself encounters an error. – grub Apr 17 '15 at 11:46
  • 1
    @grub I don't really understand how this could get around any company policy - it's a VPN, except you want to terminate it somewhere odd. Sounds to me like you need a jump box – Dan Apr 17 '15 at 11:48
  • @Dan The jump box goes into this direction. In the original design we had a second server which we used for support, monitoring, etc and of course as VPN termination. Now we need to bring everything running on one single box and the OOB support on OS failure is the last piece missing. – grub Apr 17 '15 at 11:56
  • 1
    @grub Sorry, but that's a non-existent and impossible model. You need to terminate your VPN elsewhere - on a router or whatever. – Dan Apr 17 '15 at 11:59

3 Answers


If I understand this correctly, you want to access the OOB management interface on a server from a remote location. Is that correct?

I do this at a lot of clients' sites, and I generally set up a VPN to their network router and then connect to the OOB management via that VPN (either the production or the management VLAN, depending on their setup). If the server OS is down, I can still get access.

On one occasion, I had a client where their OOB interface was NATed to a public IP address, and so could be accessed directly from anywhere, subject to firewall rules. Not the ideal setup, but it was what they wanted.

Hope that helps. If I've misunderstood, please clarify.

ChadH360
  • This is correct. Unfortunately, establishing a VPN tunnel between our company network and the customer's network is not possible. Due to restrictions in company policy, the VPN tunnel must be established from the mentioned server to our network. As a consequence, the OOB interface won't be reachable if the OS running on the server encounters a problem. – grub Apr 17 '15 at 11:44
  • What about their router establishing the VPN tunnel to your network instead? Or does it have to be just that specific server? Alternatively, either tell them they need to address their company policies, or may suffer as a result! – ChadH360 Apr 18 '15 at 13:58

Your company restriction excluding terminating a VPN on a dedicated device is not necessarily our problem. Other comments and answers have given you the best practice and standard approaches to this solution.

It sounds like you have a political issue and aren't given the tools necessary to do your job. Are you sure you've made the right case and justification to the decision-makers involved?

The question is a bit of an X-Y problem, because you've started at a pretty extreme position and didn't give much detail on the environment or hardware (e.g. do you have multiple IP addresses available? Is there a firewall within your control? What type of server is this?).

Are you basically just looking for a secure IP KVM that can filter source addresses?

Try the Lantronix Spider and Power Unit (manual here)


ewwhite
  • I am unfortunately bound to customer wishes and therefore have not much other choice. In the meantime I was able to find a device which allows me to terminate the VPN directly on the network card itself. It's mainly about accessing the OOB interface of the server (IPMI, KVM, logs). – grub Apr 19 '15 at 14:53
  • @grub Do you wish to share the _details_ of your solution? – ewwhite Apr 19 '15 at 18:13
  • Still working on it, but close to a working solution. – grub May 28 '15 at 14:37

As far as I understand the background of your question, you have 3 options to accomplish what you want:

  1. Use an IPMI card that supports some kind of VPN. For example, some of the Dell RAC cards support OpenVPN or PPTP (which is not good, anyway).

  2. Use an IPMI card with a public IP (insecure and dangerous!).

  3. Use an IPMI card and connect it directly to some small router with VPN functionality, for example a Check Point 600 or whatever you'd like. Connect it with a crossover cable and nothing else (except some internet access, of course). It is like what you've initially asked for, not in one card but in two pieces, but this should not really be that much of a problem?

However, it is impossible to flash IPCop or anything else like that directly onto a network card.

And, last but not least, if the policy forbids the use of site-to-site VPN: you don't have to care, because what you want is client-to-site VPN ;)

Sebastian
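Option 3 above, worked out as configuration. This is an added example, not code from the thread or from any answerer: it assumes the small router is a Linux box running WireGuard and nftables, that the server's IPMI port is cabled only to that router, and that the router dials out to the support network (a client-to-site tunnel, as the last answer points out). All addresses, interface names, ports and key strings are constructed placeholders; the check at the end catches the one mistake that matters most in this layout, an AllowedIPs entry wider than the BMC's own /32.

```python
"""Client-to-site tunnel for out-of-band (IPMI/BMC) access via a small router.

Added example, not from the original thread. Layout assumed (option 3):
server IPMI port --crossover--> small Linux router (WireGuard + nftables)
--WAN--> Internet --> support network. The router initiates the tunnel.
All addresses, interface names, ports and keys below are placeholders.
"""
import ipaddress
import re
from textwrap import dedent

# Constructed placeholders; real keys come from `wg genkey` / `wg pubkey`.
ROUTER_PRIV = "<router-private-key>"
ROUTER_PUB = "<router-public-key>"
SUPPORT_PRIV = "<support-private-key>"
SUPPORT_PUB = "<support-public-key>"

# The BMC's address on the crossover link and the two tunnel-end addresses.
IPMI_HOST = "192.168.100.2"
TUNNEL_ROUTER = "10.99.0.2"
TUNNEL_SUPPORT = "10.99.0.1"


def build_wireguard_configs(ipmi_host, support_endpoint, listen_port=51820):
    """Return (router_conf, support_conf) for a client-to-site tunnel.

    Only the router has an Endpoint and PersistentKeepalive: it dials out and
    the support side merely listens, so no inbound connection to the customer
    site is ever needed. The support side's AllowedIPs names the BMC /32 and
    the router's tunnel address only, so the tunnel can carry nothing else.
    """
    bmc = ipaddress.ip_address(ipmi_host)
    router_conf = dedent(f"""\
        [Interface]
        PrivateKey = {ROUTER_PRIV}
        Address = {TUNNEL_ROUTER}/24

        [Peer]
        PublicKey = {SUPPORT_PUB}
        Endpoint = {support_endpoint}:{listen_port}
        # Engineers reach the BMC through the support host, which SNATs to
        # its tunnel address; widen this only if they must come in directly.
        AllowedIPs = {TUNNEL_SUPPORT}/32
        PersistentKeepalive = 25
        """)
    support_conf = dedent(f"""\
        [Interface]
        PrivateKey = {SUPPORT_PRIV}
        Address = {TUNNEL_SUPPORT}/24
        ListenPort = {listen_port}

        [Peer]
        PublicKey = {ROUTER_PUB}
        AllowedIPs = {TUNNEL_ROUTER}/32, {bmc}/32
        """)
    return router_conf, support_conf


def build_router_nft(ipmi_host, bmc_if="eth1",
                     bmc_ports=(("tcp", 443), ("udp", 623))):
    """nftables ruleset for the router: drop by default, forward only tunnel
    traffic to the BMC on the listed ports (web KVM on 443/tcp, IPMI on
    623/udp here; adjust for the vendor), and never forward anything between
    the WAN and the BMC link in either direction, so the BMC is unreachable
    from the Internet and cannot reach out to it."""
    bmc = ipaddress.ip_address(ipmi_host)
    lines = [
        "table inet oob {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state established,related accept",
        "        # nothing listens on the WAN: the router dials out, so tunnel",
        "        # replies arrive as part of an established UDP flow",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for proto, port in bmc_ports:
        lines.append(f"        iifname wg0 oifname {bmc_if} ip daddr {bmc} "
                     f"{proto} dport {port} accept")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


def tunnel_is_minimal(support_conf, ipmi_host):
    """True if every AllowedIPs entry on the support side is a single host and
    the BMC is among them. A /24 here would quietly route the customer's
    whole LAN into the support network instead of one management port."""
    bmc = ipaddress.ip_address(ipmi_host)
    m = re.search(r"^AllowedIPs\s*=\s*(.+)$", support_conf, re.M)
    if not m:
        return False
    nets = [ipaddress.ip_network(x.strip(), strict=True)
            for x in m.group(1).split(",")]
    return (all(n.prefixlen == n.max_prefixlen for n in nets)
            and any(bmc in n for n in nets))


if __name__ == "__main__":
    router, support = build_wireguard_configs(IPMI_HOST, "203.0.113.10")
    print(router, support, build_router_nft(IPMI_HOST), sep="\n")
    print("tunnel minimal:", tunnel_is_minimal(support, IPMI_HOST))
```

The point of the layout is that the BMC's only neighbour is the router, the router accepts nothing on the WAN, and the only path to the BMC is the tunnel the router itself opened towards the support network; a public IP on the BMC (option 2) gives up all three properties at once.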