Scalable and simple VPN solution for embedded devices

0

I'm looking for some sort of VPN solution with the following requirements:

  • Server should be available for a Window Server 2008+
  • Client should be available for Debian Linux
  • Lightweight and scalable, easy to set up hundreds or thousands of clients (devices)
  • Should be possible to query the server for a list of active clients and their addresses

The purpose of the VPN is mainly to be able to maintain lots of embedded devices through SSH. The client devices are not used by people, they perform other dedicated tasks. It will also be used to push data to the clients when certain events occur.

Currently I'm using LogMeIn Hamachi which is working okay, but we are looking for an alternative since we want to be able to manage the server ourselves and run potentially thousands of clients/devices.

I have been looking into OpenVPN which could work, but it seems troublesome to set up certificates for each client. It also seems to be difficult to list active clients.

Does anybody know any good VPN solutions for this? Or different approaches?

Thanks

Theodor

Posted 2013-08-07T06:17:15.257

Reputation: 3

Answers

1

I would recommend OpenVPN too.

  • list of connected devices: enable the status log file in your config and you get a list of connected clients.

  • setting up certificates: the biggest problem is to get the certificates onto the corresponding devices, maybe the production process for your embedded devices has some place for it.

harry

Posted 2013-08-07T06:17:15.257

Reputation: 26

I would prefer if the client devices only needed a password to connect to the VPN since certificate generation makes it troublesome to add and remove devices quickly. It would also be nice if I could programmatically read the list of clients, rather than scanning files or connecting through telnet. But it may be that OpenVPN is the best option, I will look into it more, thanks. – Theodor – 2013-08-07T08:56:31.707

The status file is a comma-separated list and can be easily parsed with any programming language. Certificate revocation allows you to easily remove devices. – harry – 2013-08-07T09:26:47.013

Ok, after more searching I can't really find any better alternatives. I will go for OpenVPN and parse the status file. – Theodor – 2013-08-08T16:46:14.987

1

OpenVPN works fine for this. If you happen to be using Puppet for managing your embedded devices, then you can reuse the certificates that Puppet issues for your OpenVPN configuration.

Listing active clients on an OpenVPN server is pretty easy, just enable the management port, connect to it with telnet/netcat and request the list of active clients.

If you are using Puppet, then another alternative would be to skip the VPN and use MCollective or one of the similar tools.

Zoredache

Posted 2013-08-07T06:17:15.257

Reputation: 18 453

I haven't heard of Puppet, it looks interesting but I think it might be a bit overkill for us at this point. But thanks for the tip, I will look into it more. I'm looking for something very simple, just to be able to connect to the devices with SSH and check their status in case there are problems with our software which they are running. – Theodor – 2013-08-07T09:03:59.510
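Both answers above point at the same data: harry's comma-separated status file and Zoredache's management-port `status` command produce the same `status-version 2` format (a `HEADER` line naming the columns, one `CLIENT_LIST` row per connected device, then `END`). The following is an added example, not code from either answerer or from the OpenVPN project, showing how to read that format programmatically instead of eyeballing a file or typing into telnet. It assumes the server config contains `status-version 2` plus either `status /path/to/status.log` or `management 127.0.0.1 7505` with no management password; the hostnames, paths, port and the sample status text are constructed for illustration. Because the set of columns differs between OpenVPN releases, the parser maps fields by the `HEADER` line rather than by fixed position.

```python
"""Read OpenVPN status-version 2 output (status file or management 'status 2')
and return the connected devices with their VPN addresses for SSH maintenance.
Added example; names, paths, ports and sample data are assumptions."""
import csv
import re
import socket
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of status-version 2 output (column set as in OpenVPN 2.3).
SAMPLE_STATUS = """\
TITLE,OpenVPN 2.3.2 (constructed sample)
TIME,Wed Aug  7 09:26:47 2013,1375867607
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
CLIENT_LIST,device-0001,192.0.2.10:49152,10.8.0.6,10240,20480,Wed Aug  7 08:00:00 2013,1375862400,UNDEF
CLIENT_LIST,device-0002,192.0.2.11:49153,10.8.0.10,512,1024,Wed Aug  7 09:00:00 2013,1375866000,UNDEF
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,device-0001,192.0.2.10:49152,Wed Aug  7 09:26:40 2013,1375867600
ROUTING_TABLE,10.8.0.10,device-0002,192.0.2.11:49153,Wed Aug  7 09:26:45 2013,1375867605
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""


@dataclass
class Client:
    common_name: str        # the certificate CN, i.e. the device identity
    real_address: str       # public IP:port the device connected from
    virtual_address: str    # tunnel IP you would SSH to
    connected_since: str
    bytes_received: int
    bytes_sent: int


def parse_status(text: str) -> List[Client]:
    """Parse status-version 2 text; columns are taken from the HEADER line,
    so the parser survives column additions between OpenVPN versions."""
    columns: Dict[str, List[str]] = {}
    clients: List[Client] = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        kind = row[0]
        if kind == "HEADER" and len(row) > 2:
            columns[row[1]] = row[2:]          # e.g. columns["CLIENT_LIST"]
        elif kind == "CLIENT_LIST":
            names = columns.get("CLIENT_LIST")
            if names is None:
                raise ValueError("CLIENT_LIST before HEADER: is 'status-version 2' set?")
            fields = dict(zip(names, row[1:]))
            clients.append(Client(
                common_name=fields["Common Name"],
                real_address=fields["Real Address"],
                virtual_address=fields.get("Virtual Address", ""),
                connected_since=fields.get("Connected Since", ""),
                bytes_received=int(fields.get("Bytes Received", "0") or 0),
                bytes_sent=int(fields.get("Bytes Sent", "0") or 0),
            ))
        elif kind == "END":
            break
    return clients


def clients_by_name(clients: List[Client]) -> Dict[str, str]:
    """Map device CN -> tunnel address, the lookup table an SSH tool needs."""
    return {c.common_name: c.virtual_address for c in clients}


def load_status_file(path: str) -> List[Client]:
    """Read the file written by the 'status <path>' directive (harry's approach)."""
    with open(path, encoding="utf-8") as fh:
        return parse_status(fh.read())


def query_management(host: str = "127.0.0.1", port: int = 7505, timeout: float = 5.0) -> str:
    """Ask the management interface for 'status 2' (Zoredache's approach).
    Assumes 'management 127.0.0.1 7505' in the server config; keep the
    interface bound to localhost, since it can also kill and reconfigure clients."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = b""
        while b"\n" not in greeting:             # wait for the '>INFO:' banner
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("management interface closed before greeting")
            greeting += chunk
        sock.sendall(b"status 2\n")
        out = b""
        while not re.search(rb"(^|\n)END\r?\n", out):   # reply ends with an END line
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("management interface closed mid-reply")
            out += chunk
        sock.sendall(b"quit\n")
    return out.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in load_status_file(...) or
    # parse_status(query_management()) against a real server.
    for name, addr in clients_by_name(parse_status(SAMPLE_STATUS)).items():
        print(f"{name}\t{addr}")
```

For a fleet of thousands of devices the status file is the cheaper source (OpenVPN rewrites it on the interval set by `status`, and reading it costs the daemon nothing), while the management interface gives a live answer on demand; both feed the same `parse_status`.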