6
Secure VPN for IPMI Access
Idea shared by David Cox - May 14, 2014 at 2:50 PM
Completed
I would like to see more hosts adopt the practice of providing a VPN bridge to a private subnet for IPMI interfaces to sit on.

6 Replies

0
Radic D. Replied
May 14, 2014 at 3:01 PM
Employee Post
David,
 
Thanks for the proposition, this is something that we are planning to accomplish in 2014. 
 
Thank you.
1
Radic D. Replied
June 26, 2014 at 12:57 AM
Employee Post
David,
 
This project is currently in progress. We have completed testing and the move of a single cabinet IPMI behind a VPN. The rest of the IPMI will be migrated over in the upcoming weeks. You will immediately see the change in your dedicated panel once your IPMI has been migrated over behind the VPN. 
0
Aaron Hawker Replied
June 30, 2014 at 9:57 PM
Looks like I'm one of the affected people and am having no end of troubles connecting to the VPN, although I can ping the VPN IP.
 
On a Mac it attempts to connect then fails. On Windows it attempts to connect then spits an error 800 VPN Server unreachable.
 
I've turned off all firewalls and put the machine in a DMZ to be sure... I've also tried multiple machines and multiple internet connections.  Either I'm doing something wrong completely or something isn't working?
 
Geo blocking?  IP Restrictions?  Encryption type?
 
Is it possible to have a step by step walkthrough of the setup process or am I able to call someone to step through the setup process?
1
Radic D. Replied
July 3, 2014 at 8:30 PM
Employee Post
About 50% of our servers have been moved behind the KVM. We anticipate the completion of this project to be next week (by July 12th). 
0
Aaron Hawker Replied
July 4, 2014 at 3:45 AM
Is there any way to reboot a dedicated server without using IPMI?
 
Access to a machine that allows VPN (especially if I'm at a worksite that doesn't allow that level of access) isn't always as simple as it might seem.
0
sietecFAST sysAdmin Replied
July 15 at 6:22 PM
Is there any update on this, or has the idea been canned? With the last reply being over 4 years ago, I'm assuming it's dead...but I'd love to hear it's not! The 24-hour switch on the KVM is very, very annoying and, if there were VPN access (or even if the clients could create their own ASA/OpenSWAN/PPTP/L2TP/etc. VPN), we have no private network to connect to. I did notice the KVMs are in RFC1918 space, but apparently behind a load balancer/NGINX/etc.
 
Also, why is there a 24-hour time limit when it is only accessible from a SINGLE IP address anyway? That is super limiting and the portal defaults to trying to grant access to IPv6 if we're connected to the portal v6 address, but the IPMI doesn't support IPv6. Thus, each time, we have to enter in the IPv4 address manually and enable it.
 
Thanks.
