Advice for Creating a "Command and Control" Server?

RevennaFox

Member


Messages: 22

I have a problem that I think FreeBSD can solve for me. I have routers at various off-site locations that I need to be able to log into via SSH for monitoring, configuration, and maintenance. The problem is that none of the routers have static IP addresses, some of them are behind carrier NAT and firewalls, and some of the routers even have the same public IP address. I do have a FreeBSD server with a permanent public IP address and no ports blocked.
I'm thinking it would be easiest to create tunnels from the routers to the FreeBSD machine, but given the large number of options and the infinite configurations possible I felt it best to seek expert guidance first. The routers support EOIP, VPLS, OpenVPN, GRE, L2TP, PPP, and SSTP. As far as usage goes, the tunnels will be firewalled off from the users and carry only SSH management traffic. I'll be logging into the routers from the FreeBSD machine. I'd like to have a single interface/address on the FreeBSD machine and each router should have it's own IP address on the virtual network. I don't need layer 2 access.
What would you recommend and how would you recommend setting this up?
 

covacat

Daemon

Reaction score: 795
Messages: 1,454

i also have such a setup with openvpn
most of the clients are asus consumer routers with openvpn support
it works very well with some annoyances from the asus routers (they nat their lans thru the tunnel and i dont want that)
otherwise i find it easier to manage than ipsec
 
OP
RevennaFox

RevennaFox

Member


Messages: 22

I think I came up with a good working solution using OpenVPN. I was having issues connecting at first, but it turned out that I had the encryption set to the wrong value in the router, it uses Blowfish128 by default, instead of the AES256 OpenVPN was expecting. I also had a rough time with the certificates, but that's mostly because OpenSSL documentation gives me a headache. I found an excellent tutorial for setting up an OpenVPN server on FreeBSD and eventually worked through it.

Since I'm not really going to be routing any traffic from the clients, my implementation differs from the tutorial in a few ways. I didn't need to add anything for routing in rc.conf. This is the condensed config file I used.

Code:
# Local address
local 100.100.100.100

# TCP/UDP port
port 1194

# TCP or UDP server?
proto tcp

# Layer 3 tunnel
dev tun

ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key

# Diffie hellman parameters.
dh /usr/local/etc/openvpn/server/dh.pem

# Network topology
topology subnet

# Server mode and address range for subnet
server 10.64.0.0 255.255.0.0

# Maintain a record of client <-> virtual IP address
# associations in this file. 
ifconfig-pool-persist /root/ipp.txt

# Ping every 30 seconds and assume peer is disconnected if no response after 240 seconds
keepalive 30 240

# Cryptographic cipher
cipher AES-256-CBC

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 1000

# Reduced privileges
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Log file verbosity.
verb 3

If it's of any interest, the routers I'm using are running RouterOS, this is how I configured them
Code:
/certificate
import ca.crt password
import client.crt password
import client.key password
/interface ovpn-client
add certificate=ca.crt_0
add certificate=client.crt_0
set cipher=aes256
add name=ovpn-client1 connect-to=100.100.100.100 user=client
set disabled=no

Right now each client is getting an IP address from the server, none of the clients can talk to, or are aware of each other, the connection is routed instead of bridged so I'm not getting a bunch of unnecessary traffic, and most importantly I can log into the routers via SSH from the FreeBSD machine, all of which is pretty much ideal for my situation. Thank you very much.
 

sko

Aspiring Daemon

Reaction score: 551
Messages: 876

for monitoring, configuration, and maintenance
This sounds like the classic requirements for standard (agent-based) orchestration + monitorig tools.

For orchestration you can have a look at the usual suspects: ansible, chef, puppet - all can work in push or pull direction. Ansible works without an agent on the remote side, pull functionality is (was?) achieved via git + cronjobs. Chef and puppet are using an agent that runs on the target host. All support connection over SSH or with TLS.

For monitoring I can highly recommend zabbix - it's agent also works in both directions (active vs passive checks) and natively supports authentication and TLS encryption. Especially its discovery funktions makes it ideal if you have a lot of (mostly) identical targets to monitor. Just create a template and every agent that connects to the server runs (on first connect and periodically afterwards) through pre-configured discovery jobs to catch configuration changes.
 

covacat

Daemon

Reaction score: 795
Messages: 1,454

checkout easyrsa for future dealing with certificates. also make sure your crl wont expire to soon
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 13,964
Messages: 40,708

it's agent also works in both directions (active vs passive checks) and natively supports authentication and TLS encryption.
Also don't forget about Zabbix proxy, which is quite useful when monitoring a remote location.
 
Top