
I have little knowledge of networking, so I need some basic advice.

In my business domain, the users are facility managers or system installers. There are not many users, and they can take some responsibility for security.

My devices are built on Raspberry Pi and are controlled through a web GUI. But it is only used when the device is installed, for a few hours, with no heavy traffic.

I think a VPN is enough to handle this, with the following network description.

  • One WireGuard VPN interface on AWS EC2 with a public IP.
  • All devices connect to the one WireGuard VPN interface.
  • All authenticated users connect to the one WireGuard VPN interface.
  • The admin restricts which devices each user can access with iptables.

Could anybody tell me whether this is totally bad, or suggest a good direction?

Edit 1: Expected specification

Mainly, I worry about security.

  • One user can access only the allowed devices.
  • Users cannot access the EC2 instance.
  • Users cannot access other devices.

Is it possible to configure that with one VPN and iptables?

Thanks,

hando han
  • I am a bit unsure what you want to achieve. A Raspberry Pi can certainly be used for a VPN (I am using a Raspberry Pi 4 myself and it has no problem delivering 350 Mbps throughput on my 500 Mbps Internet connection). – Lasse Michael Mølgaard Nov 01 '22 at 05:00
  • Sorry for being ambiguous; I worry about security. I want one user to be able to access only the allowed Raspberry Pi device, not the AWS EC2 instance or the other Raspberry Pis. I have little information about VPNs and iptables. – hando han Nov 01 '22 at 05:05
  • Normally I would say you could not make iptables rules based on who was logged in, but then I saw parameters like `-m owner --uid-owner` and figured it is possible to allow/deny traffic based on whoever is logged in. Though for simplicity I would create groups instead and create rules depending on which groups the user is assigned to. – Lasse Michael Mølgaard Nov 01 '22 at 05:34
  • I thought of using the VPN IP address that the user/device gets when connecting to the VPN, and having iptables allow or block packets between the user and the devices. Hard to say clearly, but I think a system that gathers the VPN IPs is possible. Am I missing something? – hando han Nov 01 '22 at 06:12
  • Ok. My confusion stems from which way the expected traffic should flow. Do you want to remotely access all the Raspberry Pis via VPN through the EC2 server and at the same time prevent any users on the individual Raspberry Pis from using the VPN connection to access the EC2 server? In that case the solution is simple. Use iptables on the EC2 server to allow outbound traffic to the VPN and related inbound traffic from the VPN only, and drop all other packets. You will need to add exceptions in iptables for any client which is allowed to connect to the server. – Lasse Michael Mølgaard Nov 01 '22 at 23:54
  • @LasseMichaelMølgaard Thanks for the kind help, despite my confusing question. I think your answer is right. – hando han Nov 02 '22 at 01:24
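The three requirements in Edit 1 (a user reaches only its allowed devices, nobody reaches the EC2 hub over the tunnel, peers cannot reach each other) can be met on one WireGuard hub with iptables alone. The script below is an added example, not code from the question or the comments: it generates the hub's ruleset in iptables-restore syntax from a small access list. The interface name, the 10.8.0.0/24 tunnel subnet, the admin peer address, the WireGuard port and the user/device pairs are all assumptions for illustration.

```shell
#!/bin/sh
# Hub-and-spoke WireGuard ACL on the EC2 hub (added example; addresses,
# interface name and the access list below are assumed, not from the post).
#
# Why source-IP rules are trustworthy here: on the hub, each peer's public key
# is bound to its /32 via AllowedIPs in wg0.conf (cryptokey routing), so a peer
# cannot emit packets with another peer's tunnel address. Clients must set
# AllowedIPs = 10.8.0.0/24 so user->device traffic is routed through the hub,
# and the hub needs net.ipv4.ip_forward=1.

WG_IF="wg0"          # assumed tunnel interface on the hub
WG_PORT="51820"      # assumed UDP listen port on the public interface
ADMIN_IP="10.8.0.2"  # assumed admin peer, the only one allowed to SSH to the hub

# Constructed access list: "<user tunnel IP> <device tunnel IP>" per line.
# Users live at 10.8.0.10+, devices at 10.8.0.100+ (assumed numbering).
ACL='
10.8.0.10 10.8.0.101
10.8.0.10 10.8.0.102
10.8.0.11 10.8.0.102
'

# Dry-run check of the policy file itself: exit 0 if src may open
# connections to dst, non-zero otherwise.
forward_allowed() {
    printf '%s\n' "$ACL" | grep -qx "$1 $2"
}

# Emit the ruleset in iptables-restore(8) syntax; nothing here touches the
# kernel. Apply on the hub with:  sh wg-acl.sh | iptables-restore
build_rules() {
    printf '%s\n' '*filter'
    # Default deny for traffic addressed to the hub itself (INPUT) and for
    # traffic relayed between peers (FORWARD); only the ACCEPTs below punch holes.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Return traffic for connections that were already allowed.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # The WireGuard listener receives on the public interface, not on wg0.
    printf '%s\n' "-A INPUT -p udp --dport $WG_PORT -j ACCEPT"
    # "Users cannot access EC2": only the admin peer may SSH to the hub through
    # the tunnel; every other packet arriving on wg0 for the hub hits INPUT DROP.
    # Public-side SSH is deliberately not opened here; use the EC2 security
    # group for that if you need it.
    printf '%s\n' "-A INPUT -i $WG_IF -s $ADMIN_IP -p tcp --dport 22 -j ACCEPT"
    # One hairpin ACCEPT (in wg0, out wg0) per allowed (user, device) pair.
    # With FORWARD DROP, a user reaches no other device, devices cannot reach
    # each other or any user, and devices cannot initiate connections to users.
    printf '%s\n' "$ACL" | while read -r user dev; do
        [ -n "$user" ] || continue
        printf '%s\n' "-A FORWARD -i $WG_IF -o $WG_IF -s $user/32 -d $dev/32 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

build_rules
```

Two practical caveats. First, `-m owner --uid-owner` only matches packets the hub itself generates (OUTPUT chain), never packets it forwards between peers, so for this design the peer's tunnel address is the identity and the WireGuard key binding is what makes that address meaningful. Second, the hub decrypts every tunnel session, so it sees all user-to-device traffic in the clear; keep the device web GUIs on HTTPS (or accept that EC2 compromise exposes every session) and keep the hub's own attack surface at the single UDP port plus admin SSH shown above.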

0 Answers