0

I have SBCs with Debian. These SBCs will send data to server (using e.g. REST), but I want to secure the connection using some VPN/tunnel and I want also to be able to remote access the SBCs for maintenance.

Now I want to set some VPN Server, which doesn't require client-specific settings (on the server side nor on the client side). I will have an complete Debian image for these SBC (which will be simply loaded using bootloader) so it will be same on each SBC. Also I don't want that anyone has to edit some setting on the server side, when new SBC is produced and connected.
Each SBC has unique hostname (from serial number).

Is there any option to achieve this? What I searched:

OpenVPN
It should be possible to achieve it. Only disadvantage is, that OVPN use CN in client certificate to identify them. So all clients will look the same on the VPN server.

SoftEth VPN
Each client need unique username.

Wireguard
Clients (peers) must be specified on server side.

SSH
I must specify port for each client.

Daniel
  • 1
  • 1

1 Answers1

1

Client has to have a specific identification setting for the VPN to be secure. For that, each client has to have its own, unique secret. In WireGuard that's its private key; in OpenVPN that's private key of the client certificate and so on.

If you fail to make it this way, all clients will have to use the same secret, and a compromise of any client immediately means a compromise of a whole VPN; to fix, it will require update of every deployed client, and a server.

So, what you ask is unreasonable.

Instead of refusing any per-client setting, automate those settings. You can make script that generates keys and CSRs, then sends it to the CA to sign, obtains certs and installs it; this script can run on your SBC the first startup and then disable itself after successful finish. Or, for WireGuard, the similar script is possible.

Remember, Ansible is your friend.

Nikita Kipriyanov
  • 10,947
  • 2
  • 24
  • 45