What is the recommended setup for IPMI over Internet?


Thomas H

Member
Dec 2, 2017
67
30
18
53
My current configuration looks like this:
  • System: Host---hypervisor---VMs (pfSense, etc.)
  • Network: Internet---modem---pfSense---LAN
I have upgraded the system to a Supermicro X10SLM+-LN4F with a dedicated IPMI. The system is a remotely managed system and I would like to use IPMI over the Internet when the system goes down. For this, I plan on using a low-power Netgate SG-1000 pfSense box and securing it with OpenVPN on the dedicated IPMI port. So now I have two networks:
  1. Dedicated IPMI: Internet---modem---(Netgate SG-1000) pfSense---IPMI
  2. Network: Internet #2???---modem---(VM) pfSense---LAN
Do I have to have two Internet services for this to work? Or is there another configuration that allows me to remotely manage with just one Internet connection for both?
 

PigLover

Moderator
Jan 26, 2011
3,186
1,545
113
Exposing IPMI directly over an internet connection: very, very dangerous.

Accessing it via a VPN protected tunnel behind a good firewall: not safe, but much less risky.

You should be able to use a single pfSense instance as your network access firewall and put the IPMI port onto a separate VLAN, then expose it to your remote site over OpenVPN.

I get more itchy about running the firewall on a VM. If you're going to have a physical pfSense instance anyway then just use it as your single Internet gateway device. Up to about 100mbps the SG-1000 should suffice.
 

Blinky 42

Active Member
Aug 6, 2015
615
232
43
48
PA, USA
You shouldn't need a 2nd internet connection, but a 2nd (ideally static) IP will be helpful so you can access the IPMI tunnel independently of everything else. I have used small/cheap EdgeRouter boxes before for that, in addition to eBay-sourced 1U (or smaller) servers.

Do NOT put the IPMI ports directly on the internet unless you want to invite hackers to take over your system for some reason.
 

Jon Massey

Active Member
Nov 11, 2015
339
82
28
37
I've used EdgeRouter Lites with OpenVPN clients running on them to secure connections to remote boxes with IPMI. So long as you're set up right with OpenVPN then it's plenty secure enough, IMHO.

 

Rhinox

Member
May 27, 2013
144
26
18
Exposing IPMI directly to the internet is definitely a bad idea (although most boards allow you to set up at least IP filtering). Using a VPN/firewall is highly recommended! I described my solution here; since then I've modified it a little (now I'm using a power splitter and the MikroTik has its own PSU)...
 

casperghst42

Member
Sep 14, 2015
116
22
18
55
1) Make sure that no one can get access to the network without a VPN client, and that they can only get access to unprivileged information (i.e. just access).

2) The only thing they should be able to get to is a terminal server or equivalent, for mail, etc.

3) From the terminal server they can start a VPN client which will allow them to access the admin network, which then allows them to contact the IPMI part of the server.

That is how some paranoid people do it, well, I left one thing out.

4) The only way to be allowed to start the VPN client is controlled with tools like CyberArk or NetIQ Privileged Account Manager ... but that is for the paranoid....

But in general the best way to do this is via a jump server which you can only access via VPN, and that server can't connect to the admin network without a VPN client ...
 
  • Like
Reactions: WeekendWarrior

BLinux

cat lover server enthusiast
Jul 7, 2016
2,672
1,081
113
artofserver.com
I think VPN is the way to go in general for access to the IPMI. There are many things you can do around that to make it harder for the bad guys to gain access: bastion hosts, port-knocking to open the VPN port, various network segmentation schemes, etc., etc. But to me, the most important thing to do is secure how you auth the VPN connection. If you're authing the VPN with a simple password, that is probably not good enough. If you're using certs + password, better. However, I would really recommend some sort of "real" MFA, not the "I'll email or text you a code" type of MFA; the latter is one of the dumbest ideas for security in my opinion. These days, it's not too hard to set up something to work with Google Authenticator, and that might be the first thing you try out. A long time ago, I had a "professional/lab" license for RSA SecurID and used their tokens, but that's rather a hassle. The other thing you can try is a challenge-response setup with a YubiKey.

Figure out how you're going to secure the VPN auth first, then take into account all the other suggestions above too.
 

azev

Well-Known Member
Jan 18, 2013
769
251
63
You want to use some kind of appliance for the VPN to ensure it will stay up even when the server is down. Most people need access to IPMI as a last resort when the system has crashed or something. I personally have used a very simple ACL on routers or switches to protect IPMI addresses in my colo and it seems to work fine.
 

ullbeking

Active Member
Jul 28, 2017
506
70
28
45
London
One option that I know a lot of people go for is to completely disable IPMI on remote machines.

But for those who actually need it, I guess there's no way around having a dedicated hardware firewall, eh?

Actually, now I come to think of it, this is pretty much the one useful use case of doing that thing where you have an inbound VPN connection to your main network originating from a hardened satellite bastion node.
 

balnazzar

Active Member
Mar 6, 2019
221
30
28
Apologies for resurrecting this thread. I actually don't understand half of what you recommend, but as a matter of fact I'd need to access my IPMI over the internet.

Now, as a starting point, I understand I have to set up a VPN. How do I do it? I think I need some device which acts as a VPN server, right? I thought about a Raspberry Pi, but you mention pfSense and MikroTik dedicated devices. Do they serve the same function?
Furthermore, why do I need a firewall since there is already the VPN which forbids other people from getting access to the IPMI?

If you would be so kind to link a guide/tutorial for such stuff, it would be greatly appreciated, Thanks!!
 
  • Like
Reactions: ramblinreck47

gigatexal

I'm here to learn
Nov 25, 2012
2,913
607
113
Portland, Oregon
alexandarnarayan.com
balnazzar said:
Apologies for resurrecting this thread. I actually don't understand half of what you recommend, but as a matter of fact I'd need to access my IPMI over the internet.

Now, as a starting point, I understand I have to set up a VPN. How do I do it? I think I need some device which acts as a VPN server, right? I thought about a Raspberry Pi, but you mention pfSense and MikroTik dedicated devices. Do they serve the same function?
Furthermore, why do I need a firewall since there is already the VPN which forbids other people from getting access to the IPMI?

If you would be so kind to link a guide/tutorial for such stuff, it would be greatly appreciated, Thanks!!

I would do this with WireGuard. I don't have a step-by-step tutorial, but I would lock down access to your IPMI setup in a firewall and then use WireGuard to create a connection to the home LAN and connect that way.
 
  • Like
Reactions: balnazzar
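For the "firewall plus WireGuard" approach in the reply above, here is what the two halves look like on disk, as an added example for this thread (not gigatexal's configuration and not from the WireGuard project). Everything specific is an assumption: the appliance is a Linux box running wg-quick with iptables, the tunnel uses 10.99.0.0/24, the IPMI VLAN is 192.168.99.0/24 and is reachable from the appliance, the public endpoint is vpn.example.com, and the key placeholders in angle brackets are filled from `wg genkey` / `wg pubkey`. The two sections are two separate files, shown in one listing.

```ini
# ---- /etc/wireguard/wg0.conf on the always-on VPN appliance (assumed layout) ----
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <appliance private key from wg genkey>
# The "lock it down in a firewall" part. Tunnel peers may reach only the IPMI VLAN
# (assumed 192.168.99.0/24), and only the BMC web UI (TCP 443) and IPMI-over-LAN
# (UDP 623); anything else arriving from the tunnel is dropped. Ports are assumptions;
# add the board's KVM / virtual-media ports the same way if you need them.
PostUp = iptables -A FORWARD -i %i -d 192.168.99.0/24 -p tcp --dport 443 -j ACCEPT; iptables -A FORWARD -i %i -d 192.168.99.0/24 -p udp --dport 623 -j ACCEPT; iptables -A FORWARD -i %i -j DROP
PostDown = iptables -D FORWARD -i %i -d 192.168.99.0/24 -p tcp --dport 443 -j ACCEPT; iptables -D FORWARD -i %i -d 192.168.99.0/24 -p udp --dport 623 -j ACCEPT; iptables -D FORWARD -i %i -j DROP

[Peer]
# The laptop you manage from. On the server side AllowedIPs is also an ingress filter:
# a packet from this peer with any other source address is discarded before routing.
PublicKey = <laptop public key>
AllowedIPs = 10.99.0.2/32

# ---- /etc/wireguard/wg0.conf on the laptop (assumed layout) ----
[Interface]
Address = 10.99.0.2/24
PrivateKey = <laptop private key from wg genkey>

[Peer]
PublicKey = <appliance public key>
Endpoint = vpn.example.com:51820
# Route only the IPMI VLAN into the tunnel; the rest of the laptop's traffic is untouched.
AllowedIPs = 192.168.99.0/24
# Keeps the NAT mapping alive so the appliance can be reached right after a reboot.
PersistentKeepalive = 25
```

Two things to check before relying on it: both files contain private keys and should be owner-readable only (`chmod 600`), and the BMC needs a route back to 10.99.0.0/24 via the appliance (or the appliance must NAT tunnel traffic onto the IPMI VLAN), otherwise the web UI will load nothing even though the handshake succeeds. The FORWARD rules are what answer balnazzar's "why do I need a firewall" question: the VPN decides who gets in, the firewall decides what they can touch once inside.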

balnazzar

Active Member
Mar 6, 2019
221
30
28
gigatexal said:
I would do this with WireGuard. I don't have a step-by-step tutorial, but I would lock down access to your IPMI setup in a firewall and then use WireGuard to create a connection to the home LAN and connect that way.

Thanks for your reply. I happen to have an old Mac mini I use as a media player that I can leave always on without significant impact on the electricity bill.
I'll try and configure WireGuard on macOS, but should I fail, there is always the built-in OS X VPN server.

May I ask why you suggested WireGuard specifically? Does it provide any additional security features over other VPN servers?

Thanks!
 

gigatexal

I'm here to learn
Nov 25, 2012
2,913
607
113
Portland, Oregon
alexandarnarayan.com
balnazzar said:
Thanks for your reply. I happen to have an old Mac mini I use as a media player that I can leave always on without significant impact on the electricity bill.
I'll try and configure WireGuard on macOS, but should I fail, there is always the built-in OS X VPN server.

May I ask why you suggested WireGuard specifically? Does it provide any additional security features over other VPN servers?

Thanks!
I hear it’s faster and easier to setup
 
  • Like
Reactions: balnazzar

JoshDi

Active Member
Jun 13, 2019
246
120
43
Could you elaborate? I know what an SSH tunnel is and how to set it up... I just don't get how to use it in our context.

Set up an SSH tunnel or VPN. Connect to the SSH tunnel or VPN and then use it to access your IPMI page.
 

acquacow

Well-Known Member
Feb 15, 2017
787
439
63
42
Also, if you have a Linux laptop, or a Linux VM with X installed, you can use sshuttle from the console to your SSH endpoint and it basically sets up a VPN over SSH with iptables for you. Then you can use the browser within your Linux VM to pull up all the IPMI endpoints.

I personally have a Windows VM and a Linux VM running 24x7 on my FreeNAS box at home. I SSH into a FreeNAS jail, then port-forward my RDP port and VNC port from my Windows and Linux VMs through my session.
 
  • Like
Reactions: SRussell

balnazzar

Active Member
Mar 6, 2019
221
30
28
JoshDi said:
Set up an SSH tunnel or VPN. Connect to the SSH tunnel or VPN and then use it to access your IPMI page.

If I am not misunderstanding, you are assuming one has a machine acting as a server. For a moment I was under the impression that the IPMI/BMC itself could provide the means for acting as an SSH server, thus avoiding having to set up a dedicated machine.
 

balnazzar

Active Member
Mar 6, 2019
221
30
28
acquacow said:
Also, if you have a Linux laptop, or a Linux VM with X installed, you can use sshuttle from the console to your SSH endpoint and it basically sets up a VPN over SSH with iptables for you. Then you can use the browser within your Linux VM to pull up all the IPMI endpoints.

I personally have a Windows VM and a Linux VM running 24x7 on my FreeNAS box at home. I SSH into a FreeNAS jail, then port-forward my RDP port and VNC port from my Windows and Linux VMs through my session.
This is quite interesting, since I read on their webpage:

"Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling."

Two questions:

1. What do you use for hosting your VMs upon the FreeNAS?

2. What is the windows VM for (in our context)?

EDIT:
3. Is sshuttle secure enough?

Thanks!!