Secure connection to the server via ipmi

Nico052020

Contributor
Joined
May 27, 2020
Messages
101
Hello everyone,
I'm here to ask for advice about possible solutions to connect to the IPMI (2.0) interface of my server remotely and safely.

I have a NAS running with Truenas. I will soon need to manage / monitor my nas remotely.

Can the ipmi interface be accessed directly and securely?
If yes how?

If not, is there another way to connect to the ipmi in a secure way?

Regards
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
This depends on the kind of IPMI firmware. Most (all I ever saw) have a HTTP/HTTPS browser UI. Some have SSH. All have of course IPMI and you can use for example ipmitool on your desktop as one option for tooling.

As for the "secure" and "remote" parts - IPMI does not care about that and I would advise against exposing it to the Internet.

Set up a VPN with your Internet router and connect via one of the methods I listed.

HTH,
Patrick
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
There have been times when I have had to work around firewall rules, even internal to a company.

For example, I would be able to SSH into the server side, but not be able to access the IPMI / BMC / etc... So, I find a server on the same sub-net as the IPMI and use SSH forwarding / tunneling. I then make the connection through the SSH tunnel. It is a bit tricky to set up and use, and each case is different.

For your case, exposing an SSH connection would be less risky. But, there have been SSH exploits, so using a different instance of SSH with a different "sshd_config" can help. Specifically forcing that SSH connection to only allow key based logins, no password logins. Then generate a 4K or 8K RSA key and use that for logins.
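The tunnel described above, as an added example that is not part of the original post: a dedicated sshd instance on the LAN-side host (PC1 or the NAS itself; none of this is configured in the IPMI web UI) that accepts key logins only and can forward only to the BMC's HTTPS port, plus the matching ssh -L command for the remote client. The host name home.example.net, the user bmcjump, the listen port 2222 and the local port 8443 are assumptions; the BMC address 192.168.0.40 is the one given later in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the SSH jump host is PC1
# (192.168.0.30) reached from outside as home.example.net on TCP 2222 via a
# router port forward; the BMC is 192.168.0.40 with its web UI on TCP 443;
# the tunnel-only login user is "bmcjump".
BMC=192.168.0.40
JUMP_USER=bmcjump
JUMP_HOST=home.example.net
JUMP_PORT=2222
LOCAL_PORT=8443

WORK=$(mktemp -d)

# Config for a second sshd instance (run as: sshd -f "$WORK/sshd_bmc.conf"):
# key-only logins, one allowed user, local forwarding only, and only to the
# BMC's HTTPS port, so a stolen key cannot be used to reach anything else.
cat > "$WORK/sshd_bmc.conf" <<EOF
Port $JUMP_PORT
PasswordAuthentication no
AuthenticationMethods publickey
AllowUsers $JUMP_USER
AllowTcpForwarding local
PermitOpen $BMC:443
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
EOF

# check_sshd_config FILE: prints "ok" when every hardening directive is present
# exactly as written, otherwise the first missing one.
check_sshd_config() {
  for want in "PasswordAuthentication no" "AuthenticationMethods publickey" \
              "AllowTcpForwarding local" "PermitOpen $BMC:443"; do
    grep -qx -- "$want" "$1" || { echo "missing: $want"; return 1; }
  done
  echo ok
}

# tunnel_cmd: the command the remote client runs. -N opens no shell; binding
# the forward to 127.0.0.1 keeps other machines on the client's network out.
# Key pair as suggested in the post: ssh-keygen -t rsa -b 4096 -f ~/.ssh/bmc_rsa
tunnel_cmd() {
  echo "ssh -N -L 127.0.0.1:$LOCAL_PORT:$BMC:443 -p $JUMP_PORT -i ~/.ssh/bmc_rsa $JUMP_USER@$JUMP_HOST"
}

check_sshd_config "$WORK/sshd_bmc.conf"
tunnel_cmd
echo "then browse to https://127.0.0.1:$LOCAL_PORT on the remote client"
```

Validate the file with `sshd -t -f <file>` before starting the second instance. Two caveats: an ssh -L forward carries TCP only, so the browser UI works but IPMI-over-LAN as used by ipmitool (RMCP+ on UDP 623) does not pass through it; and the Java/HTML5 KVM console of many BMCs opens additional vendor-specific TCP ports, which then have to be added both to PermitOpen and as further -L arguments.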
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
For example, I would be able to SSH into the server side, but not be able to access the IPMI / BMC / etc... So, I find a server on the same sub-net as the IPMI and use SSH forwarding / tunneling. I then make the connection through the SSH tunnel. It is a bit tricky to set up and use, and each case is different.
Poor person's VPN :wink:
 

Rosin0416

Patron
Joined
Apr 11, 2016
Messages
214
Hello,
First of all, thank you for your feedback.
I regularly use IPMI on my internal network through my internet browser (https).

In my case, it is a home installation.
The router is provided by my ISP and does not have a VPN service.
Moreover, I don't have any dedicated equipment (e.g. Raspberry) to set up a VPN.
On the other hand, there will be a windows client (laptop) within the local network that can be used.

Normally, if I need to intervene on the server, there will be a person on site who will be able to activate / deactivate the port forwarding in the router administration interface.
So IPMI will not be constantly exposed to the internet. But well, if the person forgets to deactivate, I prefer to anticipate and ensure the security of the connection.
Hence my post.

I searched the ipmi interface, but I couldn't find a built-in VPN service.

For your case, exposing an SSH connection would be less risky. But, there have been SSH exploits, so using a different instance of SSH with a different "sshd_config" can help. Specifically forcing that SSH connection to only allow key based logins, no password logins. Then generate a 4K or 8K RSA key and use that for logins.
It seems complicated to me. Is the setting done in the IPMI interface?

sorry I'm a bit new to this
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I searched the ipmi interface, but I couldn't find a built-in VPN service.
No, AFAIK none of the IPMI implementations contain a VPN server--that's something you'd set up elsewhere, ideally on your router. Another possible way to do it (which would also handle TLS termination) would be a reverse proxy with strong authentication mechanisms.
 

Rosin0416

Patron
Joined
Apr 11, 2016
Messages
214
In fact, if there is no service integrated to IPMI, I'm more in favor of making a VPN connection (Wireguard, which I know a little)
Is it possible to set it up from the client computer, in order to access the IPMI address of the server?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
With SSH port forwarding you can reach a variety of services in a remote network as long as they are TCP based. Similar to what a VPN does.
 

Nico052020

Contributor
Joined
May 27, 2020
Messages
101
Hello,
I use the ipmitools software.
I like the solution of using a VPN + https or java console

My router does not have a VPN built in. I have a PC that I don't use. I am able to configure a VPN link through this PC, but I don't know how to access the IPMI address afterwards. I am missing a link.
Can you help me with this?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I am able to configure a VPN link through this PC, but I don't know how to access the IPMI address afterwards.
Once you're connected to that VPN, you should be able to reach the IPMI interface in the same way as you do when you're on the LAN--that's the point of a VPN.
 

Nico052020

Contributor
Joined
May 27, 2020
Messages
101
No, I think I'm missing something.
I just have a tunnel that goes from a client station to a client station and that's it.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
If your local network is e.g. 192.168.0.0/24 then the point of a VPN (in most cases) is to give the external authenticated client access to the entire 192.168.0.0/24 network. Figure out how to do that with your VPN technology of choice.

There are many more alternatives. I am rather fond of Apache Guacamole. That gives you a remote desktop session to a local Windows system in a browser and is reasonably secure. On that local Windows system you could then run whatever IPMI software you feel like using.

I run Guacamole in a jail on my TrueNAS, so of course if I need the IPMI to troubleshoot the TrueNAS that is probably not going to work.

Guacamole can also present SSH and telnet sessions after proper authentication via HTTPS, so possibly that on a small Linux system (Raspberry Pi or similar) fits your bill.

It's like those enterprise "SSL VPN" products by Cisco et al. only that it is open source and actually works.
 

Nico052020

Contributor
Joined
May 27, 2020
Messages
101
Hello,

Here is the configuration I made

Router :
public ip: xx.xx.xx.xx
internal router ip : 192.168.0.1/24

PC 1 (physically present in the local network)
ip local network : 192.168.0.30
ip within the vpn tunnel : 10.0.0.1
Listening port: 50000

IPMI interface of the nas
ip local network : 192.168.0.40
=> normally accessible by https://192.168.0.40 in the local network

PC 2 outside the local network
ip within the vpn tunnel : 10.0.0.2


Port forwarding done at the router:
external port 50000
internal port 50000
redirection ip : 192.168.0.30


What do I put in my internet browser (PC 2) when I am outside?
Isn't there another step needed to access the IPMI (192.168.0.40)?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
You need to tell your VPN setup that the entire 192.168.0.0/24 network is "at the other end" of that tunnel. How that is done depends on the VPN product used. What exactly are you using?

Probably you also need a static route for the 10.0.0.0/? network in your router. If the router cannot be configured with manual static routes the PC that serves as a VPN server needs to NAT your client outside to its own 192.168.0.30 address.

Once that is configured correctly you use the same URL as when at home to access IPMI. https://192.168.0.40
 

Nico052020

Contributor
Joined
May 27, 2020
Messages
101
Hello,
It reassures me to know that the configuration is not complete.
I also use Wireguard. I find it easy to configure.
I specify that PC 1 (the one that acts as a gateway within the local network) runs Windows.

What is the next step please?
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
What you need to do:
  • Wireguard on PC2 needs to be told to route traffic for 192.168.0.0/24. This probably would translate to this line AllowedIPs = 10.0.0.0/24, 192.168.0.0/24
  • PC1 needs to be configured for IP forwarding. On Windows, this is done through the Registry Editor. You can follow the instructions here.
 

Nico052020

Contributor
Joined
May 27, 2020
Messages
101
hello

PC1 needs to be configured for IP forwarding. On Windows, this is done through the Registry Editor. You can follow the instructions here.
indeed, this must be the link I was missing

AllowedIPs = 10.0.0.0/24, 192.168.0.0/24
If I understand this line correctly, we allow all IP addresses (254 machines) of the 10.0.0.0 network and all IP addresses (254 machines) of the 192.168.0.0 network to connect to PC2 (the one outside the local network).

Excuse my ignorance of the subject:
Shouldn't we just allow 10.0.0.1/32 and 192.168.0.40/32?
Why allow both subnets 10.0.0.x and 192.168.0.x. Indeed, even if the traffic is redirected via PC1 (physically in the local network), isn't it only 10.0.0.1 that connects to PC2 (the one outside)? Why add 192.168.0.x ?

Regards
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Excuse my ignorance of the subject:
Shouldn't we just allow 10.0.0.1/32 and 192.168.0.40/32?
Why allow both subnets 10.0.0.x and 192.168.0.x. Indeed, even if the traffic is redirected via PC1 (physically in the local network), isn't it only 10.0.0.1 that connects to PC2 (the one outside)? Why add 192.168.0.x ?
Because you are basically telling the Wireguard kernel module that it should handle any traffic destined to the 10.0.0.0/24 and 192.168.0.0/24 networks. If you only do 192.168.0.40/32, then it will drop traffic going to say... your router at 192.168.0.1, because it's only told to forward packets going to 192.168.0.40 and that's it.

I suppose you may only need to specify 10.0.0.1/32 if you don't care about communicating to other Wireguard clients, but if you want to access your entire home LAN, you have to allow the whole 192.168.0.0/24.
 

Nico052020

Contributor
Joined
May 27, 2020
Messages
101
Because you are basically telling Wireguard kernel that it should handle any traffic destined to the 10.0.0.0/24 and 192.168.0.0/24 networks. If you only do 192.168.0.40/32, then it will drop traffic going to say... your router at 192.168.0.1 because it's only told to forward packets going to 192.168.0.40 and that's it.
sorry, with the automatic translation, I think I misunderstood what you meant.
I think I must have a bad reasoning scheme of how wireguard and subnets work that prevents me from understanding the whole process.

I suppose you may only need to specify 10.0.0.1/32 if you don't care about communicating to other Wireguard clients, but if you want to access your entire home LAN, you have to allow the whole 192.168.0.0/24.
I don't want to have access to my entire local network. I only want to access the server's ipmi interface and be able to open a kvm or java console.
This is a single connection between my PC2 (outside the local network) to the server's IPMI interface via PC1 (in the local network). There are no other client (PC1 and PC2).
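An added example, not from the thread, that writes the two WireGuard configs for the setup posted above (PC1 gateway 192.168.0.30 / 10.0.0.1 on port 50000, PC2 client 10.0.0.2, BMC 192.168.0.40, Endpoint xx.xx.xx.xx as posted) and then checks, with a small CIDR matcher, which destinations PC2 would actually send into the tunnel. In WireGuard, AllowedIPs on a peer is both the outbound route table and the inbound source filter, so listing only 10.0.0.1/32 and 192.168.0.40/32 on PC2 gives exactly the single-host access the last post asks for. The key strings are placeholders; the shell functions are mine and exist only to make the AllowedIPs behaviour visible.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are the ones posted: PC1 is the
# WireGuard gateway at 192.168.0.30 / 10.0.0.1 listening on 50000 (the router
# must forward UDP 50000 to it; WireGuard is UDP only), PC2 is the remote
# client at 10.0.0.2, the BMC is 192.168.0.40. Key strings are placeholders.
WORK=$(mktemp -d)

# PC1 (Windows gateway on the LAN). Its only peer is PC2, and packets from that
# peer are accepted only when their source address is 10.0.0.2.
cat > "$WORK/pc1-wg0.conf" <<'EOF'
[Interface]
PrivateKey = <PC1_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 50000

[Peer]
PublicKey = <PC2_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
EOF

# PC2 (remote client). AllowedIPs is both the route table and the inbound
# source filter: only PC1 itself and the BMC are sent into the tunnel; the
# rest of 192.168.0.0/24 is not routed through it from this client.
cat > "$WORK/pc2-wg0.conf" <<'EOF'
[Interface]
PrivateKey = <PC2_PRIVATE_KEY>
Address = 10.0.0.2/24

[Peer]
PublicKey = <PC1_PUBLIC_KEY>
Endpoint = xx.xx.xx.xx:50000
AllowedIPs = 10.0.0.1/32, 192.168.0.40/32
PersistentKeepalive = 25
EOF

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside the prefix (bare IP means /32)
in_cidr() {
  ip=$(ip4_to_int "$1")
  net=$(ip4_to_int "${2%/*}")
  bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# routes_via_tunnel CONF DEST -> prints yes if DEST matches any AllowedIPs
# prefix in CONF (what WireGuard's cryptokey routing table decides), else no
routes_via_tunnel() {
  for cidr in $(sed -n 's/^AllowedIPs *= *//p' "$1" | tr ',' ' '); do
    if in_cidr "$2" "$cidr"; then echo yes; return 0; fi
  done
  echo no
  return 1
}

for dest in 192.168.0.40 192.168.0.1 10.0.0.1; do
  echo "PC2 -> $dest via tunnel: $(routes_via_tunnel "$WORK/pc2-wg0.conf" "$dest")"
done
```

Two things the configs alone do not cover. First, PC1 still has to forward packets arriving from the tunnel: on Windows that is the registry value IPEnableRouter = 1 under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (reboot afterwards), and, because the ISP router cannot hold a static route for 10.0.0.0/24, the BMC's replies to 10.0.0.2 would otherwise go to the router and be lost; PC1 therefore also has to NAT the tunnel traffic to its own 192.168.0.30 (for example with New-NetNat in PowerShell), as Patrick noted. Second, the narrow AllowedIPs on PC2 is honoured only by PC2's own WireGuard; if that laptop is ever compromised, the attacker can widen it, so the same restriction (tunnel traffic may only go to 192.168.0.40) should also be enforced by a firewall rule on PC1.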
 