VPN access for Linux servers

Hey guys,
I’m a network guy.
I have a problem that needs some input and ideas. I have a couple of Linux machines hosted at my company. And I have devs from outside that need access to said machines.
Not much of a pro in the Linux area, still learning.
So any ideas on how I can implement this? Perhaps a VPN access?

I would use Tailscale.

As others have said, Tailscale. It even has session recording for SSH on paid plans.

https://tailscale.com/kb/1246/tailscale-ssh-session-recording

Just throwing Apache Guacamole into the mix.

Besides, basic SSH with pubkey auth would also work. Alternatively, the common ones like OpenVPN and WireGuard.

As they are not that mature yet, a web UI to log in to may be the best option. So check out Guacamole. Also supports access logs and video captures. Can be combined with SSO.

Optimal solution depends on what they need access to on those machines… Specific services only? A desktop? Shell? File browser?

I’d use WireGuard to let them connect, and get access to ssh and private services.

Then I would self-host Exceed TurboX if they needed a virtual desktop. I tried many other solutions but this was outstandingly better.

I would actively discourage or block staff from having company code and data on their laptops at all. It’s a totally avoidable security issue.

Tailscale, but probably ZeroTier for more enterprise things.

Just SSH is fine, WireGuard or OpenVPN as options.

I would use https://github.com/hoophq/hoop

I’ve set up WireGuard, OpenVPN, and Tailscale with Headscale servers, all for private VPN access. Tailscale and Headscale are IMHO the easiest, being that you can set up Headscale in Docker with something like Portainer managing it. That will give you some nice GUIs to work with.

Was going to suggest this.

They just need shell access.
Preferably with logs on what they modify.

They are out of my network, so I don’t think they can reach it from outside our network.

I’d probably just stick with what’s been tried and tested for decades and just open up SSH access from their company IPs then.

sshpiper seems just what the doctor ordered if you need logging and pointing different users to different hosts etc. GL.

It also means they have no need to bring new tooling into their environment which is always appreciated.

Also - add cert-based authentication - no password accepted, only certificates. Pretty much crack proof.
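
An added example, not part of the thread: a small Python check of an `sshd_config` against the SSH suggestions above (no password logins, access only from known addresses). It reads only the global section, the sample configs are constructed, and expressing the source restriction with `AllowUsers user@address` is an assumption here; a firewall rule would serve the same purpose.

```python
# Added example: audit the global section of an sshd_config (Match blocks not evaluated).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}  # OpenSSH defaults when a keyword is absent
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def global_settings(text):
    """Parse everything before the first Match line."""
    seen, allow = {}, []
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                      # later lines only apply conditionally
        if key == "allowusers":
            allow.extend(parts[1:])    # AllowUsers lines accumulate
        elif len(parts) > 1:
            seen.setdefault(key, parts[1].lower())  # sshd keeps the first value
    return {**DEFAULTS, **seen}, allow

def audit(text):
    """Return findings for the global section; an empty list means none."""
    cfg, allow = global_settings(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("password login enabled")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive login enabled")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("public-key login disabled")
    if not allow:
        findings.append("no AllowUsers restriction")
    findings += [f"{p}: not limited to a source address" for p in allow if "@" not in p]
    return findings

# Constructed samples; dev1/dev2 and 203.0.113.0/24 are placeholders.
WEAK = """PasswordAuthentication yes
PasswordAuthentication no
AllowUsers dev1@203.0.113.0/24 dev2
"""
HARDENED = """PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers dev1@203.0.113.0/24 dev2@203.0.113.0/24
"""
if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "OK")
```

In the weak sample the later `PasswordAuthentication no` has no effect because sshd keeps the first value it reads for a keyword, which is why the check reports password login as still enabled.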

Just told you the most common options; adapt them to your setup, including firewalling.