Access IPMI Remotely?


ramblinreck47


I’ve been really interested in IPMI after I’ve spent some time reading up on all that you can do with it and how it can be integrated with UnRAID. The issue I’m having is how I would make sure it’s secure and not a major liability for my home network using what I already have.

Background: 
I have a simple WiFi router from the cable company, and the only network changes I’ve made over the last year or so were just to forward a port for Plex and one for OpenVPN (both set up as Dockers on my UnRAID server). Soon, I will have the opportunity to build a new server exactly the way I want it, and IPMI has me intrigued. I am starting a new job that will require me to travel considerably more than I do now. I want to be able to make changes and boot remotely. OpenVPN on the server itself is nice and gives me a chance to make changes once the array is started, but it would be completely useless for me if the server were to have trouble booting and I couldn’t view what was going wrong. IPMI would help solve this issue.

In all my reading about IPMI, it has been very apparent that you shouldn’t ever expose IPMI outside your network. I’ve been trying to go over in my head how I could make sure that my network is relatively secured and still access IPMI while I’m away on work. I’ve tried to get a better understanding of VLANs and different subnets, but I’m not sure I could do any of this with the router that I have. Would any of these scenarios be viable for me with the equipment I have (or can easily obtain)?

Scenario #1: Turn my old Dell Optiplex into a pfSense router and replace the cheap WiFi I have from the cable company. I could then install OpenVPN through pfSense and access the network that way. I don’t know what settings I would have to do in the server BIOS to ensure that the IP address for IPMI is somewhat safe.

Scenario #2: Install the WireGuard plugin on my UnRAID server and replace OpenVPN. This would at least allow me to see my server immediately after it boots, and I wouldn’t have to worry about Dockers loading before I could VPN in (I don’t want to have to change my array to Autostart on boot). If the server doesn’t boot properly, this scenario isn’t going to be useful.

Scenario #3: Scenario #1 plus a managed switch where I could fully structure out a management VLAN for the IPMI port. I have almost no idea how to do this, so I want to avoid this at all costs unless I can get step-by-step instructions.

Is there something easier that I’m missing, or does anyone have any instructions on how to make this process at least a little safer without costing me a lot of money?

Link to comment

This is just my opinion, and I am not a network security expert, but I think for a home server you would be fine with scenario #1 and set a secure high strength for IPMI access. I use OpenVPN and a bare metal pfSense installation for all my remote access. The managed switch is probably only necessary if you want to set up custom Docker networks, IoT networks, guest networks, etc., and can be added later if you choose to.

 

If this server will be some sort of critical business server, you should hire a specialist to design and maintain your network.
