Score:0

Dynamic IP address whitelisting for regular data transfers back home while travelling

fr flag

I will be going on a 100 day (global) tour where we will be generating 1TB of video data per day. To mitigate risk of data loss we plan to drop one copy of hard disks with local volunteers in each country en route, who will upload the data from their home connections back to our server.

We don't want to open up the server to the whole world, and would like to restrict access to just those IPs that are uploading data to us, but the volunteers will mostly have dynamic IP addresses. How do we do this?

We are making a small application that will manage the data transfers, so we can do some custom logic in that.

EDIT: I just found out about Dynamic DNS services (like noip.com). Would it be fair to assume that most people's home routers would support DDNS configuration? Our infra person says that they can configure our firewall whitelist to be based on this instead of IPs. This sounds like a simple, secure solution. Any thoughts?

cn flag
Bob
The more common business solution: run a vpn server as the only public service on your server. An alternative is port knocking as an extra security feature https://en.m.wikipedia.org/wiki/Port_knocking
fr flag
@Bob port knocking - that sounds like a great option... don't know if fortinet supports it though
cn flag
Bob
Regarding your edit: Many products that allow entering trusted sources by their FQDN rather than IP-address do a DNS lookup once, when the list with hostnames is loaded, and then internally continue to use the resulting IP-address. That may have unexpected results when the trusted sources are DDNS records with frequently changing IP-addresses... `ddns.example.org` is listed as trusted, but effectively only the old IP-address is trusted and not the current one.
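The resolve-once behaviour described in the comment above is the reason a DDNS-based whitelist needs a periodic re-resolution step of its own. The script below is an added example (not code from this thread or from any firewall vendor) that re-resolves a list of DDNS names, keeps only routable IPv4 answers, and reports which addresses entered and left the allowlist between two polls; the hostnames, the DNS answers and the two polling rounds are constructed, and the resolver is injected so the script runs offline (pass `default_resolver` for live DNS).

```python
"""Re-resolve DDNS hostnames on a schedule and report allowlist changes.

Added example, not code from the thread. The hostnames and DNS answers
are constructed; the resolver is a callable so the script runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Set, Tuple

Resolver = Callable[[str], Iterable[str]]

# RFC 1918 ranges: a DDNS record that resolves to one of these must never
# land in the allowlist, or a whole LAN range becomes "trusted".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_acceptable(ip: ipaddress.IPv4Address) -> bool:
    """Accept only routable IPv4 unicast addresses (no loopback, link-local, multicast, RFC 1918)."""
    if ip.version != 4:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in RFC1918)


def resolve_all(names: Iterable[str], resolver: Resolver) -> Dict[str, Set[str]]:
    """Resolve every name; a name that fails to resolve maps to an empty set
    and therefore drops out of the allowlist instead of keeping a stale address."""
    result: Dict[str, Set[str]] = {}
    for name in names:
        addrs: Set[str] = set()
        try:
            answers = list(resolver(name))
        except (socket.gaierror, OSError):
            answers = []
        for answer in answers:
            try:
                ip = ipaddress.ip_address(answer)
            except ValueError:
                continue  # malformed answer, ignore
            if is_acceptable(ip):
                addrs.add(str(ip))
        result[name] = addrs
    return result


def diff_allowlist(old: Dict[str, Set[str]], new: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str]]:
    """Return (addresses to add, addresses to remove) between two resolution snapshots."""
    old_ips = set().union(*old.values()) if old else set()
    new_ips = set().union(*new.values()) if new else set()
    return new_ips - old_ips, old_ips - new_ips


def default_resolver(name: str) -> Iterable[str]:
    """Live resolver for production use: every A record of the name."""
    return socket.gethostbyname_ex(name)[2]


# Constructed DNS answers for two volunteers' DDNS names over two polling rounds.
# Round 2: volunteer A's home IP changed, and B's record gained a bogus private address.
ROUND_1 = {"vol-a.ddns.example": ["203.0.113.10"], "vol-b.ddns.example": ["198.51.100.7"]}
ROUND_2 = {"vol-a.ddns.example": ["203.0.113.44"], "vol-b.ddns.example": ["198.51.100.7", "10.0.0.5"]}


def demo() -> Tuple[Set[str], Set[str]]:
    """Poll twice with the constructed answers and return what the firewall must add/remove."""
    names = ["vol-a.ddns.example", "vol-b.ddns.example"]
    first = resolve_all(names, lambda n: ROUND_1[n])
    second = resolve_all(names, lambda n: ROUND_2[n])
    return diff_allowlist(first, second)


if __name__ == "__main__":
    to_add, to_remove = demo()
    print("add:", sorted(to_add), "remove:", sorted(to_remove))
```

Run the poll on a short interval (a few minutes, matching the DDNS TTL) and feed the add/remove sets to the firewall; the important property is that a changed record removes the old address rather than leaving it trusted indefinitely.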
Score:1
cn flag

As @Bob says, the best way is to run a VPN server and have them use that.

But, another slightly creative way to do it would be to use something like AWS Lambda & API Gateway. Set up a Lambda to take the HTTP callers IP, and write it to an SQS queue. Then have something on the server that consumes that queue and updates the firewall. Protect the Lambda with an API key in API Gateway. Give the volunteers a script/program to run on a USB stick, they run the program, it triggers the update, then waits a bit and logs them in to the server.

That's all quite involved though, so fine if you're happy getting deep into the tech on this, but if you want something simple just set up OpenVPN/Wireguard on your server on a random port!
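The server-side half of the Lambda/SQS design above is the part that actually opens the firewall, so it is where the validation belongs. The following is an added example (not code from this answer or from AWS) of a queue consumer: it takes registration messages as JSON strings (constructed here in place of SQS deliveries), drops malformed or non-routable addresses, keeps a bounded allowlist with a time-to-live, and returns the nftables commands it would run. The set name `inet filter uploaders`, the TTL and the entry cap are assumptions; the set is assumed to exist with the `timeout` flag.

```python
"""Consume self-registration messages and maintain an expiring firewall allowlist.

Added example, not code from the answer. Messages are constructed JSON
strings standing in for SQS deliveries; nft commands are returned as
strings rather than executed.
"""
import ipaddress
import json
import time
from typing import Callable, Dict, List, Optional, Tuple

NFT_SET = "inet filter uploaders"   # hypothetical set, created with 'flags timeout'
TTL_SECONDS = 12 * 3600             # one upload session; afterwards the hole closes by itself
MAX_ENTRIES = 64                    # bounded: a leaked API key cannot open the server to thousands of IPs
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_message(body: str) -> Optional[str]:
    """Return the IPv4 address to allow, or None if the message must be dropped."""
    try:
        msg = json.loads(body)
        ip = ipaddress.ip_address(msg["ip"])
    except (ValueError, KeyError, TypeError):
        return None
    # Only a routable unicast source makes sense; anything else is malformed or spoofed.
    if ip.version != 4 or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None
    if any(ip in net for net in RFC1918):
        return None
    return str(ip)


class Allowlist:
    """Tracks admitted addresses and their expiry; emits nft commands for every change."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._expires: Dict[str, float] = {}

    def expire(self) -> List[str]:
        """Drop entries whose TTL has passed and return the delete commands."""
        now = self._now()
        gone = [ip for ip, t in self._expires.items() if t <= now]
        for ip in gone:
            del self._expires[ip]
        return [f"nft delete element {NFT_SET} {{ {ip} }}" for ip in gone]

    def admit(self, ip: str) -> List[str]:
        """Admit an address (refreshing it if already present); return commands to apply."""
        cmds = self.expire()
        if ip in self._expires:
            # nft rejects re-adding an existing element, so refresh as delete + add.
            cmds.append(f"nft delete element {NFT_SET} {{ {ip} }}")
        elif len(self._expires) >= MAX_ENTRIES:
            return cmds  # full: refuse rather than evict a live uploader
        self._expires[ip] = self._now() + TTL_SECONDS
        cmds.append(f"nft add element {NFT_SET} {{ {ip} timeout {TTL_SECONDS}s }}")
        return cmds

    def active(self) -> List[str]:
        return sorted(self._expires)


def process_batch(bodies: List[str], allowlist: Allowlist) -> List[str]:
    """Validate each queued message and collect the firewall commands it produces."""
    cmds: List[str] = []
    for body in bodies:
        ip = parse_message(body)
        if ip is not None:
            cmds.extend(allowlist.admit(ip))
    return cmds


# Constructed queue contents: one good registration, two bad ones, one repeat.
SAMPLE_BODIES = [
    '{"volunteer": "vol-a", "ip": "203.0.113.44"}',
    '{"volunteer": "vol-b", "ip": "10.0.0.5"}',      # private address: dropped
    '{"volunteer": "vol-c", "ip": "not-an-ip"}',     # malformed: dropped
    '{"volunteer": "vol-a", "ip": "203.0.113.44"}',  # repeat: refreshes expiry
]


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Process the sample batch under a fake clock, then advance past the TTL."""
    clock = [1_000_000.0]
    allowlist = Allowlist(now=lambda: clock[0])
    cmds = process_batch(SAMPLE_BODIES, allowlist)
    clock[0] += TTL_SECONDS + 1
    expired = allowlist.expire()
    return cmds, expired, allowlist.active()


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Wiring it up means replacing `SAMPLE_BODIES` with a loop over received queue messages (deleting each one after it is processed) and running the returned commands through `subprocess.run` with a fixed argument list. The TTL is the piece that makes this safer than a static whitelist: a volunteer who registers from a coffee shop does not leave that network trusted for the rest of the tour.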

fr flag
That's exactly what I was thinking! But then I thought there might be a simpler way. Going through a VPN will reduce the speed (we need absolute maximum throughput possible) - and the data will be pre-encrypted so no in-transit security issues. What about Dynamic DNS config?
cn flag
Dynamic DNS would work for talking TO the server - I use that to update a subdomain for my own network, as my home IP sometimes changes from my ISP. Not sure it'll work for the clients though. WireGuard should be faster than VPN, so could be a good option.