Questions about site to site VPNs vs reverse SSH tunnels

Hello, I am not really a network engineer or sysadmin, but I still manage most of the servers and network equipment at the small company I work at. We currently have 30-40 customers (some abroad), where each customer has one or a few servers that we own. These are most often located on the customer network, or in some cases use a 4G network connection which we provide. We need access to these servers, and until now we’ve used reverse SSH tunnels to gain access. So many of our servers are behind a customer firewall which only allows outgoing traffic towards one central SSH server which is accessible by us.

As we are expanding (hopefully increase our remote sites by a couple of times in the near future) we would like to transition to a more stable solution like VPN so that we don’t have to create tunnels all over the place to get the work done. The goal is to have an easy way to directly access the individual servers from a central network. The sites don’t need access to each other.

So, to my questions: what is the preferred way to connect sites like these together, site-to-site VPNs with IPSec or OpenVPN? Stay with the current reverse SSH tunneling system? Which way is best for scalability? I guess that we need to deploy firewalls at each site; any recommendations?

We currently use a WatchGuard T30 firewall in front of the central SSH server, which can manage up to 40 IPSec site-to-site VPNs, so we probably have to upgrade that one as well if we’re going the VPN route.

Thanks
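The reverse-SSH setup described in the post scales badly mostly on the central server side: every remote box needs a key there, and an unrestricted key on that account is a foothold into the hub network if one customer site is compromised. The following is an added example, not code from the thread, showing how to pin each site's key to exactly one reverse forward and how to audit an existing authorized_keys file for keys that are looser than that. It assumes a dedicated `tunnel` user on the central host, a deterministic port per site (20000 + site number), and constructed site names and public keys.

```python
"""Per-site restricted keys for a central reverse-SSH server.

Added example, not code from the original thread. Assumes the remote servers
log in to the central host as one dedicated user ('tunnel') and each of them
only ever opens one reverse forward (ssh -R) that lands on 127.0.0.1:<site
port> on the central host. Site names and public keys are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

BASE_PORT = 20000  # assumption: site N's tunnel lands on 127.0.0.1:(20000+N)


@dataclass(frozen=True)
class Site:
    number: int   # stable site id, used to derive the listen port
    name: str
    pubkey: str   # "ssh-ed25519 AAAA... comment" as written by ssh-keygen


def site_port(site: Site) -> int:
    return BASE_PORT + site.number


def restricted_key_line(site: Site) -> str:
    """authorized_keys entry that lets this key do nothing except open its
    own reverse forward to 127.0.0.1:<port> on the central server."""
    opts = ",".join([
        "restrict",                                     # no pty, agent, X11, rc, forwarding
        "port-forwarding",                              # re-enable forwarding...
        f'permitlisten="127.0.0.1:{site_port(site)}"',  # ...but only this one -R listener
        'command="/bin/false"',                         # a session request gets no shell
    ])
    return f"{opts} {site.pubkey}"


def tunnel_command(site: Site, central_host: str) -> str:
    """What the remote server runs (under autossh or a systemd unit)."""
    return ("ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 "
            f"-R 127.0.0.1:{site_port(site)}:localhost:22 tunnel@{central_host}")


def _split_options(line: str) -> Tuple[str, str]:
    """Split an authorized_keys line into (options, key); options may contain
    quoted strings with spaces, so scan rather than split on whitespace."""
    if re.match(r"^(ssh-|ecdsa-|sk-)", line):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


REQUIRED_OPTIONS = ("restrict", "permitlisten=")


def audit_authorized_keys(text: str) -> List[str]:
    """Flag keys on the tunnel account that could do more than one reverse forward."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, key = _split_options(line)
        fields = key.split()
        comment = fields[2] if len(fields) > 2 else "<no comment>"
        missing = [o for o in REQUIRED_OPTIONS if o not in opts]
        if missing:
            findings.append(f"{comment}: missing {','.join(missing)}")
    return findings


# Constructed sample: one entry generated above plus two legacy entries from
# the ad-hoc tunnel days that are far too permissive.
SITE_01 = Site(1, "site-01", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey01 site-01")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    restricted_key_line(SITE_01),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey02 site-02",
    'no-pty,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey03 site-03',
])

if __name__ == "__main__":
    print(restricted_key_line(SITE_01))
    print(tunnel_command(SITE_01, "hub.example.net"))
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("WARNING:", finding)
```

From the hub you then reach a site with `ssh -p 20001 root@127.0.0.1` (or a `ProxyJump` entry in your ssh config). `permitlisten` needs OpenSSH 7.8 or newer on the central server; on older versions the audit will flag every key and the only fix is to upgrade, because without it any site key can bind any port on the hub.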

Maintaining that many VPNs might cause some issues as your company scales up these deployments. There are solutions such as Zerotier that might work better for this https://youtu.be/Bl_Vau8wtgc


Might be worth looking at an RMM tool that also provides remote access for the OS you are running. You could then keep a much closer eye on the servers without having to do any more work, and possibly add this to your line-up as a billable extra (unless your current offering is all-in).

I’m new to RMM and am wishing I started using it years ago. Yes the per device per month cost bugs me a little bit but it’s sooooo worth it.


Thanks Tom, looks like there’s quite a lot of interesting stuff under the hood of Nebula! I didn’t mention it in the post, but we also have a switch that connects a few other minor network appliances that the server communicates with, which cannot run applications such as Nebula. So to access them we still need to use SSH forwarding or SOCKS proxies, correct? Do you know if there are similar solutions like Nebula that a firewall can run and thus make the firewall’s subnet a part of a larger network?

If not, this might be a quite nice solution!

Thanks, do you know if RMM tools can connect servers together? For example, a central monitoring or data-scraping server that needs a direct TCP connection to the remote site.

Edit: We would prefer to use a cheap or a self-hosted open source alternative, so all expensive monthly subscription-based solutions might unfortunately not be an alternative right now…

If some of the devices cannot run a tool such as Nebula or ZeroTier then a VPN is probably the best option.

I don’t have an exhaustive knowledge but I would suspect not. If you need your server at your site to connect to your server at their site to run checks then an RMM isn’t going to work. It would give you lots of useful information and a remote console though and the ability to run scripts remotely etc.

They are, however, almost all going to be a price-per-server-per-month subscription, so they don’t fit with the self-hosted approach. I would still give it some serious consideration though; I was also of the “I can do this myself for free, I’m FOSS Man” (most boring superhero ever…) mindset until recently, and wish I had gone for an RMM solution years ago now.

Sounds like pfSense + OpenVPN at your end and either a pfSense box (for multiple devices or ones that can’t have the client installed) or the OpenVPN client at the other. You could then look at something like Ansible to automate your monitoring
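The pfSense + OpenVPN suggestion above, and the original poster's requirement that sites reach the hub but not each other, come down to a handful of server-side directives: a client-config-dir entry per site with `iroute` for that site's LAN, a matching `route` on the server, `ccd-exclusive` so a certificate without an entry is refused, and no `client-to-client`. The generator below is an added example, not from the thread and not pfSense's or OpenVPN's own code; it assumes a 10.8.0.0/24 tunnel network in `topology subnet` mode, a 10.10.0.0/24 hub LAN, certificate CNs equal to the site names, and constructed site LANs. It also refuses to emit a config when two customer LANs overlap, which is the most common reason a hub-and-spoke VPN to many customer networks quietly fails.

```python
"""Hub-and-spoke OpenVPN: server.conf plus one client-config-dir (ccd) file
per customer site.

Added example, not from the thread and not pfSense's or OpenVPN's own code.
Assumptions: tunnel network 10.8.0.0/24 in 'topology subnet' mode, hub LAN
10.10.0.0/24, each site's client certificate CN equals the site name, and
the site LAN listed is the one behind that site's OpenVPN client.
Site names and LANs below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # assumption
HUB_LAN = ipaddress.ip_network("10.10.0.0/24")     # assumption: central office


@dataclass(frozen=True)
class Site:
    number: int   # stable id: tunnel address is TUNNEL_NET + number + 1
    name: str     # certificate CN; also the ccd file name
    lan: str      # customer LAN routed through this site's VPN client


def tunnel_ip(site: Site) -> ipaddress.IPv4Address:
    """Fixed tunnel address per site, so the hub's routes never depend on
    connection order (.1 is the server)."""
    if not 1 <= site.number <= TUNNEL_NET.num_addresses - 3:
        raise ValueError(f"site number {site.number} does not fit {TUNNEL_NET}")
    return TUNNEL_NET.network_address + site.number + 1


def overlapping_lans(sites: List[Site]) -> List[Tuple[str, str]]:
    """Pairs whose LANs overlap each other or the hub LAN. Customer LANs are
    often all 192.168.1.0/24; such sites cannot be routed over one VPN
    without NAT, so the generator refuses rather than emitting a broken
    routing table."""
    entries = [(s.name, ipaddress.ip_network(s.lan)) for s in sites]
    entries.append(("<hub>", HUB_LAN))
    return [(a, b) for i, (a, na) in enumerate(entries)
            for b, nb in entries[i + 1:] if na.overlaps(nb)]


def server_conf(sites: List[Site]) -> str:
    clashes = overlapping_lans(sites)
    if clashes:
        raise ValueError(f"overlapping LANs, cannot route without NAT: {clashes}")
    lines = [
        "port 1194",
        "proto udp",
        "dev tun",
        "topology subnet",
        f"server {TUNNEL_NET.network_address} {TUNNEL_NET.netmask}",
        "client-config-dir ccd",
        "# a valid certificate with no ccd entry is refused outright",
        "ccd-exclusive",
        "# shared key in front of the TLS handshake: unauthenticated UDP is dropped",
        "tls-crypt ta.key",
        "# only accept peer certificates issued with the client EKU",
        "remote-cert-tls client",
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
        "# hub-and-spoke: 'client-to-client' is deliberately omitted. The hub's",
        "# firewall must also drop tun-to-tun forwarding, or the kernel will",
        "# happily relay one site's packets into another site's LAN.",
    ]
    for s in sorted(sites, key=lambda s: s.number):
        net = ipaddress.ip_network(s.lan)
        lines.append(f"# {s.name}")
        lines.append(f"route {net.network_address} {net.netmask}")
    return "\n".join(lines) + "\n"


def ccd_files(sites: List[Site]) -> Dict[str, str]:
    """ccd/<CN>: pin the tunnel address and tell OpenVPN which client owns
    the site LAN (iroute) so return traffic goes down the right tunnel."""
    files = {}
    for s in sites:
        net = ipaddress.ip_network(s.lan)
        files[s.name] = (f"ifconfig-push {tunnel_ip(s)} {TUNNEL_NET.netmask}\n"
                         f"iroute {net.network_address} {net.netmask}\n")
    return files


# Constructed site list.
SITES = [
    Site(1, "site-01", "192.168.10.0/24"),
    Site(2, "site-02", "192.168.20.0/24"),
    Site(7, "site-07", "172.16.7.0/24"),
]

if __name__ == "__main__":
    print(server_conf(SITES))
    for cn, body in ccd_files(SITES).items():
        print(f"--- ccd/{cn}\n{body}")
```

On the site side, a pfSense box (or a bare OpenVPN client on the server itself) only needs its certificate and the hub address; the `iroute` in its ccd file is what makes the hub send traffic for that LAN into that particular tunnel. If the overlap check fires for a customer whose LAN you cannot renumber, the usual answer is a 1:1 NAT on that site's pfSense to a unique range, and the NATed range is what goes in the site list.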