2021-04-18

Homelab setup - part 2 - software

In this second part of my homelab series I describe the software configuration I use to access my lab remotely, including remote power toggling and remote console access.
The features and software involved are Palo Alto Global Protect (client VPN), Apache Guacamole, ser2net, and a single cURL call to control a Philips Hue power socket.


You can read the first part about the hardware setup here.

 

Palo Alto Global Protect

My Palo Alto PA-220 functions as both Global Protect Portal and external Global Protect Gateway. Authentication is against the local user database.
Nothing special here; if you want to know more, have a look at the Palo Alto Knowledge Base.

ser2net

ser2net (serial to net) is a nice little piece of software that publishes a serial device over telnet. Configuration is simple and fully described in the default config file /etc/ser2net.conf that the package installs; you will find ser2net in your distro's package manager. Note that ser2net 4.x switched to a YAML config file (/etc/ser2net.yaml); the lines below are the classic ser2net.conf format. After connecting a new serial device (e.g. plugging the USB cable into the switch) you can find its device name with "dmesg | grep tty".
Two things to keep in mind: telnet is unencrypted, and ser2net listens on all interfaces unless you bind a port to a specific address (see the ser2net.conf man page). Since Guacamole connects to localhost anyway, restrict these ports to the Guacamole host, otherwise anyone on the LAN gets a console on your lab devices.
Below is my fairly simple config file, but hey, it gets the job done.
 
3000:telnet:600:/dev/ttyACM0:9600 8DATABITS NONE 1STOPBIT banner
3001:telnet:600:/dev/ttyACM1:9600 8DATABITS NONE 1STOPBIT banner
3002:telnet:600:/dev/ttyACM2:9600 8DATABITS NONE 1STOPBIT banner
3003:telnet:600:/dev/ttyACM3:9600 8DATABITS NONE 1STOPBIT banner
3004:telnet:600:/dev/ttyUSB0:9600 8DATABITS NONE 1STOPBIT banner
3005:telnet:600:/dev/ttyUSB1:9600 8DATABITS NONE 1STOPBIT banner

power toggle via Philips Hue

What many people don't know is that the Philips Hue Bridge ships with a small API client (the CLIP API debugger) at http://<IP OF YOUR BRIDGE>/debug/clip.html
All API calls need to be authenticated. You can generate an access key (the bridge calls it a "username") following the Philips MeetHue API documentation here. Treat it like a password: it is part of the URL of every call, and the calls below go over plain HTTP on your LAN.
In my lab environment I have two PDUs, one for the "always on" equipment and one for the "on demand" equipment. To toggle the second PDU I use a Zigbee socket (light ID 7 in my case) connected to my Hue bridge. From the API's perspective it is just something that can be turned on or off, so I wrote two simple scripts for that.

#!/bin/bash
# Power ON the "on demand" PDU by switching Hue light 7 on. Ask first to avoid accidents.
echo "Power ON demo lab?"
select yn in "Yes" "No"; do
    case $yn in
        # PUT {"on":true} to the light's state resource; SECRETAPIKEY is the bridge API key
        Yes ) curl -X PUT --data '{"on":true}' --url "http://10.10.1.23/api/SECRETAPIKEY/lights/7/state"; break;;
        No ) exit;;
    esac
done


and 

#!/bin/bash
# Power OFF the "on demand" PDU by switching Hue light 7 off. Ask first to avoid accidents.
echo "Power OFF demo lab?"
select yn in "Yes" "No"; do
    case $yn in
        # PUT {"on":false} to the light's state resource; SECRETAPIKEY is the bridge API key
        Yes ) curl -X PUT --data '{"on":false}' --url "http://10.10.1.23/api/SECRETAPIKEY/lights/7/state"; break;;
        No ) exit;;
    esac
done


These simple scripts ask whether you really want to perform the action and, if you answer yes, make the API call. I call them from Guacamole. One thing to be aware of: the bridge answers HTTP 200 even when the key is wrong, with an error object in the JSON body, so a plain curl call "succeeds" without having done anything.
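As an added example (not the post's own scripts), here is the same power toggle as one script that keeps the API key out of the file and actually checks the bridge's answer. It assumes the bridge address 10.10.1.23 and light ID 7 from the post, a hypothetical key file ~/.hue_api_key (chmod 600), and the Hue API v1 response format, where each element of the returned array is either a "success" or an "error" object.

```python
#!/usr/bin/env python3
"""Switch the "on demand" PDU via its Hue Zigbee socket and verify the reply.

Added example, not the post's scripts. Assumes bridge 10.10.1.23 and light id 7
from the post; the API key is read from ~/.hue_api_key, a hypothetical file
(chmod 600), so the key does not live in the script.
"""
import json
import os
import sys
import urllib.request

BRIDGE = "10.10.1.23"
LIGHT_ID = 7
KEY_FILE = os.path.expanduser("~/.hue_api_key")  # hypothetical key location


def state_url(bridge, api_key, light_id):
    """URL of the light's /state resource (Hue API v1 over plain HTTP)."""
    return f"http://{bridge}/api/{api_key}/lights/{light_id}/state"


def state_payload(on):
    """JSON body for the PUT: {"on": true} or {"on": false}."""
    return json.dumps({"on": bool(on)}).encode()


def parse_response(body, light_id):
    """Interpret the bridge's reply. The bridge answers HTTP 200 even for a
    bad key, so the JSON array has to be inspected: each element is either
    {"success": {"/lights/<id>/state/on": <bool>}} or {"error": {...}}.
    Returns (ok, message)."""
    try:
        items = json.loads(body)
    except ValueError:
        return False, "bridge returned a non-JSON body"
    if not isinstance(items, list):
        return False, "unexpected response shape"
    for item in items:
        if "error" in item:
            err = item["error"]
            return False, (f"error type {err.get('type')} at "
                           f"{err.get('address')}: {err.get('description')}")
    wanted = f"/lights/{light_id}/state/on"
    for item in items:
        success = item.get("success", {})
        if wanted in success:
            return True, f"light {light_id} on={success[wanted]}"
    return False, f"no confirmation for light {light_id} in response"


def set_power(on, api_key, bridge=BRIDGE, light_id=LIGHT_ID, timeout=5):
    """PUT the new state and return parse_response()'s verdict."""
    req = urllib.request.Request(state_url(bridge, api_key, light_id),
                                 data=state_payload(on), method="PUT",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read().decode("utf-8"), light_id)


def main(argv):
    if len(argv) != 2 or argv[1] not in ("on", "off"):
        print(f"usage: {argv[0]} on|off", file=sys.stderr)
        return 2
    want_on = argv[1] == "on"
    answer = input(f"Power {argv[1].upper()} demo lab? [yes/no] ").strip().lower()
    if answer != "yes":
        return 1
    with open(KEY_FILE) as fh:
        api_key = fh.read().strip()
    ok, msg = set_power(want_on, api_key)
    print(msg)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In Guacamole this replaces the two SSH-to-localhost connections' commands with "hue-power.py on" and "hue-power.py off"; a wrong or revoked key now shows up as "error type 1 ... unauthorized user" and a non-zero exit code instead of a silent no-op.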

Apache Guacamole

Apache Guacamole is a Java web application (with the guacd daemon doing the protocol work) that gives you SSH, Telnet, RDP or VNC sessions in your browser. I use it for convenience, as a single front-end for accessing my demo environment.
I installed and configured Guacamole with MariaDB support for storing settings and with the "auth-header" extension to enable single sign-on via an HTTP header. The header is inserted by the Palo Alto firewall, which knows my User-ID through Global Protect.
   
Above you can see the connections I have created. Here everything comes together. The console connections exposed through ser2net are used in Guacamole as telnet connections to "localhost" and the corresponding ports. The two scripts for toggling the PDU are also included in Guacamole: for these I use SSH connections to localhost with the option to execute a specified command (the power toggle script in this case) after login. Guacamole can also send a Wake-on-LAN packet when a connection is opened. You only have to specify the MAC address of the device to wake; since the magic packet is sent as a broadcast from the Guacamole host, the device needs to be in the same Layer 2 segment as that host. I use it to start the Intel NUC and my workstation.

Palo Alto - HTTP Header insert

One feature of a "URL Filtering" security profile is HTTP header insertion. In combination with the "auth-header" extension for Guacamole this gives you a simple single sign-on.
By default the Guacamole extension looks for the header name "REMOTE_USER". Here is a screenshot of my Palo Alto config.
 
The value "($user)" inserts the current User-ID username, Base64-encoded, into the HTTP request. If no User-ID is known for the source address, the firewall presents a captive portal.
Keep in mind that HTTP header authentication is only secure if no client can ever supply this header itself. If you use this, all HTTP traffic to Guacamole must pass through the Palo Alto that inserts the header: a client that reaches Tomcat directly (for example from the same LAN segment) can send its own REMOTE_USER header and log in as any user. Restrict the Guacamole port to sources that can only reach it via the firewall, and verify that the firewall replaces a REMOTE_USER header a client already sent rather than leaving it in place.
Since the header is inserted Base64-encoded, you won't see a human-readable username in Guacamole (see my screenshot above, top right): the auth-header extension takes the header value as the username as it is.
But apart from that it works really well and was a nice little use case for testing.
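To make the trust rule above concrete, here is an added illustration (not Guacamole or PAN-OS code) of the two checks involved: the header is only honoured when the request comes from a source that can only reach Guacamole through the firewall, and the Base64 value is decoded to the readable User-ID name. The trusted network 10.10.50.0/24 is a hypothetical Global Protect client pool; in practice the source restriction is enforced by a host firewall or reverse proxy in front of Tomcat, and Guacamole itself just uses the header value verbatim.

```python
#!/usr/bin/env python3
"""Header-based SSO trust check, as an added illustration (not Guacamole code).

Assumes the header name REMOTE_USER (the guacamole-auth-header default) and a
hypothetical Global Protect client pool 10.10.50.0/24 whose only path to the
Guacamole host is through the Palo Alto that inserts the header.
"""
import base64
import ipaddress

HEADER = "REMOTE_USER"
# Hypothetical: sources that can only reach Guacamole via the firewall.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.50.0/24")]


def arrives_via_firewall(remote_addr):
    """True if the TCP peer address lies in a network routed through the firewall."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def decode_user(value):
    """Turn the Base64 value the firewall inserts back into a readable name,
    or None when it is not valid Base64 or not printable text."""
    try:
        name = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return name if name and name.isprintable() else None


def resolve_user(headers, remote_addr):
    """Return the username for a request, or None if the header must not be trusted.

    The header only means something when the peer could not have set it
    itself; from any other source it is ignored, even if it looks valid.
    """
    if not arrives_via_firewall(remote_addr):
        return None
    value = headers.get(HEADER)
    if value is None:
        return None
    return decode_user(value)


def demo():
    """Constructed requests: one via the VPN pool, one spoofed from a LAN client."""
    via_fw = resolve_user({HEADER: base64.b64encode(b"alice").decode()}, "10.10.50.12")
    spoofed = resolve_user({HEADER: base64.b64encode(b"admin").decode()}, "10.10.1.77")
    return via_fw, spoofed


if __name__ == "__main__":
    print(demo())
```

The spoofed request carries a perfectly well-formed header and is still rejected; that is the whole point of the caveat. The decode step is only there to show what "dXNlcg==" style usernames in the Guacamole UI actually are.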
 
 
This is the end of part 2. In the next and last part about my homelab setup I will go into detail about my VM environment and the overall topology. Stay tuned!