Could/should OpenBMC include a VPN?

Demi Marie Obenour demiobenour at gmail.com
Fri Feb 6 10:09:58 AEDT 2026


Exposing a BMC to the public Internet is never recommended.  However,
putting the BMC behind a VPN can create a chicken-and-egg problem
if one only has one server in a colocation facility.  In this case,
the only device that can run a VPN is the server being managed,
but if it goes down, one needs the BMC to fix it!

Could this be solved by running WireGuard on the BMC itself?  This
would require configuring a WireGuard interface and configuring all
other services (except DHCP) to only accept traffic on that interface.
Since WireGuard *is* safe to expose to the public Internet, this
would provide almost the same protection as an external VPN without
the drawbacks.

The only remaining limitations I can think of are:

1. The DHCP client and kernel network stack are exposed.
2. An attacker might try to flood the BMC with more traffic than it
   can handle.

Are these unacceptable risks?  An attack on the kernel network stack
is likely a disaster for almost everyone, so I'm not too worried
about this.  Hyperscalers have a huge interest in making sure this
doesn't happen.  Many DHCP clients with decent track records exist,
and a traffic flood is denial of service only.  I could see the risk
of a traffic flood being less than that of a VPN appliance failure,
especially if the colocation facility offers DDoS protection.

Would including WireGuard in OpenBMC make sense?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
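
The following is an added example, not part of the original message and not OpenBMC code: a check that a BMC's listening sockets match the design proposed above, where only WireGuard and the DHCP client are reachable outside the tunnel. The tunnel address `10.0.0.1`, the WireGuard port `51820`, and the sample `ss -H -lntu` output are assumptions constructed for illustration.

```python
import ipaddress

# Assumed values for this sketch; neither appears in the message above.
WG_ADDR = ipaddress.ip_address("10.0.0.1")  # hypothetical address on wg0
WG_PORT = 51820                             # hypothetical WireGuard ListenPort
DHCP_CLIENT_PORT = 68                       # DHCP client (bootpc)

# Constructed sample of `ss -H -lntu` output, not captured from a real BMC.
SAMPLE_SS = """\
udp   UNCONN 0 0   0.0.0.0%eth0:68   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:51820     0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:623       0.0.0.0:*
tcp   LISTEN 0 128 10.0.0.1:443      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:8080    0.0.0.0:*
tcp   LISTEN 0 128 [::]:22           [::]:*
"""

def parse_local(field):
    """Split an ss local-address field into (ip or None if wildcard, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%")[0].strip("[]")  # drop %iface scope, then brackets
    ip = None if host == "*" else ipaddress.ip_address(host)
    if ip is not None and ip.is_unspecified:
        ip = None                          # 0.0.0.0 and :: bind every interface
    return ip, int(port)

def exposed_listeners(ss_output):
    """Return (proto, local) for sockets reachable outside the tunnel."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        proto, local = cols[0], cols[4]
        ip, port = parse_local(local)
        if proto == "udp" and port in (WG_PORT, DHCP_CLIENT_PORT):
            continue  # the two sockets the proposal leaves Internet-facing
        if ip is not None and (ip.is_loopback or ip == WG_ADDR):
            continue  # reachable only locally or through the tunnel
        findings.append((proto, local))
    return findings

if __name__ == "__main__":
    for proto, local in exposed_listeners(SAMPLE_SS):
        print(f"listening outside the tunnel: {proto} {local}")
```

The check looks only at bind addresses, so a wildcard-bound service that is restricted to the WireGuard interface by packet-filter rules instead would still be reported and needs to be verified against the firewall configuration.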