Keith Edmunds wrote:
Install OpenVPN on each end and secure it with X.509 certificates (not too hard to do, and good documentation on the OpenVPN website). Firewall the black box to only allow remote incoming access via the VPN. Now only PCs with a valid certificate will be able to connect to the black box.
Thanks, I'll look at that. I played with OpenVPN some time ago but I would think it's moved on a bit now (or at least hopefully the docs have!)
Presumably I'll be able to do all this whilst leaving the LAN connection open as at present?
If the laptop user has root access to either the laptop or the black box, they'd be able to set up another laptop to access the black box (assuming sufficient skill), but it would not be possible to prevent that (so don't give them root access).
Limiting to specific MAC addresses would help (albeit not hard to spoof a MAC address).
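
The setup discussed in this thread (OpenVPN authenticated with X.509 certificates, the black box firewalled so that remote access arrives only through the VPN, the LAN connection left open), sketched as an added example that is not part of either poster's message. The interface names (`eth0` for the LAN, `eth1` for the outside, `tun0` for the tunnel), UDP port 1194, the 10.8.0.0/24 tunnel subnet and the certificate file names are all assumptions.

```shell
# Added example. Interfaces, port, subnet and file names are assumptions.

# valid_port N: succeed only for an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

# blackbox_rules LAN_IF WAN_IF VPN_IF VPN_PORT
# Prints an iptables-restore ruleset for the black box.
blackbox_rules() {
    valid_port "$4" || { echo "invalid port: $4" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN access stays open as before
-A INPUT -i $1 -j ACCEPT
# From outside, only the OpenVPN listener is reachable
-A INPUT -i $2 -p udp --dport $4 -j ACCEPT
# Traffic from authenticated VPN clients arrives on the tunnel interface
-A INPUT -i $3 -j ACCEPT
COMMIT
EOF
}

# openvpn_server_conf VPN_PORT
# Prints a minimal certificate-authenticated OpenVPN server config.
openvpn_server_conf() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    cat <<EOF
port $1
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Peer must present a client-type certificate that chains to ca.crt
remote-cert-tls client
# Revoke one laptop's certificate without touching the others
crl-verify crl.pem
EOF
}

# Usage (as root): blackbox_rules eth0 eth1 tun0 1194 | iptables-restore
```

Issuing one certificate per laptop is what makes the `crl-verify` line useful: a single machine can be cut off by revoking its certificate.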