Hello,

Summary: I have several hundred servers that need to talk directly with each other in an encrypted manner. Basically a mesh VPN network, but I have been on this mailing list long enough to know that is not currently supported. So, I am thinking of making a pseudo-mesh where each server has one real IP address and one virtual IP address. When a server wants to talk with another securely, it will simply route to the virtual IP address.

Details: I have an environment with several hundred Solaris, Linux, and Windows servers. We need to encrypt all traffic between the servers. It seems like a job for IPsec, but:

a) All the servers are of varying age, and cross-platform IPsec compatibility would be a nightmare.
b) I am much more familiar with OpenVPN.

The question is: Is OpenVPN the right tool for the job?

Although we have several hundred servers, each one only talks to a handful of other servers, and those relationships (peers) are relatively well documented. A critical requirement is that each server only talks with its authorized peers. Probably 95% of any given server's peers will be in the same data center. A centralized OpenVPN server (star topology) would probably not work, as each server passes a huge amount of traffic. I am envisioning a pseudo-mesh architecture.

Recipe for a Pseudo-Mesh Architecture:

Each server will have OpenVPN, a unique SSL certificate, and a static address in the virtual network, registered as a second entry in DNS (example: ServerA.example.com and ServerA-secure.example.com).

Suppose ServerA and ServerB are peers. The OpenVPN client on ServerA makes a connection to the OpenVPN server on ServerB. The OpenVPN server uses the "--ccd-exclusive" command to verify that the connecting client has a "--client-config-dir" file. Only authorized peers will have that file. (Maybe "--tls-remote" would be better for client authentication?)

The tunnel is created, and both ServerA and ServerB now have virtual IP addresses that match their DNS records for ServerA-secure.example.com and ServerB-secure.example.com. (Would the best method to manage this be to push it from the server, or to have each client dictate its own address?)

Now an application on ServerA can be configured to talk with ServerB-secure when it needs encryption. ServerA will look up "ServerB-secure.example.com", find that virtual IP address, and the packets will be routed down the tunnel.

Now multiply that by a couple hundred. Am I crazy? Is there a better solution?

A possible problem: Suppose ServerA has four OpenVPN processes for its four peer connections. Can those four OpenVPNs share the same virtual IP address, or would each require its own TUN device and unique IP address?

Thanks,
Ken Gallo

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
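Added example, not part of Ken's post and not code from the OpenVPN project: a small POSIX shell generator that turns a peer list into the "accept side" config for one node of the pseudo-mesh described above, plus the client-config-dir entries that --ccd-exclusive uses as the peer whitelist, and the "dial side" config a peer uses to reach it. The peer list, host names, tunnel subnets, port and PKI paths are constructed assumptions. The server side is one server-mode instance per node, which takes all inbound peers on a single tun interface with one fixed address; each outbound dial is still its own OpenVPN process with its own tun, so this does not make several processes share one virtual address. The client side pins the peer's certificate CN with verify-x509-name, the replacement for the --tls-remote option mentioned in the post (deprecated in OpenVPN 2.3 and removed in 2.4). Each accepting node is given its own tunnel subnet so that pushed addresses do not collide.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post or the OpenVPN
# project). Generates, for one node, the OpenVPN server-mode config that
# accepts tunnels from authorized peers only, the ccd/ whitelist files, and
# the client config a peer uses to dial it.
#
# Constructed peer list: "<accepting node> <peer cert CN> <peer tunnel IP>".
# All names, addresses, ports and paths below are assumptions.
PEER_LIST='ServerB ServerA 10.9.1.10
ServerB ServerC 10.9.1.11
ServerD ServerA 10.9.2.10'

# gen_server_side NODE SUBNET OUTDIR
# Writes OUTDIR/NODE-server.conf and one OUTDIR/ccd/<CN> file per authorized
# peer. With ccd-exclusive, a client whose certificate CN has no ccd file is
# refused, which is the per-peer authorization check the post is after.
gen_server_side() {
    node=$1
    subnet=$2
    out=$3
    mkdir -p "$out/ccd"
    cat > "$out/$node-server.conf" <<EOF
# $node: accepts tunnels from its authorized peers only (assumed layout)
dev tun
proto udp
port 1194
topology subnet
server $subnet 255.255.255.0
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/$node.crt
key  /etc/openvpn/pki/$node.key
dh   /etc/openvpn/pki/dh.pem
# only clients with a file in ccd/ named after their certificate CN may connect
client-config-dir $out/ccd
ccd-exclusive
keepalive 10 60
persist-key
persist-tun
EOF
    printf '%s\n' "$PEER_LIST" | while read -r acceptor peer ip; do
        [ "$acceptor" = "$node" ] || continue
        # fixed tunnel address per peer, so its -secure DNS record stays stable
        printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$out/ccd/$peer"
    done
}

# gen_client_side NODE PEER OUTDIR
# Writes the config NODE uses to dial PEER. verify-x509-name pins the CN of
# the certificate the remote end must present.
gen_client_side() {
    node=$1
    peer=$2
    out=$3
    cat > "$out/$node-to-$peer.conf" <<EOF
# $node dialing $peer (assumed layout)
client
dev tun
proto udp
remote $peer.example.com 1194
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/$node.crt
key  /etc/openvpn/pki/$node.key
verify-x509-name $peer name
persist-key
persist-tun
EOF
}

# is_authorized NODE PEER OUTDIR: succeeds iff PEER has a ccd entry on NODE,
# i.e. iff ccd-exclusive would let PEER complete the connection.
is_authorized() {
    [ -f "$3/ccd/$2" ]
}

# Stand-alone demo into a scratch directory.
DEMO=$(mktemp -d)
gen_server_side ServerB 10.9.1.0 "$DEMO"
gen_client_side ServerA ServerB "$DEMO"
is_authorized ServerB ServerA "$DEMO" && echo "ServerA may connect to ServerB"
is_authorized ServerB ServerZ "$DEMO" || echo "ServerZ has no ccd file and is refused"
```

The ccd file name must be exactly the CN in the peer's certificate, so the whitelist is only as strong as the CA: any certificate the CA issues with an authorized CN is accepted. Issue certificates from a CA used for nothing else, and keep a CRL (crl-verify) so a decommissioned peer's certificate can be revoked rather than only having its ccd file removed.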