OpenVPN AS deployment questions

Post Reply
jl1615
OpenVpn Newbie
Posts: 1
Joined: Wed Oct 12, 2011 1:35 am

OpenVPN AS deployment questions

Post by jl1615 » Wed Oct 12, 2011 1:50 am

I'm looking for an SSL-VPN for a small company, and I have a few questions about OpenVPN and OpenVPN AS in particular.

1. I already have the OpenVPN client installed on my Mac (version 1.8.3). Can I install it a second time, or configure a second connection? The one I have is a possibly customized client from a customer, so I probably can't mess around too much with it.

2. I can't quite tell from the documentation, but it appears that the OpenVPN server includes its own CA and uses it to provision client certificates for users when they first connect. Is that roughly right?

3. What's the best place in the network to deploy the server? LAN, existing DMZ, or separate DMZ? Of course, the last is the hardest since it requires new hardware, but we've got ESX/ESXi on both the LAN and existing DMZ, so deploying the VM or building our own is straightforward. What are the security issues with deploying the server on the LAN?

4. What are the security differences between the VM and building a hardened Ubuntu 10.04 LTS, for example? I'm not an expert in this space, but I'm relatively comfortable with routine Linux sysadmin tasks, and have deployed small surface area SELinux machines before. Am I likely to find the VM better or worse than what I could roll easily myself?

5. I am considering OpenVPN as an alternative to the standard appliances (SonicWALL, Juniper, etc.) because it seems to have a reasonable feature set, seems mostly straighforward to manager, clearly handles my basic use case of username/password + client certificates, seems like it could handle OTP if we needed it, and has a built-in CA that simplifies certificate deployment, and essentially has a feature set beyond the SMB appliances and akin to the enterprise-level appliances at a fraction of the cost. Is it reasonable to think that deploying OpenVPN AS, especially as a VM, is really not any harder than deploying an appliance?

John L

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: OpenVPN AS deployment questions

Post by maikcat » Thu Oct 27, 2011 11:18 am

hi there,

first want to clarify that openvpn is SSL based vpn meaning that is uses
virtual tun/tap interface and uses SSL for the security/encryption portion.

it is not the same like F.e watchguard SSL based vpn (using web based interface to
access servers inside your network.

Openvpn AS is the commercial version of openpvn,it uses AFAIK the same binary
as open source,but it gives you easy managment.

in pc version you can have as many configs as you like and you can connect simultaneously
to more than one (virtual adapters required).

openvpn can use newly generated CA but AFAIK you can still use commercial one

if you deploy openvpn in DMZ zone and the needed services reside on dmz then its ok,
but if services is on LAN ,i dont think its good idea

openvpn is an alternative to IPSec and PPtP and my suggestion is to use it (i do!).
i simply install a linux distro (i like centos :) ) and install openvpn on top and works PERFECT!.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

Post Reply