OpenVPN AS deployment questions
Posted: Wed Oct 12, 2011 1:50 am
I'm looking for an SSL-VPN for a small company, and I have a few questions about OpenVPN and OpenVPN AS in particular.
1. I already have the OpenVPN client installed on my Mac (version 1.8.3). Can I install it a second time, or configure a second connection? The one I have is a possibly customized client from a customer, so I probably can't mess around too much with it.
2. I can't quite tell from the documentation, but it appears that the OpenVPN server includes its own CA and uses it to provision client certificates for users when they first connect. Is that roughly right?
3. What's the best place in the network to deploy the server? LAN, existing DMZ, or separate DMZ? Of course, the last is the hardest since it requires new hardware, but we've got ESX/ESXi on both the LAN and existing DMZ, so deploying the VM or building our own is straightforward. What are the security issues with deploying the server on the LAN?
4. What are the security differences between the VM and building a hardened Ubuntu 10.04 LTS, for example? I'm not an expert in this space, but I'm relatively comfortable with routine Linux sysadmin tasks, and have deployed small surface area SELinux machines before. Am I likely to find the VM better or worse than what I could roll easily myself?
5. I am considering OpenVPN as an alternative to the standard appliances (SonicWALL, Juniper, etc.) because it seems to have a reasonable feature set, seems mostly straightforward to manage, clearly handles my basic use case of username/password + client certificates, seems like it could handle OTP if we needed it, and has a built-in CA that simplifies certificate deployment, and essentially has a feature set beyond the SMB appliances and akin to the enterprise-level appliances at a fraction of the cost. Is it reasonable to think that deploying OpenVPN AS, especially as a VM, is really not any harder than deploying an appliance?
John L