Multi-server VPN network, sharing certificates??

Letalis
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 14, 2020 11:46 am

Post by Letalis » Mon Sep 14, 2020 12:11 pm

Hi, I've used Linux a fair bit in my past and have always been interested in servers and networks, and recently took it upon myself to try and make a VPN network for me and some friends to use. So far I have one server that I can connect to through a Windows client application I made, with a series of different test clients that share bandwidth equally, and it all seems to be working great.

My next step was to attempt something similar to what the big VPN service providers do, and have a few OpenVPN servers that work in conjunction so that more clients are able to join. E.g. if I give each client 50 Mbps on a 1 Gbps server, I have around 20 clients at most that can join; if I want any more I would need some other fallback servers.

Since each server will have different certificates, my initial idea was to generate an individual .ovpn file for each client on each server when a user is created on the website I'm currently working on. These files would get sent back to the main web server and zipped, ready to be downloaded by the Windows client app. Then the client would be able to randomly select a file from this archive and attempt to connect to one server, moving on to the next if the connection was unsuccessful.

All that seems fairly complex though, and before I implement such a thing on my web server I want to make sure I'm going about this the right way. Since I've not really had many dealings with networking and servers in the past, I'm just trying to create my own solutions for issues like these, since I can't really find much information about it online.

So now comes the actual question: am I actually over-complicating this setup, and is there an easier way I can go about doing this?
Is there a way that I can make all my servers share the same ca.crt and client certificates and keys, or would that cause a potential security concern? I ask this since, if I can use the same certificates, I only need the single <ca>, <cert>, <key> and <tls-crypt> tags, and can then list all my servers in the config as fallback servers like:

remote my.server1.com 443
remote my.server2.com 443
remote-random

If I can set it up like that then maybe I will only need one .ovpn file for each client, which would be a lot easier to keep track of. If not, would the .ovpn archive for each client work, or is there a better way, by which the VPN providers do this?

Any help would be greatly appreciated. Thanks

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: Multi-server VPN network, sharing certificates??

Post by TinCanTech » Mon Sep 14, 2020 1:58 pm

Letalis wrote:
Mon Sep 14, 2020 12:11 pm
Is there a way that I can make all my servers share the same ca.crt
The same way everybody else does... download EasyRSA3 and get on with it.
https://github.com/OpenVPN/easy-rsa/releases

You may also be interested in TLS-Crypt-V2 keys, which are client-specific TLS keys.
https://github.com/TinCanTech/easy-tls

The two scripts work in tandem.
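Worked example, added here and not part of either post above: the EasyRSA 3 flow TinCanTech points at, followed by a generator for the single multi-remote .ovpn that Letalis sketched. Hostnames (vpn1/vpn2.example.com), the client name client1, the ports and the PKI path are assumptions. The point it makes concrete is that only the CA certificate is shared: every server gets its own certificate signed by that one CA, every client gets its own certificate, and the same client cert then validates against any server in the remote list. The CA private key stays on the signing machine, each server receives just ca.crt, its own cert/key and the tls-crypt key, and one client cert is never handed to two users. Requires easyrsa and openvpn on PATH to build; the render function only needs the issued files.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from EasyRSA/OpenVPN.
# Names, hostnames and paths below are assumptions for illustration.
set -eu

PKI_DIR="${PKI_DIR:-$HOME/vpn-pki}"

# Build the CA once, on a host that is NOT a VPN server, then sign one
# certificate per server and one per client. Only ca.crt, the server's own
# cert/key and tc.key are copied to a server; ca.key never leaves this host.
issue_pki() (
  mkdir -p "$PKI_DIR" && cd "$PKI_DIR"
  easyrsa init-pki
  easyrsa --batch build-ca nopass
  for srv in vpn1 vpn2; do                       # assumed server names
    easyrsa --batch build-server-full "$srv" nopass
  done
  easyrsa --batch build-client-full client1 nopass  # assumed client name
  openvpn --genkey --secret pki/tc.key           # one tls-crypt key for all servers
)

# Extract just the PEM block from an EasyRSA issued cert, which also carries
# a human-readable text dump above the PEM.
pem_only() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# render_ovpn NAME PKI_DIR host:port [host:port ...]
# Emits one self-contained client profile. The same <ca>/<cert>/<key> work
# against every listed server because all server certs chain to the one CA;
# remote-random spreads clients over the list and each entry is a fallback.
render_ovpn() {
  name="$1"; pki="$2"; shift 2
  printf 'client\ndev tun\nproto udp\nnobind\npersist-key\npersist-tun\n'
  for r in "$@"; do
    printf 'remote %s %s\n' "${r%:*}" "${r#*:}"
  done
  printf 'remote-random\nresolv-retry infinite\n'
  # Refuse any peer whose cert lacks the server EKU, so a client cert signed
  # by the same CA (e.g. a stolen one) cannot impersonate a server.
  printf 'remote-cert-tls server\nverb 3\n'
  printf '<ca>\n%s\n</ca>\n' "$(cat "$pki/ca.crt")"
  printf '<cert>\n%s\n</cert>\n' "$(pem_only "$pki/issued/$name.crt")"
  printf '<key>\n%s\n</key>\n' "$(cat "$pki/private/$name.key")"
  printf '<tls-crypt>\n%s\n</tls-crypt>\n' "$(cat "$pki/tc.key")"
}

# Usage: ./multi-server.sh build
# Builds the PKI and writes client1.ovpn listing both servers; the user keeps
# exactly one profile and the client tries the remotes in random order.
if [ "${1:-}" = "build" ]; then
  issue_pki
  render_ovpn client1 "$PKI_DIR/pki" \
    vpn1.example.com:443 vpn2.example.com:443 > client1.ovpn
fi
```

On the server side each instance uses its own `cert`/`key`, the shared `ca` and `tls-crypt tc.key`, plus `remote-cert-tls client`, so a server certificate cannot be replayed as a client. Nothing here hands a client key to a second user; if two users must be told apart (for revocation, per-user routes, or the client-specific tls-crypt-v2 keys mentioned above), that only works when each has their own certificate.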

Letalis
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 14, 2020 11:46 am

Re: Multi-server VPN network, sharing certificates??

Post by Letalis » Mon Sep 14, 2020 2:16 pm

Okay thanks for the reply, so will these two scripts allow me to make a .ovpn file for each client that has "universal" certificates which should in theory work on all my different servers?

Letalis
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 14, 2020 11:46 am

Re: Multi-server VPN network, sharing certificates??

Post by Letalis » Mon Sep 14, 2020 2:57 pm

Just for a little more info, I set up my server using this easy setup script on Ubuntu: https://github.com/Nyr/openvpn-install
I've already got easy-rsa downloaded and have a CA and some client keys.
I'm very new to certificates and security, which is why I'm struggling with this particular part. Now I have this CA, and if I use your script for my client-specific TLS keys, how do I go about moving these to my other servers?

My end goal is to be able to have a .ovpn file for each client, with one set of certificates that will work on all servers, so I can then add all the servers into that config as fallbacks.
