I'm not totally wild about OpenVPN. If you asked me which I'd rather expose, SSH or OpenVPN, I'd have to flip a coin. In either case, it's easy to realize the "right" configuration, with a single "bastion" host (hate that word) that provides authorized clients with transparent access to servers.
One thing you can say for SSH is that it gets a lot more audit attention than OpenVPN does.
In either case, the problem I think most startups should move to solve early is multi-factor authentication. I have friends building things with Yubikeys, and others building things with SMS-based auth; either are better than straight passwords, which are (among other things) a policy nightmare.
OpenVPN can be configured to be stealthy (to start a connection, the first packet must be signed with a shared-secret, otherwise it doesn't respond), while SSH doesn't. And OpenVPN has the performance advantage (tunneling is done over UDP instead of SSH's TCP - TCP over TCP brings about a couple of performance problems, especially when there's congestion).
Multi-factor is a big deal, especially if you ever want to deal with credit cards at all. We looked at WiKID (open source two factor solution) but building a LDAP backed VPN solution around it was going to be a fair bit of work, so we ended up using PhoneFactor, which is a pretty cheap commercial offering using your cell phone instead of physical token. Big fan.
If you would rather use ssh than OpenVPN but still want the convenience of "direct" connections to computers on the other side of the gateway host, and you want to avoid the tcp-over-tcp slowness problem, try my sshuttle project: http://github.com/apenwarr/sshuttle
Yeah I'd go the ssh route myself. Nothing against OpenVPN, but the (or maybe another) big problem in this scenario is that people are using passwords to log into servers in the first place.
If they only thing you're planning to run over your VPN is SSH, then yeah, it's a coin toss whether you should run a VPN or just expose OpenSSH to the internet. But if you're planning on running anything else over your VPN, then I'd wildly disagree that the two are equivalent.
Someone else already mentioned the performance advantage, but just the user convenience advantage alone would be a deciding factor for me.
We have been using OpenVPN to secure one of our Rackspace servers dedicated to development for the last couple of years. We also have ejabberd running on that box (just talking to the vpn interface). It works great for distributed development and the internal secured jabber IMs are great for transferring sensitive stuff like passwords between remote folks. We also have a persistent conference room for a shared "watercooler".
The main problem we have is key management. Does anyone know of a good admin app for generating, storing and revoking keys?
I've been using tinyca2, which has a really nice gnome interface for managing a certificate authority. I'm really happy with it and it takes a lot of the pain out of CA and certificate management.
Interesting. We ran ejabberd over SSL for years without needing a VPN. Most DVCS' support SSH in some form or another. You might find SSH key management a bit easier.
tinc is really good little secret I have found if you want a true mesh P2P secure overlay network. It's open source, has a good community in freenode #tinc, and really easy to install and use, just read the man page http://linux.die.net/man/5/tinc.conf
I strongly recommend not relying on the VPN written in C that nobody's heard of that uses a hand-rolled custom RSA authentication algorithm to authenticate connections for your perimeter security.
can you tell me what the actual difference between OpenVPN and tinc is? I know OpenVPN very well and really like it. Why would I prefer tinc over OpenVPN (or the other way around)?
In my opinion, they share a lot of the same features like running in userspace, easy configuration, ssl/certificate based authentication - just the same.
we are doing that in our production environment. We use different boxes (1 on US and 2 on EU), they are connected with openvpn to serv our different needs.
Our personal development boxes are also connected to each others using OPENVPN and firewalled. All the internal code made for our app is using the VPN ips, and every application is listening on these IP only (not localhost nor 0.0.0.0)
The lines between the nodes were actually meant to show that those nodes use the Rackspace internal network (ServiceNet) for communication - see the colored labels on the diagram.
[+] [-] tptacek|15 years ago|reply
One thing you can say for SSH is that it gets a lot more audit attention than OpenVPN does.
In either case, the problem I think most startups should move to solve early is multi-factor authentication. I have friends building things with Yubikeys, and others building things with SMS-based auth; either are better than straight passwords, which are (among other things) a policy nightmare.
[+] [-] CrLf|15 years ago|reply
[+] [-] modoc|15 years ago|reply
[+] [-] apenwarr|15 years ago|reply
[+] [-] ams6110|15 years ago|reply
[+] [-] theBobMcCormick|15 years ago|reply
Someone else already mentioned the performance advantage, but just the user convenience advantage alone would be a deciding factor for me.
[+] [-] acqq|15 years ago|reply
[+] [-] dugmartin|15 years ago|reply
The main problem we have is key management. Does anyone know of a good admin app for generating, storing and revoking keys?
[+] [-] trafficlight|15 years ago|reply
I've been looking around for an admin app as well. It would be even better if I could tie it into an intranet site as well.
[+] [-] thwarted|15 years ago|reply
[+] [-] _b8r0|15 years ago|reply
[+] [-] aguynamedben|15 years ago|reply
http://tinc-vpn.org/
[+] [-] tptacek|15 years ago|reply
[+] [-] pilif|15 years ago|reply
In my opinion, they share a lot of the same features like running in userspace, easy configuration, ssl/certificate based authentication - just the same.
[+] [-] ritonlajoie|15 years ago|reply
Our personal development boxes are also connected to each others using OPENVPN and firewalled. All the internal code made for our app is using the VPN ips, and every application is listening on these IP only (not localhost nor 0.0.0.0)
(applications are mysql/couchdb/git/apache)
That's pretty great !
[+] [-] trun|15 years ago|reply
[+] [-] steve19|15 years ago|reply
[+] [-] pmjordan|15 years ago|reply
[+] [-] trefn|15 years ago|reply
[+] [-] lobo-tuerto|15 years ago|reply
Just to illustrate what network interfaces you would use for communicating between server processes.