Suggestions for VPN solution between backend servers

Question

I am using a rackspace cloud environment to host a server farm. The problem i've run into is that Rackspace shares all internal network traffic on a single subnet (or rather, all the servers in what they call a 'huddle'). This is not ideal, as I need to pass some sensitive information between servers and do not want to take the risk of being sniffed. We could use ssl, but that would require a great deal of re-architecting the application.

Rackspace suggested creatinga VPN between servers. This seems like the easiest solution at this point, however, i'm looking for a vpn solution that is stable and works well in a backend server environment with lots of traffic.

The servers are a mix of Windows and Linux servers. Keep in mind that the vpn has to work without an interactive user logged in. As such, it has to be something that is service friendly. So, client-side vpn's like Hamachi aren't really viable, nor do I want a solution that requires an outside server.

Any suggestions?

EDIT:

I'd like to avoid any options that require a great deal of configuration to make work. This leaves out IPSec and OpenVPN (both of which give you very powerful low-level control, but require a lot of configuration)

EDIT2:

I thought it was relatively obvious from my requirements, but I cannot have a point-to-point solution, it needs to be a private subnet not clients connecting to a single server. And I definitely don't want to create configurations to connect to the entire set of permutations of servers.

Well I was going to say it isn't that complicated to setup L2TP/Ipsec with Openswan on CentOS, but you edited your question to exclude IPSec. — hobodave, Sep 25 '10 at 20:50
Don't they offer VLANs? That should have no impact on resources and stable. Alternatively, OpenVPN is definitively not complicated nor does it require a great deal of configuration to make it work. — Unreason, Sep 27 '10 at 16:09
No, they don't offer vlans. OpenVPN is simple only if you have a single point to point configuration, it gets very complex after that. — Erik Funkenbusch, Sep 28 '10 at 16:59

Joris · Accepted Answer · 2010-09-25T19:13:20.357

6

tinc does exactly what you want; although automated deployment would require extra scripting.

Edit: highlights:

User space tun/tap daemon, runs at least on win + lin, without user interaction
Creates a single virtual nic on a hub/switch (layer 2) or router (layer 3) (depending on config) for your entire cloud, so no N^2 cross-tunnels or gateways required for a full any-to-any
ipv6 compatible (in fact in use at some pops on ipv6 tunnel system sixxs)
Smaller community, but very knowledgeable and helpful

edited Sep 25 '10 at 19:13

answered Sep 25 '10 at 19:05

Joris

5,939
1
15
13

This looks promising. Yes, i'm looking at about 20 servers, so i don't want to have to have point to point systems. – Erik Funkenbusch Sep 25 '10 at 19:51

score 2 · Answer 2 · edited Sep 25 '10 at 20:18

2

Most stable decision OpenVPN and IPsec. Stunnel is very easy, try it first.

edited Sep 25 '10 at 20:18

pQd

29,561
5
64
106

answered Sep 25 '10 at 18:51

bindbn

5,153
2
26
23

Nice, listing the hardest solution on every level. – Joris Sep 25 '10 at 19:07
4

OpenVPN just isn't hard, in any way. – tomfanning Sep 25 '10 at 20:10
No, it's not hard at all.. that's why their mailing list is inundated with people trying to make it work. OpenVPN is easy if you have a simple configuration. It gets very complicated very quickly. – Erik Funkenbusch Sep 25 '10 at 20:15
1

thumbs up for openvpn. but ipsec - i would not go that way - standard-based - yes, but setting this up - no, thanks. – pQd Sep 25 '10 at 20:19
+1 for Stunnel. Simplest to set up without having to really touch your app. – JustinShoffstall Sep 25 '10 at 20:09
From the Stunnel home page: "On NT it can only be run from a command prompt (DOS window,) not as a true NT service." It lists various hacks, but that's not a professional solution. – Erik Funkenbusch Sep 25 '10 at 20:27

score 0 · Answer 3 · answered Sep 25 '10 at 19:11

0

Can you configure IPSec to encrypt the network traffic? This wouldn't require any changes to the application code, just a quick config change on your servers.

answered Sep 25 '10 at 19:11

mrdenny

27,074
4
40
68

IPsec between Windows and Linux are not very quick decision – bindbn Sep 25 '10 at 19:18
Yeah, i've alrady wasted a lot of time trying to get windows and linux to talk to each other via IPSec. I'm sure it can be done, but wow... – Erik Funkenbusch Sep 25 '10 at 19:53
I've never done a Windows to Linux IPSec. Getting it setup for Windows to Windows should be pretty easy. Then it's just the linux part. – mrdenny Sep 25 '10 at 20:41

score 0 · Answer 4 · answered Sep 26 '10 at 07:30

0

You didn't say if you wanted a mesh or single server to multiple client setup. For a single server setup, OpenVPN is easy and works. Never tried a mesh setup with OpenVPN.

answered Sep 26 '10 at 07:30

Porch

680
5
12

It's not a single server multiple client setup. Some clients talk to each other, some talk to the database server. At some point we will have to cluster the database servers, etc.. Point to point just doesn't work. And I don't want all traffic going through a central server (that's a single point of failure) – Erik Funkenbusch Sep 26 '10 at 17:15

Suggestions for VPN solution between backend servers

4 Answers4