
I'm doing a preliminary study for a contract to build a VPN network between ~600 remote servers running Linux CentOS 6 (+ their 600 private LANs). The network is supposed to be star-based, so that each remote server connects to a central server(s) to enter the VPN (I know it's a SPOF but that's OK because the main application for which this VPN is built will run on the central server anyway).

I would like to use OpenVPN (it's really flexible and can be tuned to the configuration we need), but I was wondering what are the best practices for running it on such a large network. For instance, if used in tun mode, it would create 600 tun interfaces on the central server(s), and I don't even know whether that is supported and/or creates any problem.

I don't have any experience with such a large network, so I'm open to any kind of suggestion and pointers. Thanks!

Giovanni Bajo

2 Answers


Check out tinc. It's a simpler daemon that auto-negotiates routes. So at first connections look like a star, but if it's closer for two servers to connect directly, they do that. Also because each box only has to be configured to connect to a master node once, adding a new server means you don't have to update the configuration on all of the existing servers. With ~600 servers that would become painful quickly.

http://tinc-vpn.org/

n8whnp

With OpenVPN AFAIK, you only create one tun interface on the central server and then all the connecting nodes are located in this interface's subnet. So you will not run into any limitations on this side.

I have a similar VPN set up even though not to the scale that you are mentioning. We have 80 servers with 80 /24 LANs behind them. We use OpenVPN and it works great. The main problem we had was bandwidth overload due to bad supervision and bad planning. That many servers can easily reach 100Mbit/s so you have to plan carefully. Depends on your use that is true but that's the main problem we had.

Configuration-wise, you have to use client specific configuration tying a VPN certificate to a specific route. This can be done with the ccd directory. Keep your configuration clean because with that many servers it can quickly become a mess. Create a little script for yourself to generate the keys rapidly because it will take a while with so many keys. You can just modify the OpenVPN utils to execute silently. Set a long certificate expiry time if security is not much of an issue, re-issuing 600 certificates has got to be painful.

Antoine Benkemoun
  • Sorry I don't follow, which specific 100Mbit/s interface was being overloaded? – Giovanni Bajo Nov 05 '11 at 16:20
  • The 100Mbit/s interface of the VPN server as all the LAN to LAN traffic would use that interface in and out. 1 bit of data LAN to LAN was one bit out and one bit in of the VPN server's interface. That adds up quickly. – Antoine Benkemoun Nov 05 '11 at 16:26
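One way to keep the ccd directory consistent at the scale discussed in the answer above, as an added example that is not part of this thread: a script that generates the per-client `iroute` file and the matching server-side `route` line for every remote server from one inventory, with the checks that matter once a certificate CN becomes a file name. It assumes `server.conf` contains `client-config-dir ccd` and includes the generated routes file; the inventory format, CNs and subnets are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build one client-config-dir (ccd) file per
# remote server from an inventory of "<cert CN>,<LAN network>,<netmask>", plus the
# server-side "route" lines. Assumes server.conf has "client-config-dir ccd" and
# "config server-routes.conf"; all names and subnets below are made up.
set -eu

# Constructed sample inventory: certificate CN and the /24 LAN behind that node.
INVENTORY='site001,10.101.1.0,255.255.255.0
site002,10.101.2.0,255.255.255.0
site003,10.101.3.0,255.255.255.0'

# gen_ccd <ccd_dir> <routes_file>: returns 1 on a malformed CN or on a subnet
# claimed by two certificates, so a bad inventory line is never half-applied.
gen_ccd() {
  ccd_dir=$1; routes=$2
  mkdir -p "$ccd_dir"
  : > "$routes"
  while IFS=, read -r cn net mask; do
    [ -n "$cn" ] || continue
    # The CN becomes a file name under ccd/: accept only a plain token so a
    # crafted CN (e.g. one containing "/" or "..") cannot name a file elsewhere.
    case $cn in *[!A-Za-z0-9._-]*) echo "bad CN: $cn" >&2; return 1;; esac
    # Two certificates claiming the same LAN would make routing ambiguous.
    if grep -qxF "route $net $mask" "$routes"; then
      echo "subnet $net already assigned" >&2; return 1
    fi
    # iroute: OpenVPN's internal table, "this client owns this LAN".
    printf 'iroute %s %s\n' "$net" "$mask" > "$ccd_dir/$cn"
    # route: the kernel still needs to send that LAN into the tun interface.
    printf 'route %s %s\n' "$net" "$mask" >> "$routes"
  done <<EOF
$INVENTORY
EOF
}

# count_ccd <ccd_dir>: number of generated per-client files.
count_ccd() { ls "$1" | wc -l | tr -d ' '; }

# Stand-alone demo into a scratch directory.
demo=$(mktemp -d)
gen_ccd "$demo/ccd" "$demo/server-routes.conf"
echo "generated $(count_ccd "$demo/ccd") ccd files in $demo/ccd"
cat "$demo/ccd/site002" "$demo/server-routes.conf"
```

Pair this with `ccd-exclusive` in `server.conf`, so a certificate that has no ccd file is refused instead of being connected with default settings; that is what "tying a certificate to a specific route" should mean when every one of the 600 certificates is supposed to map to exactly one LAN.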