To VPN or not to VPN...

Hey guys (& gals),

Newbie here. Please go easy on me… :)

I was wondering, when I run multiple VPS instances, i.e. multiple web servers, database servers, etc, should I combine all of these into a VPN? It seems logical to me to completely separate my VPS instances from the rest of Linode network but it turns out not an easy feat to get this up and running. E.g. I find the community guide [1] very difficult to follow, i.e. there seems to be a lot of context missing in this document.

So, do I really need a VPN and if so, does anyone know of any good tutorials out there on setting up a VPN "network", not a proxy to get onto the internet?

Thanks,

Luke

[1] https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7

5 Replies

For inter-server communication, I just have iptables set to whitelist the private IPs for each of my Linodes for services that should remain private. Way simpler than messing with OpenVPN. Here's the iptables rules for one of my servers:

[root@web masonm]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           /* 000 accept all icmp */ 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 001 accept all to lo */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 /* 002 accept SSH */ 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 003 accept related established rules */ state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80 /* 010 accept HTTP */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 443 /* 011 accept HTTPS */ 
ACCEPT     tcp  --  192.168.xxx.xxx      0.0.0.0/0           multiport dports 11211 /* 020 accept memcache for web.node1 */ 
ACCEPT     tcp  --  192.168.xxx.xxx      0.0.0.0/0           multiport dports 11211 /* 020 accept memcache for web.node3 */ 
ACCEPT     tcp  --  192.168.xxx.xxx      0.0.0.0/0           multiport dports 11211 /* 020 accept memcache for web.node4 */ 
ACCEPT     tcp  --  192.168.xxx.xxx      0.0.0.0/0           multiport dports 5666 /* 020 accept nrpe for ops */ 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop all other requests */ 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop forwarded packets */ 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
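As an added example (not the poster's own script), here is a POSIX shell function that emits the equivalent iptables commands from a list of private addresses, plus a check that every rule opening a private-service port (memcache 11211, NRPE 5666) is restricted to a source. The 192.168.100.x addresses are constructed placeholders for the redacted 192.168.xxx.xxx values above.

```shell
#!/bin/sh
# Added example: prints the iptables commands instead of running them, so the
# ruleset can be reviewed (and diffed against `iptables -S`) before applying.
# Placeholder private IPs; substitute your own Linodes' back-end addresses.
WEB_NODES="192.168.100.11 192.168.100.13 192.168.100.14"   # hypothetical web nodes
OPS_NODE="192.168.100.50"                                  # hypothetical ops/nagios host

gen_rules() {
  printf '%s\n' \
    "iptables -F INPUT" \
    "iptables -F FORWARD" \
    "iptables -A INPUT -p icmp -j ACCEPT" \
    "iptables -A INPUT -i lo -j ACCEPT" \
    "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"
  # Private services: one rule per trusted private IP, never an open port.
  for ip in $WEB_NODES; do
    echo "iptables -A INPUT -p tcp -s $ip --dport 11211 -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp -s $OPS_NODE --dport 5666 -j ACCEPT"
  # Mirror the listing above: explicit catch-all DROP at the end of INPUT/FORWARD.
  printf '%s\n' \
    "iptables -A INPUT -j DROP" \
    "iptables -A FORWARD -j DROP"
}

# Returns 0 when every memcache/NRPE rule carries a -s source, 1 otherwise.
check_private_ports_scoped() {
  if gen_rules | grep -E -- '--dport (11211|5666) ' | grep -v -q -e '-s '; then
    return 1
  fi
  return 0
}

# `sh thisfile.sh print` shows the generated commands; pipe to `sh` as root once reviewed.
if [ "${1:-}" = "print" ]; then
  gen_rules
fi
```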

Thanks for that.

That seems like an OK solution, but how do you secure the communication between Linodes? I mean, if, e.g., a web server connects to a database server, do you create a secure connection or just use the connection as is?

I can imagine that not every connection would have to be secure, but e.g. when authenticating etc. I'd assume you don't want Linodes of other users who happen to be on the same private network to be able to snoop the data?

Let me know what you think.

@northern:

Thanks for that.

That seems like an OK solution but how to secure the communication between Linodes?

Not necessary, because internal traffic can't be intercepted by other Linodes. Source: https://blog.linode.com/2008/03/14/private-back-end-network-support/

"We filter traffic based on MAC and IP addresses. You can’t sniff traffic on the back-end LAN. You won’t see other people’s traffic. The only packets you’ll receive are those that are destined for your Linode. It works no differently from our public-networking filtering."

If you're paranoid, you may want to take advantage of any encryption your application offers for network traffic; e.g., MySQL can be configured to use SSL. This would especially be a benefit if for some reason you moved to another environment* that didn't isolate traffic the way Linode does.

*Not that I'm suggesting you'd ever want to leave Linode!

I looked into OpenVPN once, but it looked more complicated than what I wanted to spend the time learning to configure. SSH tunnels or SSL built into products are usually all I need; if I needed just a little more configurability, I'd consider stunnel. If I had many and varied connections between peers/clients/servers, I'd probably sit down and figure out OpenVPN, or possibly look into a commercial product.
