Site-to-site OpenVPN with Certificates - best practice
-
I currently have a number of sites with peer-to-peer shared key OpenVPN tunnels between them. For example:
3 main sites (M1, M2, M3)
9 small sites (S1 to S9)
Each small site has 3 clients, connecting to M1, M2 and M3.
Each main site has 9 OpenVPN server instances - each one listening on a different port for the incoming connect from a small site.
Each main site also has 1 server and 1 client in a triangle M1<->M2<->M3<->M1 directly connecting the main sites to each other.
So a main site has a total of 10 OpenVPN server and 1 OpenVPN client instance. Clearly this does not scale so well as the number of sites grows. I can combine the 10 OpenVPN server instances into 1 by using Peer-to-Peer (SSL/TLS) and having all the clients connect to 1 server instance at a main site. I don't currently have (or need) any external certificate for my organisation. I can get things working OK, but before diving in and creating lots of stuff that is hard to change later, I would like some feedback, what is the best practice for making certificate authorities and certificates:
1) Top-level self-signed CA:
   a) Make a different top-level self-signed CA at each main site; or
   b) Make 1 top-level self-signed CA at M1, then also install it at M2 and M3; or ?
2) Intermediate CA - is it good to make an Intermediate CA for each site router (maybe if (1b) is done)?
3) Then I make a server certificate for each OpenVPN server instance (3 in total), and client certificates (10 to use with each server - total 30 overall) based on either the Intermediate or top-level self-signed CA?
   At each client I will have to import the client certificates for that client (3 - 1 for connecting to each server), plus the Intermediate CA, and maybe also the Top-level self-signed CA.
4) In this sort of setup, we are being our own Certificate Authority, so every router needs the CA chain locally installed so it can establish trust locally - yes?
5) What good practice suggestions do you have for the common name of certificates?
I am using 2.1-BETA1 so am able to use the latest bells-and-whistles in the GUI.
-
Just make one CA for each "class" of VPN.
One just for the site-to-site.
Separate ones for each remote access that has a different set of access restrictions.
Trying to do a large structure and intermediates is just over-complicating it for very little, if any, benefit.
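As an added illustration of the one-CA-per-class suggestion above (example script, not code from the thread or from pfSense), this builds a site-to-site CA and a separate remote-access CA with the openssl CLI, issues server and client certificates under them, and checks that a certificate from one CA does not validate against the other. The openssl CLI, the working directory and all names and subjects are assumptions constructed for the demo.

```shell
# Added example: one self-signed CA per VPN "class". Assumes the openssl CLI;
# every name, path and subject below is constructed for this demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# write_cnf CN: minimal openssl config so the demo does not depend on the system openssl.cnf
write_cnf() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}
# make_ca NAME: self-signed root for one class of VPN (e.g. site-to-site only)
make_ca() {
  write_cnf "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# issue CA CN EKU: leaf certificate signed by CA; EKU is serverAuth or clientAuth
issue() {
  write_cnf "$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$2.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}
# chains_to CA CERT: succeeds only if CERT was issued by CA (the check an OpenVPN peer makes against its configured CA)
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}
# Demo: a site-to-site CA and a separate remote-access CA
make_ca s2s-ca
make_ca ra-ca
issue s2s-ca m1-server serverAuth
issue s2s-ca s1-client clientAuth
issue ra-ca laptop clientAuth
chains_to s2s-ca s1-client && echo "s1-client accepted by the site-to-site CA"
chains_to s2s-ca laptop || echo "laptop (remote-access CA) rejected by the site-to-site CA"
```

Because each class has its own root, a remote-access client certificate can never be presented to the site-to-site server, even before any per-certificate access rules apply.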