Netgate Discussion Forum
    Site-to-site OpenVPN with Certificates - best practice

    OpenVPN
    phil.davis

      I currently have a number of sites with peer-to-peer shared key OpenVPN tunnels between them. For example:
      3 main sites (M1, M2, M3)
      9 small sites (S1 to S9)
      Each small site has 3 clients, connecting to M1, M2 and M3.
      Each main site has 9 OpenVPN server instances - each one listening on a different port for the incoming connect from a small site.
      Each main site also has 1 server and 1 client in a triangle M1<->M2<->M3<->M1 directly connecting the main sites to each other.
      So a main site has a total of 10 OpenVPN server and 1 OpenVPN client instance. Clearly this does not scale so well as the number of sites grows.

      I can combine the 10 OpenVPN server instances into 1 by using Peer-to-Peer (SSL/TLS) and having all the clients connect to 1 server instance at a main site. I don't currently have (or need) any external certificate for my organisation. I can get things working OK, but before diving in and creating lots of stuff that is hard to change later, I would like some feedback, what is the best practice for making certificate authorities and certificates:

      1. Top-level self-signed CA:
          a) Make a different top-level self-signed CA at each main site; or
          b) Make 1 top-level self-signed CA at M1, then also install it at M2 and M3; or ?
      2. Intermediate CA - is it good to make an Intermediate CA for each site router (maybe if (1b) is done)?
      3. Then I make a server certificate for each OpenVPN server instance (3 in total), and client certificates (10 to use with each server - total 30 overall) based on either the Intermediate or top-level self-signed CA?

      At each client I will have to import the client certificates for that client (3 - 1 for connecting to each server), plus the Intermediate CA, and maybe also the Top-level self-signed CA.
      4. In this sort of setup, we are being our own Certificate Authority, so every router needs the CA chain locally installed so it can establish trust locally - yes?

      5. What good practice suggestions do you have for the common name of certificates?

      I am using 2.1-BETA1 so am able to use the latest bells-and-whistles in the GUI.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      jimp (Rebel Alliance Developer, Netgate)

        Just make one CA for each "class" of VPN.

        One just for the site-to-site.

        Separate ones for each remote access that has a different set of access restrictions.

        Trying to do a large structure and intermediates is just over-complicating it for very little, if any, benefit.


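The layout jimp recommends (one CA for the site-to-site class, a separate CA for remote access, no intermediates), applied to the M1/S1..S3 setup from the question, as an added example that is not code from either poster or from pfSense. It uses plain openssl so the trust checks OpenVPN makes (chain to the CA, server versus client extendedKeyUsage) can be exercised offline; ra-ca and ra-laptop are constructed names standing in for a remote-access class.

```shell
# Added example, not from the thread: the one-CA-per-VPN-class layout jimp
# recommends, built with plain openssl so trust boundaries can be checked
# offline. M1 and S1..S3 follow the question; ra-ca/ra-laptop are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Extension profiles. OpenVPN's remote-cert-tls check relies on server and
# client certificates carrying different extendedKeyUsage values.
cat > ext.cnf <<'EOF'
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
# make_ca NAME: one self-signed CA per class of VPN, no intermediates
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
    -extfile ext.cnf -extensions ca_ext -out "$1.crt" 2>/dev/null
}
# issue CA NAME PROFILE: key and CSR for NAME, signed by CA under PROFILE
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 825 -extfile ext.cnf -extensions "$3" -out "$2.crt" 2>/dev/null
}
# verify_as CA NAME PURPOSE: exit 0 only if NAME chains to CA and its
# extensions allow PURPOSE (sslserver or sslclient)
verify_as() {
  openssl verify -CAfile "$1.crt" -purpose "$3" "$2.crt" >/dev/null 2>&1
}
make_ca s2s-ca                      # the single site-to-site CA
issue s2s-ca M1 server_ext          # the one server instance at M1
for s in S1 S2 S3; do issue s2s-ca "$s" client_ext; done
make_ca ra-ca                       # remote access gets its own CA
issue ra-ca ra-laptop client_ext
verify_as s2s-ca S1 sslclient && echo "S1 trusted as a site-to-site client"
verify_as s2s-ca S1 sslserver || echo "S1 cannot pose as the server"
verify_as s2s-ca ra-laptop sslclient || echo "remote-access cert not trusted"
```

On pfSense the same result comes from creating the CA and certificates under System > Cert Manager and selecting the matching CA on the OpenVPN server, with "Server Certificate" and "User Certificate" as the certificate types; the openssl commands above just make the resulting trust boundaries visible.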
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.