Large VPN network (~600 servers) with OpenVPN
I'm doing a preliminary study for a contract to build a VPN network between ~600 remote servers running Linux CentOS 6 (+ their 600 private LANs). The network is supposed to be star-based, so that each remote server connects to a central server(s) to enter the VPN (I know it's a SPOF but that's OK because the main application for which this VPN is built will run on the central server anyway).
I would like to use OpenVPN (it's really flexible and can be tuned to the configuration we need), but I was wondering what the best practices are for running it on such a large network. For instance, if used in tun mode, it would create 600 tun interfaces on the central server(s), and I don't even know if that's supported and/or creates any problem.
I don't have any experience with such a large network, so I'm open to any kind of suggestion and pointers. Thanks!
Check out tinc. It's a simpler daemon that auto-negotiates routes. So at first connections look like a star, but if it's closer for two servers to connect directly, they do that. Also, because each box only has to be configured to connect to a master node once, adding a new server means you don't have to update the configuration on all of the existing servers. With ~600 servers that would become painful quickly.
http://tinc-vpn.org/
With OpenVPN AFAIK, you only create one tun interface on the central server and then all the connecting nodes are located in this interface's subnet. So you will not run into any limitations on this side.
I have a similar VPN set up, even though not at the scale that you are mentioning. We have 80 servers with 80 /24 LANs behind them. We use OpenVPN and it works great. The main problem we had was bandwidth overload due to bad supervision and bad planning. That many servers can easily reach 100Mbit/s, so you have to plan carefully. It depends on your use, that is true, but that's the main problem we had.
Configuration-wise, you have to use client-specific configuration tying a VPN certificate to a specific route. This can be done with the ccd directory. Keep your configuration clean, because with that many servers it can quickly become a mess. Create a little script for yourself to generate the keys rapidly, because it will take a while with so many keys. You can just modify the OpenVPN utils to execute silently. Set a long certificate expiry time if security is not much of an issue; re-issuing 600 certificates has got to be painful.
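One way to script the ccd entries this answer describes (one `iroute` per certificate CN, with the matching `route` line for server.conf), as an added example that is not part of the original post; the inventory format and site names are constructed for the example:

```shell
#!/bin/sh
# Added example (not from the original post): generate the per-client
# OpenVPN ccd entries that tie one certificate to one remote LAN, plus the
# matching 'route' lines for server.conf, from an inventory list.
# Assumptions not on the page: the inventory format "<CN> <network> <netmask>"
# is invented here; OpenVPN looks up ccd files by the certificate's CN.
set -eu

# Constructed sample inventory: one line per remote server and its LAN.
SAMPLE_INVENTORY='site001 10.1.1.0 255.255.255.0
site002 10.1.2.0 255.255.255.0
site003 10.1.3.0 255.255.255.0'

# gen_ccd <ccd_dir> <routes_file> <inventory>
# For each record, writes <ccd_dir>/<CN> with an 'iroute' (tells OpenVPN
# which connected client owns that subnet) and appends a 'route' line
# (tells the kernel to send that subnet into the tun interface) to
# <routes_file>. server.conf must contain 'client-config-dir <ccd_dir>'
# and the route lines; 'ccd-exclusive' additionally rejects any client
# that has no ccd file, so an unknown certificate gets no route at all.
gen_ccd() {
    ccd_dir=$1
    routes_file=$2
    inventory=$3
    mkdir -p "$ccd_dir"
    : > "$routes_file"
    # Here-document instead of a pipe so 'return' works in the loop body.
    while read -r cn network netmask; do
        [ -n "$cn" ] || continue
        # The CN becomes a file name: refuse anything that could leave ccd_dir.
        case "$cn" in
            */*|.*) echo "refusing unsafe CN: $cn" >&2; return 1 ;;
        esac
        printf 'iroute %s %s\n' "$network" "$netmask" > "$ccd_dir/$cn"
        printf 'route %s %s\n' "$network" "$netmask" >> "$routes_file"
    done <<EOF
$inventory
EOF
}

# Stand-alone usage: generate into a temporary directory and show the output.
out=$(mktemp -d)
gen_ccd "$out/ccd" "$out/server-routes.conf" "$SAMPLE_INVENTORY"
cat "$out/server-routes.conf"
ls "$out/ccd"
```

Append the generated route lines to server.conf and point `client-config-dir` at the generated directory; the inventory file then becomes the single place to maintain as servers are added.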