OpenVPN Review

My solution for connecting two DRBD farms


What is our primary use case?

OpenVPN is an excellent candidate for establishing secure point-to-point connections between home office locations and satellite locations. It can be configured to limit exposure of the network, from just between the specific endpoints, all the way to full access between local area networks. Performance is consistent and positive. Security has been outstanding, passing some of the greatest tests we've put them to regulating bodies looking for vulnerabilities. If you're looking for a solid solution to establish VPN tunnels between sites, be sure to put OpenVPN on your list to check out.

How has it helped my organization?

OpenVPN has allowed me to have the ability to VPN into my environment from anywhere, using Open Source technologies, which helps me control my costs. My clients have capitalized on it when WAN alternatives were too expensive to consider. Yes, there are appliance equivalents out there, but for full customization and low cost, you can't beat it, in my opinion.

What is most valuable?

The features I have found to be most valuable are the levels of encryption I can enact and the compression I can apply to improve throughput. Obviously, the higher the level of encryption the more difficult it will be to intercept valuable content; and of course, the more we can compress data through the tunnel, the higher the level of relative throughput we can achieve.

What needs improvement?

The product is fully customized through configuration files, which is all achieved through manual data entry. This is where it becomes unattractive. If there was a Graphical User Interface to help streamline the configuration, I believe OpenVPN would probably venture more into the non-geek realm as it were. What I mean by this is, if there was a form-driven configuration process, like a "File -> Settings" kind of thing, where the end user can enter data into fields to specify the connection specifics, e.g. hostname/IP Address, protocols, etc. that could be written into the config file in the background, similar to what you see in YaST over in openSuSE in some of the services area, etc., and basically foolproof the VPN configuration, you may see more GUI-oriented folks using OpenVPN. Of course in saying this, I anticipate what's going to happen: "Well, give it a try, Elliott!" I'd love to, but my programming skills aren't there yet - I'm a "Edit the file" guy...

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

I have had a hard time trying to get OpenVPN to crash. I have achieved it on occasion when I am constantly breaking connectivity between the hosts, which I only do when I'm experimenting with things. Otherwise, once your configuration is stable, the tunnel remains stable.

What do I think about the scalability of the solution?

Scalability, as far as I can tell thus far, is limited to the hardware capabilities of your Linux router or host from which you intend to run OpenVPN.

How are customer service and technical support?

I cannot recall whether I worked with customer support on OpenVPN; being an Open Source project, when you have questions, you really end up working with fellow users in the OSS community. That being said, I can also say that the documentation for OpenVPN is outstanding. It gives you a full explanation of the product and case examples of how it can be applied. From there, you really need to start experimenting with it and post questions to the forums. You will find that people will respond and help you through your issues. People are happy to help out with products they've come to enjoy, and OpenVPN is one of those, as I think you'll find out.

If you previously used a different solution, which one did you use and why did you switch?

Prior to OpenVPN, I've had some experience with SonicWALL VPN, Fortinet, and CiscoVPN. All of these are fine alternatives, and I rarely experienced a problem using them. The big push for me to look at OpenVPN came when I started to work in heterogeneous environments, using both Windows and Linux.

As I started to discover the options available through the Linux platform, I naturally continued to expand my curiosity and experiment with the options I found. In many cases, I found some that were okay, but too unstable to really consider, and in others, I found outstanding products developed by some brilliant people.

OpenVPN became the perfect solution for me when I tried to connect two DRBD farms together and needed to encrypt the data stream between the two. It made sense to use the product from the host responsible for managing the DRBD stack, and simply add the remote farm via the tunnel. I then began to see other opportunities where I could apply it, and finally jumped in full force.

How was the initial setup?

Going through the setup for the first time will be a challenge. What I have done is write down a procedure to follow, that I have used every time since. I make modifications from time to time, as new features have been introduced, or old features have been replaced. Having a working set of config files available to use as a basis to build out new tunnels have been a blessing, too!

What about the implementation team?

The project I described previously, I developed on my own. I was then hired by my clients to deploy the solution for them. To be honest, I knew nothing about OpenVPN when I started, but I was able to come up to speed pretty quickly. And if I was able to do it, I have no doubt you can be successful, too!

What was our ROI?

Overall, I believe the ROI is high. The initial investment can be costly, as you go through the process of learning the application. But in the long run, you gain more than just financial benefits; the intellectual knowledge gained can be invaluable.

What's my experience with pricing, setup cost, and licensing?

With regard to setup cost, pricing and/or licensing, the simple answer is that you'll need to set aside some time to learn it and experiment with it. That's the only cost you will incur, with the exception of freeing up some hardware on which you can install Linux. OpenVPN is freely available through all of the major distributions. My experience thus far has been with openSUSE, which is a great platform for you to explore.

Which other solutions did I evaluate?

In my DRBD example above, I couldn't find a solution without introducing additional hardware between the two farms that either complicated access from authorized hosts or potentially impacted performance. I really needed it to occur at the point of management: the DRBD master of the farm. So, when I am asked, "Did you evaluate other options?", the short answer is "Yes", but on paper only; none of them could accomplish what I needed to achieve.

What other advice do I have?

You can see a quick description of the DRBD project I mentioned on my website along with a graphic showing the layout of it. Visit http://www.scottsolutions.us/p... for more details.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Guest
Sign Up with Email