To VPN or not to VPN...

For inter-server communication, I just have iptables set to whitelist the private IPs for each of my Linodes for services that should remain private. Way simpler than messing with OpenVPN. Here's the iptables rules for one of my servers:

[root@web masonm]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           /* 000 accept all icmp */ 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 001 accept all to lo */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 /* 002 accept SSH */ 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 003 accept related established rules */ state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80 /* 010 accept HTTP */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 443 /* 011 accept HTTPS */ 
ACCEPT     tcp  --  192.168.xxx.xxx      0.0.0.0/0           multiport dports 11211 /* 020 accept memcache for web.node1 */ 
ACCEPT     tcp  --  192.168.xxx.xxx      0.0.0.0/0           multiport dports 11211 /* 020 accept memcache for web.node3 */ 
ACCEPT     tcp  --  192.168.xxx.xxx      0.0.0.0/0           multiport dports 11211 /* 020 accept memcache for web.node4 */ 
ACCEPT     tcp  --  192.168.xxx.xxx      0.0.0.0/0           multiport dports 5666 /* 020 accept nrpe for ops */ 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop all other requests */ 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop forwarded packets */ 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Thanks for that.

That seems like an OK solution but how to secure the communication between Linodes? I mean, if e.g, a web server connects to a database server, do you create a secure connection or just use the connection as is?

I can imagine that not every connection would have to be secure but e.g. when authenticating etc. I'd assume you don't want Linodes of other user who happen to be one the same private network to be able to snoop the data?

Let me know what you think.

@northern:

Thanks for that.

That seems like an OK solution but how to secure the communication between Linodes?

Not necessary, because internal traffic can't be intercepted by other Linodes. Source: https://blog.linode.com/2008/03/14/priv … k-support/">https://blog.linode.com/2008/03/14/private-back-end-network-support/

"We filter traffic based on MAC and IP addresses. You can’t sniff traffic on the back-end LAN. You won’t see other people’s traffic. The only packets you’ll receive are those that are destined for your Linode. It works no differently from our public-networking filtering."

If you're paranoid, you may want to take advantage of any encryption your application offers for network traffic; e.g., MySQL can be configured to use SSL. This would especially be a benefit if for some reason you moved to another environment* that didn't isolate traffic the way Linode does.

*Not that I'm suggesting you'd ever want to leave Linode!

I looked into OpenVPN once but it looked more complicated than what I wanted to spend the time learning to configure. ssh tunnels or SSL built into products is usually all I need, if I needed just a little more configurability I'd consider stunnel. If I had a lot of and varied connections between peers/client/server I'd probably sit down and figure out OpenVPN, or possibly look into a commercial product.