[CentOS] regarding vpn server for 1500 clients

Les Mikesell lesmikesell at gmail.com
Sun Dec 21 18:38:09 UTC 2008


Dhaval Thakar wrote:
> 
>>>> If you could use a lower CPU intensive crypt like blowfish, it would be
>>>> easier.
>>>>
>>>> Are all these trading partners in different locations or are there semi
>>>> large
>>>> groups in the same locations?
>>>>
>>> all these are end users.
>>> they connect software from home / offices.
>> Do they actually need a generic VPN?  If they only run a few
>> applications you might be able to use https or similar ssl based
>> connections and avoid the routing/addressing/MTU issues.  You can still
>> use certificate based authentication in one or both directions if you
>> want.
>>
>> Also if the application(s) can be made to run over normal https (i.e. a
>> web interface) you get the advantage of working through most existing
>> proxies and firewalls, plus on the host end you have the option of
>> scaling up with a load balancer that handles the ssl processing and
>> reverse-proxies to a pool of backend servers.

> they need database access.
> I prefer providing database over vpn rather than providing via internet on
> a different tcp port.

Remote database access is often better handled through web forms than 
direct remote client access - depending on the application, of course.

A vpn will work, but it adds a lot of unnecessary overhead in terms of 
losing MTU for packet encapsulation and managing addressing and routing 
through the tunnels.  Plus, if the remotes are in other companies' 
offices you'll have to fight their corporate firewall policies to get 
your tunnel packets through, especially if you run over udp.  And then 
you'll have to firewall all the other stuff on your end that the vpn 
would otherwise permit access to.

For any single application/port connection you could use stunnel - or 
use a database that does ssl on its own.

-- 
   Les Mikesell
    lesmikesell at gmail.com
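The single-port stunnel setup suggested above, written out as an added example (not part of the thread): one stunnel instance in front of the database terminates TLS and requires a client certificate, and one on each remote PC wraps the database client's plaintext connection. Host name, ports, file paths and the service name are assumptions for illustration; the database is assumed to listen only on loopback on the server.

```ini
; ===== file 1: /etc/stunnel/db-server.conf (on the database host) =====
; Added example, not from the thread. Paths, ports and names are assumed.
foreground = no
setuid = nobody
setgid = nobody
pid = /var/run/stunnel-db.pid

[db-tls]
accept  = 0.0.0.0:3307            ; public TLS port the remote users reach
connect = 127.0.0.1:3306          ; database bound to loopback only
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
; mutual authentication: only clients holding a certificate issued by our
; own CA are forwarded to the database (on stunnel 4.x use "verify = 2")
CAfile      = /etc/stunnel/clients-ca.pem
verifyChain = yes

; ===== file 2: stunnel.conf on each remote user's PC =====
[db-tls]
client  = yes
accept  = 127.0.0.1:3306          ; the db client app connects here, in the clear, on the same box
connect = db.example.com:3307     ; stunnel carries it over TLS to the server
cert    = /etc/stunnel/client.pem ; the per-user client certificate
key     = /etc/stunnel/client.key
; verify the server's certificate against our CA and pin the expected name,
; so a remote user cannot be redirected to an impostor (checkHost is 5.x)
CAfile      = /etc/stunnel/server-ca.pem
verifyChain = yes
checkHost   = db.example.com
```

Only the single TLS port needs a hole in the remote sites' firewalls, and the server end exposes nothing but that port, which is the point of the remark above about not having to firewall everything a VPN would otherwise permit.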