Good specs for OpenVPN server (~100 users)

edited June 2019 in Help

Hi!

I think this is more of a non-related question, but maybe you have a minute. I am about to set up OpenVPN for the company and I am having a hard time picking the right dedicated servers. There are around 100 workers, but I guess around 50 will be active at the same time. They will tunnel all their traffic.

The person who was in charge of infra got fired and I'm replacing them temporarily. I know that OpenVPN consumes more CPU and that we need good bandwidth. But where should I start? Has anyone here been in the same situation, or perhaps works in the VPN business?

What kind of specs would you suggest? Thanks :)


Comments

  • OpenVPN is single-threaded, so I would suggest something like an i7 at 4 GHz+ to be able to handle more people at a time.
    Or switch them to WireGuard and get any modern CPU and reap the benefits.

  • @t0ny0 said:
    OpenVPN is single-threaded, so I would suggest something like an i7 at 4 GHz+ to be able to handle more people at a time.
    Or switch them to WireGuard and get any modern CPU and reap the benefits.

    Thanks!

    Unfortunately WireGuard is still too young to use in the company. It's okay to use privately.

  • FHR Member, Host Rep

    t0ny0 said: OpenVPN is single-threaded

    That's interesting. Even for multiple connections?

  • yongsiklee Member, Patron Provider

    @TheGreatOakley said:
    Unfortunately WireGuard is still too young to use in the company. It's okay to use privately.

    WireGuard may be younger, but that does not mean it is not reliable. From my experience, it is more fault-tolerant in terms of both setting up and maintaining a VPN server than OpenVPN: easy to set up and maintain.

    And WireGuard is fast!!!

  • Can it be like this?

    You split users into 3-4 groups using 3-4 VPN servers.
    Your infra firewall allows traffic only to/from the VPN servers (e.g. 3-4 VPN server IPs).

  • Yura Member

    @yongsiklee said:
    WireGuard may be younger, but that does not mean it is not reliable. From my experience, it is more fault-tolerant in terms of both setting up and maintaining a VPN server than OpenVPN: easy to set up and maintain.

    And WireGuard is fast!!!

    Just stop it already. He doesn't want cheap, fast, simple in a tiny and audited codebase. He works in a corporate environment and for fuck's sake they want it to be done like in good old days, smudging their shit onto cave walls.

  • yongsiklee said: WireGuard

    I still can't get it. Does WireGuard have any non-CLI clients for Windows, like OpenVPN does?

  • yongsiklee Member, Patron Provider

    @desperand said:
    I still can't get it. Does WireGuard have any non-CLI clients for Windows, like OpenVPN does?

    TunSafe.
    Simple interface and works like a charm.

    The WireGuard devs have also been developing a Windows client and we will see their own version soon as well.

  • jsg Member, Resident Benchmarker

    It's utterly meaningless to recommend anything without knowing what bandwidth you have available.

    It might also be helpful to tell what router and firewall hardware you already have.

  • sanvit Member

    @yongsiklee said:
    WireGuard may be younger, but that does not mean it is not reliable. From my experience, it is more fault-tolerant in terms of both setting up and maintaining a VPN server than OpenVPN: easy to set up and maintain.

    And WireGuard is fast!!!

    I'm pretty sure one of the higher-ups said 'I want OpenVPN. Period.'

  • yongsiklee Member, Patron Provider
    edited June 2019

    WireGuard is an oasis for the VPN community. Rescuer!!!

  • @jsg said:
    It's utterly meaningless to recommend anything without knowing what bandwidth you have available.

    It might also be helpful to tell what router and firewall hardware you already have.

    We are just looking for dedi. From 300MBps to 1GBps at least.

  • jsg Member, Resident Benchmarker

    @TheGreatOakley said:
    We are just looking for dedi. From 300MBps to 1GBps at least.

    Based on that info and what you provided before (50 - 100 users) I'd suggest either

    • an Alix 'D' board (or box)
    • an Intel J4105 based mainboard

    both with mildly generous memory (4 - 8 GB). The Alix solution is compact but less versatile while the "build your own server based on a J4105 mainboard" solution is more cumbersome (to build).
    Both are low power 4 core processors, the J4105 a bit more performant.

    What you need to understand is that

    • it's not the encrypted traffic that's costly. It's the TLS session establishment which unfortunately isn't hardware accelerated (unless you throw a serious amount of money at it).
    • OpenVPN has been created by hobbyists who were interested in networking but obviously didn't know even the basics of server design (and frankly not much about crypto either). They got it utterly wrong and that's why some suggested you choose another path (-> WireGuard).

    There is a way to cope with OpenVPN's severely limited design: multiple processes listening on multiple ports.

    You can do that because your use case is a classical closed user group one. So, you'd simply hand out/install slightly different client setups and those boards/boxes I recommended will happily cope with the load you throw at them.

    But note (important! Read this!): The very same reason (CUG scenario) also allows you to forget OpenVPN and use WireGuard! You should seriously look at that alternative.

    Small stuff: Typically those mainboards offer some M.2 socket; useful for OS, logging etc. Both boards also offer >= 1 SATA socket; I suggest you use that for backup. Also be sure that (if you go the J4105 route) you choose a good quality mainboard (e.g. Asus); it's strongly preferable to have Intel networking chips.

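The "multiple processes listening on multiple ports" approach from the post above, as an added example that is not part of the thread and not OpenVPN's own documentation: a POSIX shell script that writes N independent server configs (one UDP port and one tunnel subnet each, so each instance is its own single-threaded process that the kernel can schedule on its own core) plus one client profile that lists every instance. The hostname vpn.example.com, the PKI path, the port range starting at 1194, the 10.8.N.0/24 subnets and the use of systemd's openvpn-server@<name> unit are assumptions. Instead of handing out N slightly different client profiles, the profile uses several `remote` lines with `remote-random`, so each client picks an instance at connect time.

```shell
#!/bin/sh
# Added example (not from the thread): lay out N independent OpenVPN server
# instances on one host, each on its own UDP port and tunnel subnet, and one
# client profile that can reach all of them.
# Assumptions (not stated in the thread): systemd's openvpn-server@<name>
# template unit, PKI files under /etc/openvpn/server/pki, public name
# vpn.example.com. Adjust via environment variables.
set -eu

VPN_HOST="${VPN_HOST:-vpn.example.com}"       # assumed public hostname
BASE_PORT="${BASE_PORT:-1194}"                # instance N listens on BASE_PORT+N-1
PKI_DIR="${PKI_DIR:-/etc/openvpn/server/pki}" # assumed location of ca/cert/key/dh/tls-crypt

# server_conf N : print the config for instance N.
# Each instance gets its own tun device, port and 10.8.N.0/24 subnet, so the
# instances never share state; N processes = N cores busy with TLS handshakes.
server_conf() {
    n="$1"
    port=$((BASE_PORT + n - 1))
    cat <<EOF
# OpenVPN instance $n: one process, one port, one subnet
port $port
proto udp
dev tun$n
topology subnet
server 10.8.$n.0 255.255.255.0
ca   $PKI_DIR/ca.crt
cert $PKI_DIR/server.crt
key  $PKI_DIR/server.key
dh   $PKI_DIR/dh.pem
tls-crypt $PKI_DIR/tc.key
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls client
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
max-clients 64
status /run/openvpn-server/status-$n.log
verb 3
EOF
}

# client_conf N : print a client profile with one 'remote' per instance.
# 'remote-random' makes every client pick a random instance when it connects,
# which spreads the load without maintaining N different profiles.
client_conf() {
    count="$1"
    printf 'client\ndev tun\nproto udp\nremote-random\n'
    i=1
    while [ "$i" -le "$count" ]; do
        printf 'remote %s %d\n' "$VPN_HOST" $((BASE_PORT + i - 1))
        i=$((i + 1))
    done
    cat <<'EOF'
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
verb 3
# per-user <ca>, <cert>, <key> and <tls-crypt> blocks from your PKI go here
EOF
}

# write_all N DIR : write vpn1.conf .. vpnN.conf and client.ovpn into DIR.
write_all() {
    count="$1"; out="$2"
    mkdir -p "$out"
    i=1
    while [ "$i" -le "$count" ]; do
        server_conf "$i" > "$out/vpn$i.conf"
        i=$((i + 1))
    done
    client_conf "$count" > "$out/client.ovpn"
}

# Usage:
#   write_all 4 /etc/openvpn/server
#   systemctl enable --now openvpn-server@vpn1 openvpn-server@vpn2 \
#                          openvpn-server@vpn3 openvpn-server@vpn4
#   pgrep -a openvpn      # expect one process per instance
```

IP forwarding and a NAT/forward rule for each of the N subnets still have to be set on the host, and the tls-crypt key is assumed to have been generated with `openvpn --genkey tls-crypt tc.key` (OpenVPN 2.5 syntax). If a group of users must stay pinned to one instance (for example to apply a per-group firewall policy on that instance's subnet), drop `remote-random` and give that group a profile containing only its instance's `remote` line; that is the "slightly different client setups" variant from the post.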
  • @jsg said:
    But note (important! Read this!): The very same reason (CUG scenario) also allows you to forget OpenVPN and use WireGuard! You should seriously look at that alternative.

    Thanks for the info. I see. It's going to be hard to convince upper management to switch to WireGuard. Let's say we have a dedicated server X which can handle 50-100 users. How many could WireGuard handle? Let's not include the uplink.

  • jsg Member, Resident Benchmarker

    @TheGreatOakley said:
    Thanks for the info. I see. It's going to be hard to convince upper management to switch to WireGuard.

    It shouldn't be. You have a classical CUG scenario and have no reason to care about established de facto "standards" (like OpenVPN). Another point is the fact that, no matter whether you like it or not, OpenVPN is a lousy solution without any sensible provisions to use the power of omnipresent multi-core systems.
    Finally, the crypto of WireGuard is at least as good as OpenVPN's. In fact I take it to be considerably better. With OpenVPN I could preach all day long about weaknesses; with WireGuard however I'm fine. If I wanted to complain it would be about "all eggs in one basket" (full djb crypto plus (quite closely linked) Blake2, which however has proven to be an excellent choice with an excellent reputation) and about their KDF, which is not bad but neither the best choice. Argon would have been better.
    The fact that INRIA (a top-5 authority in that field) have verified the WireGuard protocol and crypto is also a big plus.

    In summary I'd choose WireGuard over OpenVPN every day, except for some situations where "our insurance demands ...["standard"]" is a priority.

    In terms of security I do see that WireGuard is quite a bit away from 1.0, but I also see the quality of crypto and code and the fact that the code can be reasonably verified, which is next to impossible for OpenVPN. All in all I take WireGuard to be no less secure than OpenVPN and having a very high potential to be considerably more secure in the near future.

    One point that is often overlooked but might in fact be of dramatic importance is the Windows client situation, because there one needs a third party implementation (tunGuard iirc) which may or may not be of good quality. I personally wouldn't trust it, but then I almost never use Windows and need not care.
    Summarizing it somewhat brutally: OpenVPN is the accepted de facto "standard" but WireGuard delivers way better real security (if you only have Unix systems). Plus the WireGuard server has a proper server design while OpenVPN has a ridiculous hobby "design".

    Let's say we have a dedicated server X which can handle 50-100 users. How many could WireGuard handle? Let's not include the uplink.

    Many times more. You can get an idea when you compare old Apache (processes only) vs nginx (Disclaimer: this is technically not really correct but close enough to give you a first idea).

  • iqbal Member

    No one mentions SoftEther?

  • Yura Member

    @iqbal said:
    No one mentions SoftEther?

    Only you

  • Do you have any idea why you chose OpenVPN instead of any other VPN service?
    Then we can say for sure what you actually need.

  • 2cloud Member

    Based on my own practice, I would say that 100 active connections would consume ~1 GB of memory. CPU: it very much depends on the encryption type and traffic, but in a common situation 2 vCPUs at 2 GHz should deal with traffic up to 1 Gbps.

  • I also think that if you can't go with WireGuard (which is the superior solution imo) and you're stuck with OpenVPN, you should probably look into SoftEther's implementation.

  • jsg Member, Resident Benchmarker

    As it came up: I did not recommend SoftEther mainly for two reasons. (a) The context is company use and (b) I don't trust SoftEther. It's visibly written in a Windows mindset, his declarations re. security clearly show that his understanding of security is very limited, and so does the source code. Plus SoftEther being able to basically emulate a whole lot of other solutions from Cisco to IPsec and OpenVPN strongly suggests that security was not a concern but an afterthought at best.

    As a result I'd consider SoftEther to be an interesting project for many things (study, research, playing, ...) but not as something I'd seriously consider for company (or other serious) use.

    WireGuard on the other hand clearly shows that all the relevant factors have been considered from the start. Plus critical parts actually have been formally verified. The big minus is the missing official Windows version, which may or may not be critical for users. I personally don't care; most companies however absolutely need official Windows support.

  • yongsiklee Member, Patron Provider
    edited June 2019

    @jsg said:
    The big minus is the missing official Windows version, which may or may not be critical for users. I personally don't care; most companies however absolutely need official Windows support.

    I use the one and only TunSafe as a WireGuard Windows client for now.
    While TunSafe is not supported by the WireGuard devs, it works like a charm.
    It seems that TunSafe is 100% committed no matter what.
    The WireGuard developers are, meanwhile, rumored to release their own Windows version soon.
    And many are now saying that, due to a huge potential market share, lots of Windows clients for WireGuard will appear in the next few years.

  • C) Cocks

  • @SirFoxy said:
    C) Cocks

    Do you want to fight?

    @yongsiklee said:
    The WireGuard developers are, meanwhile, rumored to release their own Windows version soon.

    They did release it

  • @TheGreatOakley said:
    Do you want to fight?

    🐓

  • yongsiklee Member, Patron Provider

    @TheGreatOakley said:
    They did release it

    Could you provide me with a link to it?

  • edited June 2019

    @yongsiklee said:
    Could you provide me with a link to it?

    http://bfy.tw/NyvI
    Literally the first result.

  • yongsiklee Member, Patron Provider

    @t0ny0 said:
    http://bfy.tw/NyvI
    Literally the first result.

    Is it a Windows "client?"

  • @yongsiklee said:
    Is it a Windows "client?"

    Yes.

  • yongsiklee Member, Patron Provider
    edited June 2019

    @t0ny0 said:
    Yes.

    Thank you.