We just created a cluster of 12 nodes and wanted to have OpenVPN for many of the communications need to be 100% secure between each computer (we do not have access to a 100% secure/private environment so we have to have encryption between computers.)
So we have a setup that looks like this:
+------------------+
| |
| OpenVPN Server |
| |
+------------------+
^
|
+-----+------+----------------+----------+
| | . |
| | . |
v v . v
+------------------+ +------------------+ ..... +------------------+
| | | | . . | |
| OpenVPN Client | | OpenVPN Client | . . | OpenVPN Client |
| A | | B | . . | n |
+------------------+ +------------------+ ..... +------------------+
The OpenVPN Server is one of the 12 computers and we noticed it going berserk whenever any client communicates with another client. Looking at the firewall info, we can clearly see that clients do not communicate between each others. Instead, all the data is sent to the server, then forward to another client (i.e. from client A to client B, we see the transfer going from A to Server, then Server to B.)
What I'm wondering is this:
Is A given the public key of B whenever it wants to send data to B? I would imagine it is not because it would require for the OpenVPN client code to know that the data is being sent to B. So if I understand properly, what is happening is:
- Client A encrypts its data with the server public key.
- Client A sends that encrypted blob to the server.
- The server uses its private key to decrypt the blob.
- The server determines where it is forwarding the blob.
- The server re-encrypts the data with Client B public key.
- The server sends that newly encrypted blob to the client.
- Client B uses its private key to decrypt the blob.
In other words, it really looks like this:
+------------------+
| |
| OpenVPN Server |<-----------------------+
| | |
+------------------+ |
^ ^ ^ |
| | . |
| | . |
| | .................. |
| | . |
v v v v
+------------------+ +------------------+ ..... +------------------+
| | | | . . | |
| OpenVPN Client | | OpenVPN Client | . . | OpenVPN Client |
| A | | B | . . | n |
+------------------+ +------------------+ ..... +------------------+
Is that correct? I tried to find something like that in the documentation and could only find things on how to install OpenVPN (which we did and it works, but it seems rather slow! Much slower than I expected.)
Best Answer
Yes, an OpenVPN client-server configuration looks like your second diagram. The tunnels are between the OpenVPN server and the OpenVPN clients. The OpenVPN server decrypts the data coming from the one tunnel and encrypts it into another tunnel.
You can implement your first diagram with OpenVPN using a peer-to-peer architecture instead of a client-server one. You need to setup a VPN tunnel for each pair of machines in your network: each node has n VPN tunnels for a total of n² tunnels (which is not that convenient).
You analysis of what is happening is mostly correct except for one part. The public/private keys are not (directly) used to encrypt/decrypt the packets in to/out of the tunnel. Instead, they are used to authenticate the tunnel and negociate symmetric session keys used for the actual encryption/decryption (and MAC).