Hi HN,
Does anyone have experience setting up a VPN between backend machines (web tier, database tier, ...) across both Windows and Linux machines - without a hardware router/firewall controlling the VPN?
I've investigated OpenVPN, stunnel and tinc (http://www.tinc-vpn.org/) and so far tinc seems the most suitable but needs further research on my behalf.
The requirements are what you'd expect for a production environment:
1) Private LAN IPs between hosts
2) Encrypted traffic across the VPN
3) No SPOF with regard to the VPN host
4) Efficient routing (local machines in the same data center should send packets directly to each other, not via a "router" machine)
EDIT: This is to manage a network between cloud services (Azure) and dedicated hardware.
Cheers
As far as SPOF goes, you set up multiple servers on the server side with different external IPs, handing out different ranges of VPN IP addresses. In the client config, you list multiple servers that the client is allowed to connect to.
So, in my setup, I have 10.1.0.0/24 as the LAN. Two VPN servers with different external IPs, LAN IPs, and a VPN (tun interface) IP with different subnets (10.8.1.0/24 and 10.8.2.0/24). The clients are given the two external IPs as servers to connect to, and they'll be given an IP address for their tun interface on the respective subnet for the server they connected to.
Here are some configs to take a look at: http://pastebin.com/TL95UfzU
You'll need to go through the bit of the tutorial for creating the server keys and keys for the clients.
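The two-server OpenVPN layout described in the reply above, written out as an added example (this is not the poster's pastebin config). The hostnames vpn-a.example.net / vpn-b.example.net and the certificate and key file names are assumptions; the LAN and tun subnets are the ones the reply gives.

```conf
# ---- Server A (assumed hostname vpn-a.example.net) ----
port 1194
proto udp
dev tun
ca ca.crt
cert server-a.crt
key server-a.key
dh dh.pem
tls-auth ta.key 0
# Each server owns its own tun subnet, so either can run without the other
server 10.8.1.0 255.255.255.0
# Clients learn the route to the backend LAN behind the server
push "route 10.1.0.0 255.255.255.0"
# Clients attached to this server may talk to each other through it
client-to-client
keepalive 10 120
persist-key
persist-tun
cipher AES-256-GCM
verb 3

# ---- Server B (assumed hostname vpn-b.example.net) ----
# Identical to server A apart from its own subnet and key material:
server 10.8.2.0 255.255.255.0
cert server-b.crt
key server-b.key

# ---- Client (Windows or Linux) ----
client
dev tun
proto udp
# Both servers are listed; if the first is unreachable the client tries the next
remote vpn-a.example.net 1194
remote vpn-b.example.net 1194
# Pick a server at random on each connect so load is spread across both
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
# Only accept a peer whose certificate was issued as a server certificate,
# so a leaked client certificate cannot be used to impersonate a server
remote-cert-tls server
cipher AES-256-GCM
verb 3
```

Two things the configs alone do not cover: hosts on 10.1.0.0/24 need a return route for both 10.8.1.0/24 and 10.8.2.0/24 (pointing at the respective VPN server, which must have IP forwarding enabled), otherwise replies to clients are dropped; and because this is a hub-and-spoke design, two clients attached to different servers exchange traffic via those servers, so it does not give the direct peer-to-peer routing asked for in requirement 4 the way a mesh VPN such as tinc does.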