We often receive questions about running Replify on an OpenVPN connection, in particular to allow accelerated VPN access for home workers. In this post, we’ll describe how Replify WAN Acceleration can be set up for that scenario.
Deployment Considerations
For Replify Accelerator to be able to optimize traffic on a slow network using OpenVPN, you need to deploy Replify Accelerator nodes on each end of that network.
The second stage of the deployment is to tell each of these nodes that the other exists. Replify refers to this process as peering.
A larger deployment may have many servers deployed in a mesh formation. Each of these nodes needs to be able to communicate with every other node.
This is fine on a private network, but if you are exposing your appliances on the public internet, what’s to stop anyone connecting to your publicly hosted appliance and obtaining (optimized) access to your application servers? Enter Secure Peer Authentication.
Secure Peer Authentication and Public Key Infrastructure (PKI)
Secure Peer Authentication is a Replify mechanism whereby you can secure your Replify Accelerator deployment using a Public Key Infrastructure. This means two things:
- Firstly, when your Accelerator node connects to a remote node, it checks the identity of the remote node before deciding to trust it.
- Secondly, when your node receives a connection from a remote node, it checks the identity of the connecting node before trusting it.
These steps ensure that no interlopers are using your VA either for free or as a means to access your internal network.
Configuration
The configuration for this is straightforward at a technical level but requires some careful management. Let’s say you have one hundred users all accessing an appliance. To configure secure peering correctly, you need to generate one hundred separate certificates, roll them out and manage them. For example, if an employee leaves your company, you need to revoke their certificate.
While this may seem complex, this type of security is not unique to Replify Accelerator. Chances are that you are doing something similar for other products.
Replify WAN Accelerator and OpenVPN
If you are using OpenVPN to provide VPN access to your network, each OpenVPN user has their own client certificate and key. Each OpenVPN client knows the identity of the OpenVPN Server that it is authorized to connect to. This is a very similar architecture to Replify Accelerator Secure Peering.
Crucially, due to the flexibility of Replify Accelerator, you can re-use these OpenVPN certificates to configure secure peering. Indeed, the certificates used by both Replify Accelerator and OpenVPN are standard TLS certificates.
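The acceptance decision behind secure peering with a reused PKI, including the revocation step mentioned under Configuration, shown as an added example that is neither Replify nor OpenVPN configuration. It builds a throwaway CA with the openssl CLI (all names and paths are constructed) and accepts a peer only if its certificate chains to that CA and is absent from the current CRL.

```shell
# Added example: a throwaway CA stands in for the OpenVPN PKI; alice and bob are constructed peers.
set -eu
make_pki() {            # $1 = empty working directory
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any
[any]
commonName = supplied
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo VPN CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
issue() {               # $1 = dir, $2 = peer name: new key, CSR, CA-signed certificate
  openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
revoke() {              # $1 = dir, $2 = peer name: mark revoked, then publish a fresh CRL
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
peer_trusted() {        # exit 0 only if the cert chains to the CA and is not on the CRL
  openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" -crl_check \
    "$1/$2.crt" >/dev/null 2>&1
}
demo() {                # alice stays with the company, bob leaves and is revoked
  d=$(mktemp -d); make_pki "$d"; issue "$d" alice; issue "$d" bob; revoke "$d" bob
  for p in alice bob; do if peer_trusted "$d" "$p"; then echo "$p: accept"; else echo "$p: reject"; fi; done
  rm -rf "$d"
}
demo
```

The check only helps if every node receives the refreshed CRL; a node still holding an older CRL keeps accepting the revoked certificate until it is updated.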
Try it Yourself
Ultimately, using the OpenVPN PKI to secure Replify Accelerator connections provides extra security for your Accelerator solution with less management overhead.
If you want to know more about this, please contact sales@replify.com.