Is duplicating an OpenVPN server secure?

  • I read this tutorial to create an OpenVPN server, it worked perfectly and was configured correctly, using a dedicated server to create the certificates it requires.

    Now I want to create a new OpenVPN server, with a different IP to access other services and to be used by other users.

    Is it safe to just create a copy image of the original server with OpenVPN, create a new server using the copy image of the original server, delete existing users and change the connection IP in the ovpn files?

    Or is it better to create a new server and go through all the steps again to install and configure OpenVPN?

    My fear is that creating a new server based on a copy, this could bring problems that allow users to access the other server or some vulnerability.

  • Since you now have a series of commands that can be scripted, I don't see the point of copying a server image and purging some files. Running a script would take less effort (and time probably, depending on the size of the image).

    And maybe you should consider using Ansible to provision your servers, if you aren't already. There seems to exist at least one third-party plugin here - disclaimer: not tested, and always audit third-party code. Otherwise, another tutorial than can be helpful: How to Automate OpenVPN Server Deployment and User Management

    Ansible would also be useful not only to provision new machines but also keep the existing ones up to date, install new software and perform updates in parallel with minimal intervention on your side.

    Basically you need to perform a number of things:

    • apt to install some packages
    • copy some files, some of which may be templates in which you replace certain variables (Ansible uses the Jinja templating engine that is also found in Flask for example)
    • run a number of bash commands, most of which need not be run interactively

    Ansible can do all that.

    If you were to copy an image from another machine there is a slight risk of misconfiguration as you could forget some settings here and there. The server may still run but not in an optimal manner (example: errors in the DNS configuration). Also, there may be sensitive files lying around such as private keys like those used for passwordless SSH etc, that aren't harmful until some actually hacks into your server and becomes in a position to further escalate the attack and reach other machines under your control.

    Also, the "template" server to be cloned has its own settings, for instance the network settings, host name, IP addresses, gateway etc, there is quite a lot of stuff that you would have to change, and very likely you will always forget something. Don't think it's worth the hassle.

    PS: some webhosts offer a number of ready to use OS images (usually Linux) to install a new server in just a few clicks, so it can take literally no more than a few minutes to have a system up and running. Than all you have to do is update it, and customize it to your needs.

Log in to reply

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2