Secure your code: OpenVPN in the cloud

66 points by trefn, over 14 years ago

7 comments

tptacek, over 14 years ago
I'm not totally wild about OpenVPN. If you asked me which I'd rather expose, SSH or OpenVPN, I'd have to flip a coin. In either case, it's easy to realize the "right" configuration, with a single "bastion" host (hate that word) that provides authorized clients with transparent access to servers.

One thing you can say for SSH is that it gets a lot more audit attention than OpenVPN does.

In either case, the problem I think most startups should move to solve early is multi-factor authentication. I have friends building things with Yubikeys, and others building things with SMS-based auth; either is better than straight passwords, which are (among other things) a policy nightmare.
dugmartin, over 14 years ago
We have been using OpenVPN to secure one of our Rackspace servers dedicated to development for the last couple of years. We also have ejabberd running on that box (just talking to the VPN interface). It works great for distributed development and the internal secured jabber IMs are great for transferring sensitive stuff like passwords between remote folks. We also have a persistent conference room for a shared "watercooler".

The main problem we have is key management. Does anyone know of a good admin app for generating, storing and revoking keys?
aguynamedben, over 14 years ago
tinc is a really good little secret I have found if you want a true mesh P2P secure overlay network. It's open source, has a good community in freenode #tinc, and is really easy to install and use; just read the man page: http://linux.die.net/man/5/tinc.conf

http://tinc-vpn.org/
ritonlajoie, over 14 years ago
We are doing that in our production environment. We use different boxes (1 in the US and 2 in the EU); they are connected with OpenVPN to serve our different needs.

Our personal development boxes are also connected to each other using OpenVPN and firewalled. All the internal code made for our app is using the VPN IPs, and every application is listening on these IPs only (not localhost nor 0.0.0.0).

(applications are mysql/couchdb/git/apache)

That's pretty great!
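
The binding policy described in the comment above (every service listens on the VPN address only, not localhost or 0.0.0.0) can be checked mechanically. This is an added example, not part of the thread: it audits `ss -H -ltn` output, and the sample lines, the 10.8.0.0/24 subnet, the port-22 exception and the function names are all constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not from the thread).
# 10.8.0.0/24 is an assumed VPN subnet; substitute your own.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 10.8.0.1:3306 0.0.0.0:*
LISTEN 0 128 10.8.0.1:9418 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 127.0.0.1:5984 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
"""

def parse_local(field):
    """Split the 'Local Address:Port' field into (ip or None for wildcard, port)."""
    host, _, port = field.rpartition(":")
    # Drop any %iface scope first, then the IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    if host in ("*", "0.0.0.0", "::"):
        return None, int(port)
    return ipaddress.ip_address(host), int(port)

def audit_listeners(ss_output, vpn_subnet, allowed_public_ports=()):
    """Return (port, reason) for every TCP listener not bound to a VPN address."""
    vpn = ipaddress.ip_network(vpn_subnet)
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip headers, blank lines and non-listening sockets
        ip, port = parse_local(cols[3])
        if port in allowed_public_ports:
            continue  # e.g. the bastion's own SSH port, deliberately exposed
        if ip is None:
            findings.append((port, "wildcard"))   # reachable on every interface
        elif ip.is_loopback:
            findings.append((port, "loopback"))   # not reachable over the VPN
        elif ip not in vpn:
            findings.append((port, f"other:{ip}"))
    return findings

if __name__ == "__main__":
    for port, reason in audit_listeners(SAMPLE_SS, "10.8.0.0/24", {22}):
        print(f"port {port}: bound to {reason}, expected a 10.8.0.0/24 address")
```

`ss -ltn` covers TCP only; OpenVPN's own listener is commonly UDP, so audit `ss -lun` output separately if UDP services matter.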
trun, over 14 years ago
I was just looking for something like this, literally about 30 seconds before you posted it. Thanks!
steve19, over 14 years ago
My problem with OpenVPN is that you cannot access it from an iPhone.
pmjordan, over 14 years ago
The diagram has connection lines between all nodes; does this imply N² point-to-point OpenVPN connections, with a subnet for each connection?