# OpenVPN - how many clients?



## stim (Dec 4, 2013)

Hi,

I usually don't bother with Christmas presents (bah humbug!),

This year I'm feeling more humane and I'm thinking to set up a few regional VPNs and allow a select few friends and family to use them.

Max 10 users total, mostly light and legal use. Maybe the odd BBC iPlayer or Hulu stream.

Questions:

1. Would a small 256MB VPS handle such duties comfortably?

2. Would this piss-off my provider?

3. Can I use the same key for all clients and is this ill-advised?

Any advice appreciated! 

Cheers,


----------



## drmike (Dec 4, 2013)

What an idea!   Good one for many reasons.

1. Would 256MB suffice?  Not sure... I suspect it would since OpenVPN doesn't have extreme needs other than CPU per se.

2. Provider --- all they are going to see is bandwidth use... Unless your users are up to bad stuff and complaints roll in.

3.  Bad idea.

Hopefully others who are hardcore users of OpenVPN will step in to help make this happen for you.


----------



## stim (Dec 4, 2013)

Thanks 



drmike said:


> 3.  Bad idea.


I want to understand why. I know it is possible. If my users are not tech-savvy (my Mum e.g.) and there's no chance they will be up to mischief.

Other than that, does it present an external security risk, or is there a risk of 'crosstalk' or server crashes?

Thanks again


----------



## HalfEatenPie (Dec 4, 2013)

1. A simple 256MB should be perfectly fine.

2. As long as you don't get any complaints or go over your bandwidth usage or constantly hog the pipe, no one should complain.

3. Bad bad idea.  It's a security risk.  Think of it this way, you give your house keys to your family and friends.  They're all the same copy/files/etc.  But if one person loses it or leaks it onto the internet then everyone's compromised.  Just giving a dedicated one per person is probably best practice.  Also, if that does happen then you don't want to go back to everyone (family, friends, etc.) and set it all up again, or give the non-tech-savvy person instructions on how to replace their certificate again.  Seriously just replacing one certificate instead of redistributing the new certificate will save you a ton of time.  

Also I don't remember exactly so someone else please chime in, but if I remember (assuming you're just doing the basic OpenVPN setup without logins and such, the keys are the login credentials) if one key = 1 user then it'll kick whoever's using the key off if someone else logs in with the same credentials.  (Again, this is assuming you're using the default settings and whatnot for the OpenVPN server).


----------



## peterw (Dec 4, 2013)

stim said:


> Hi,
> 
> I usually don't bother with Christmas presents (bah humbug!),
> 
> ...


1. Running a VPN server for 8 people on a 64MB VPS

2. If they all try to watch Hulu -> yes

3. Bad idea. It is very simple to generate one key per person.


----------



## Ruchirablog (Dec 4, 2013)

256MB is plenty for OpenVPN


----------



## drmike (Dec 4, 2013)

So to those of you that have done something like this, have doc/howto for accomplishing this? Would make a superb write up and help the seasonal giving around here.


----------



## wlanboy (Dec 4, 2013)

drmike said:


> So to those of you that have done something like this, have doc/howto for accomplishing this? Would make a superb write up and help the seasonal giving around here.


You mean something like that:

Running and troubleshooting an OpenVPN server?


----------



## HalfEatenPie (Dec 4, 2013)

Well, probably the most important part is determining if it's OpenVZ or KVM for the iptables rules, which I believe wlanboy already took care of!

Yeah his tutorial is awesome.


----------



## johnlth93 (Dec 4, 2013)

HalfEatenPie said:


> 1. A simple 256MB should be perfectly fine.
> 
> 
> 2. As long as you don't get any complaints or go over your bandwidth usage or constantly hog the pipe, no one should complain.
> ...


You can have the same cert to log in if you enable duplicate-cn on the server side, but it's definitely a bad idea security-wise.


----------
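As an added example (not code from any poster in this thread), the Python sketch below audits a server config for the `duplicate-cn` setting discussed above and for a missing `crl-verify`, then reads an OpenVPN status file to find common names with more than one live session, which is what a shared certificate looks like in practice. The sample config, the sample status file and the function names are constructed for illustration.

```python
import re

# Constructed sample server config (not from the thread).
SAMPLE_CONF = """port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
duplicate-cn
# crl-verify crl.pem
"""

# Constructed sample status file, status-version 1 layout.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Thu Dec  5 10:00:00 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
family,203.0.113.5:51234,12345,67890,Thu Dec  5 09:00:00 2013
family,198.51.100.9:40022,2222,3333,Thu Dec  5 09:30:00 2013
alice,192.0.2.44:50111,100,200,Thu Dec  5 09:45:00 2013
ROUTING TABLE
END
"""

def audit_config(conf_text):
    """Flag settings that allow shared certificates or block revocation."""
    found = set()
    for line in conf_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            found.add(line.split()[0])
    issues = []
    if "duplicate-cn" in found:
        issues.append("duplicate-cn set: one certificate can serve many clients")
    if "crl-verify" not in found:
        issues.append("crl-verify not set: revoked certificates are still accepted")
    return issues

def shared_common_names(status_text):
    """Return {CN: [real IPs]} for CNs with more than one live session."""
    sessions, in_clients = {}, False
    for line in status_text.splitlines():
        if line.startswith("Common Name,"):
            in_clients = True
        elif line.startswith("ROUTING TABLE"):
            break
        elif in_clients and "," in line:
            cn, real = line.split(",")[:2]
            sessions.setdefault(cn, []).append(real.rsplit(":", 1)[0])
    return {cn: ips for cn, ips in sessions.items() if len(ips) > 1}
```

With one certificate per person, a flagged CN points at a single user whose certificate can be revoked without touching anyone else's setup.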



## HalfEatenPie (Dec 4, 2013)

johnlth93 said:


> You can have the same cert to log in if you enable duplicate-cn on the server side, but it's definitely a bad idea security-wise.


Hm, I didn't look too into it but didn't know that.  Thanks!

But yeah, overall just bad bad idea.


----------



## wlanboy (Dec 4, 2013)

HalfEatenPie said:


> Well, probably the most important part is determining if it's OpenVZ or KVM for the iptables rules, which I believe wlanboy already took care of!
> 
> 
> Yeah his tutorial is awesome.


Within the tutorial, another tutorial about the iptables rules is linked too, to cover this.


----------



## stim (Dec 5, 2013)

Guys, 

Thank you all for the solid advice - it's appreciated. The case for separate client keys has been elegantly made.

I shall proceed with the plan.

Cheers


----------

