Well that sure was a mouthful of a title. This post is going to be quite nerdy, I congratulate anyone who makes it all the way through. Please note that this is not any kind of guide. It's more of a discussion about the advantages that a Private Network provides.
Server private networks (SPN) are increasing in popularity lately. Or "RPN" (Real Private Network) as some parts of the industry call them. I'll be using the term SPN, since it's what I know from my workplace.
These are basically exactly what the name implies. They're a private network for servers. Or as the R in RPN tells us, it's a "Real" network. That means it's not virtual. It's not a VPN, it is a physically separate network from the regular one. They are by no means complicated to set up and only have four main requirements:
- Two NICs (Network Interface Card, commonly referred to as just a "Network card") in at least one of the servers
- An extra switch
- At least one NIC in every server connected to this network
- (Optional) At least two NICs in any server that also needs to have direct internet access with its own IP.
Sounds familiar? Indeed, it's a regular LAN like the one you have at home in addition to the existing internet connection. Though you probably use a NAT-based setup at home. It simply got the name SPN/RPN since it's a LAN that only has servers, it also has no route to the public internet without passing through a server. These are becoming very popular for backbone links and private data exchanges between servers, or simply high-traffic jobs that should have a dedicated link. A typical SPN looks like this:
If the people running the SPN feel fancy, there might also be some services exclusively available on the SPN:
It's a very simple concept. If you need to copy something from server A to server B, you'd normally send it over the LAN. This has two main drawbacks:
- There may be other clients connected to the LAN that can sniff traffic
- The link is shared with regular internet traffic. Meaning that if you're running something like a web server. A large transfer will either be slowed down by the web server traffic, or the web server traffic will be affected by the transfer.
An SPN aims to solve both of these issues. They're so new that they currently have no regular name and typically go under the generic term "Private network", they're offered by many companies. Such as DigitalOcean or Vultr. Though I'd like to inform you that DO's offer is sorta fake, it's just a regular LAN where other servers might be able to see you, yet advertised as a "Private network". For now, Online.net is the only host I know of that uses one of the increasingly popular industry terms SPN/RPN.
There is one "problem" with an SPN. Which lies in the S, Server. If you need to transfer files someplace other than a server, you still have to use the regular internet connection, thus affecting other traffic from the server. Most people ignore this, since they rarely actually need all the traffic on their Gbit ports. But some people do, and this is an issue for those people.
The solution is simple. Add a VPN server into the mix, which I did. The VPN gets its own incoming Gbit port, and then a connection to the SPN. Then you configure the VPN server so that clients connect over the regular link to the server, and then you only allow them to communicate from the VPN server onto the SPN. Therefore all client traffic moves over the SPN afterwards, instead of the servers' internet link. If you make certain services like ssh, samba and nfs only listen on the SPN (Thus only making it accessible to VPN clients), it will also strengthen security. See where I'm going with this now? My current setup looks like this:
The VPN works as a basic security layer, kinda like two-factor authentication. Where depending on your configuration, you can't ssh into any of the servers unless you're connected to the VPN. The VPN will also encrypt everything over the tunnel, even traffic that normally isn't encrypted, such as HTTP or FTP. In some ways it's also convenient. When connected to the VPN, you don't have to use public IP addresses or domain names for all your servers which can be very different from one another. You can access them over IPs such as 10.10.0.5 or 10.10.0.10, again, depending on your configuration. (Keep in mind that if the VPN's IP subnet collides with the IP range on the client's LAN, you've opened an entirely different can of worms)
It's quite simple to set up a VPN for this actually. It's just a regular VPN server, only difference is that instead of forwarding back out on it's regular internet NIC, it only allows network traffic to leave onto the SPN. You might also want to turn off
push "redirect-gateway def1" so that it doesn't force all the traffic to go over the VPN. This will (in theory) allow clients to access the internet with no difference, without touching the VPN for regular internet access.