I’m looking into hosting my own OpenVPN server (mainly for educational purposes, but I do envision wanting to connect to my VPN from outside my home).
The Digital Ocean guide suggests setting up a separate, standalone machine as the certificate authority (CA), which is also recommended in the OpenVPN hardening suggestions.
While I’m sure the completely separate, completely offline machine is the most secure, I’m wondering whether running the CA in one LXC container and the OpenVPN server in a separate LXC container, though both on the same physical machine, would at least be better than running them both outside of containers on the same physical machine.
Does anyone have any thoughts or tips on this?
The quote of interest on the OpenVPN Hardening Security page:
Keep the root key (ca.key) on a standalone machine without a network connection
One of the security benefits of using an X509 PKI (as OpenVPN does) is that the root CA key (ca.key) need not be present on the OpenVPN server machine. In a high security environment, you might want to specially designate a machine for key signing purposes, keep the machine well-protected physically, and disconnect it from all networks. Floppy disks can be used to move key files back and forth, as necessary. Such measures make it extremely difficult for an attacker to steal the root key, short of physical theft of the key signing machine.
Based on this information, it depends on your threat model. Is your adversary able to escalate privileges and escape the OpenVPN server? If so, I suggest reconsidering your idea.
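The split the hardening text describes, as an added shell example that is not from the original post or from the OpenVPN project: two scratch directories stand in for the CA container and the OpenVPN server container, the subject names are made up, and it assumes the openssl command-line tool is installed. Only a CSR moves towards the CA and only public certificates move back, which is what lets ca.key stay off the server.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenVPN project. Two
# directories stand in for the two containers (or machines): one holds the CA,
# the other the OpenVPN server. Only a CSR travels towards the CA and only
# public certificates travel back, so ca.key never enters the server side.
set -eu

WORK=$(mktemp -d)
CA="$WORK/ca-box"          # stands in for the standalone / containerised CA
SRV="$WORK/vpn-server"     # stands in for the OpenVPN server container
mkdir -p "$CA" "$SRV"

# CA side: root key and self-signed CA certificate, created and kept here.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" -subj "/CN=Home VPN CA" 2>/dev/null
}

# Server side: its own private key plus a certificate signing request.
make_server_csr() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$SRV/server.key" -out "$SRV/server.csr" \
    -subj "/CN=vpn.home.example" 2>/dev/null
}

# The only thing carried to the CA is the CSR (the "floppy disk" in the
# hardening text). The CA signs it and hands back the certificate plus ca.crt.
sign_on_ca_and_return() {
  cp "$SRV/server.csr" "$CA/inbox-server.csr"
  openssl x509 -req -in "$CA/inbox-server.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 365 -out "$CA/server.crt" 2>/dev/null
  cp "$CA/server.crt" "$SRV/server.crt"
  cp "$CA/ca.crt" "$SRV/ca.crt"
}

# Check 1: the server validates its certificate with the CA certificate alone.
server_cert_chains_to_ca() {
  openssl verify -CAfile "$SRV/ca.crt" "$SRV/server.crt" >/dev/null 2>&1
}

# Check 2: the invariant the hardening note asks for. ca.key exists on the CA
# side, nothing by that name reached the server, and no PEM private key block
# was smuggled inside the files that were copied back.
ca_key_absent_from_server() {
  [ -f "$CA/ca.key" ] && [ ! -e "$SRV/ca.key" ] && \
    ! grep -qs "PRIVATE KEY" "$SRV/ca.crt" "$SRV/server.crt"
}

make_ca
make_server_csr
sign_on_ca_and_return
server_cert_chains_to_ca && ca_key_absent_from_server && echo "ca.key stayed on the CA side: OK"
```

In the real setup the two cp lines are the only transfers between the containers, so they are the place to put a one-way copy (or offline media) rather than a shared volume.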
Better, yes. Good enough? It depends. For most individual users, likely it is more than enough, but it does still depend on each individual's threat model.