Scenario: hosted machine (typically a VPS) serving wiki, svn, git, forums, email lists (e.g. GNU mailman), Bugzilla, etc. privately to < 20 people. People not on team not allowed access. Seeking VPN-restricted access to said server. Have good user experience with OpenVPN-based servers/clients, but have yet to server-admin such systems. Otherwise, experienced Linux sysadmin. Target system: Ubuntu, probably 12.04.
Seeking to put an OpenVPN process on above server to "protect" all the above-mentioned services, enabling only OpenVPN-authorized clients/processes to access above services. (Can easily acquire additional IP address(es) as needed for this setup.)
Option: if absolutely needed, can employ an additional, dedicated, "VPN server" VPS simply to be my VPN server "front end." But prefer to have all server processes (VPN server plus other server apps) all running on same machine, if possible. Will consider further if dedicated-VPN-machine setup enables 1. easier installation/administration, 2. better/easier end-user experience, and/or 3. makes system significantly more secure.
Any of above feasible?
The main intention: create a VPN from purely-hosted resources, and not spend all the effort to make a non-VPN, secure site--which typically means "SSL wrapping" + all the continual webserver-application-update management. Let the VPN server deal with access security, and spend less time pushing said security "down" in the other apps/Apache.
Sure. You can do this in a couple of ways:
Bind all the services you care about to the OpenVPN interface, so that they are only listening on, say, 10.8.0.1. Make sure that OpenVPN is already running, otherwise services will not be able to bind correctly to the interface.
Use iptables to allow only connections coming from the OpenVPN network, say,
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT ; iptables -A INPUT -j DROP
with whatever extra rules you'll need to allow the OpenVPN traffic in the first place, and some out-of-VPN communications such as ssh. Do you have any more specific scenarios in mind?
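A complete rule set for the second approach, as an added example that is not part of the answer above: it admits the OpenVPN port and SSH from anywhere, and everything else only from VPN clients arriving through the tunnel interface. The interface name tun0, subnet 10.8.0.0/24, UDP port 1194 and SSH port 22 are assumptions for a default OpenVPN install.

```shell
#!/bin/sh
# Host firewall for a single VPS that runs OpenVPN plus the private services.
# The values below are assumptions for a stock OpenVPN server configuration.
VPN_IF="tun0"           # OpenVPN tunnel interface
VPN_NET="10.8.0.0/24"   # OpenVPN client subnet
OVPN_PORT="1194"        # port OpenVPN listens on (UDP)
SSH_PORT="22"           # out-of-VPN admin access

# Emit the filter table in iptables-restore format so it can be reviewed
# before it is loaded, and loaded atomically afterwards.
vpn_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the tunnel itself must be reachable from the public Internet
-A INPUT -p udp --dport ${OVPN_PORT} -j ACCEPT
# SSH stays reachable outside the VPN so a broken tunnel cannot lock you out
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
# wiki, svn, git, lists, Bugzilla: only from VPN clients, and only when the
# packet really arrived through the tunnel (blocks spoofed 10.8.0.x sources)
-A INPUT -i ${VPN_IF} -s ${VPN_NET} -j ACCEPT
COMMIT
EOF
}

# Load the rules; needs root and the iptables-restore binary.
apply_rules() {
    vpn_rules | iptables-restore
}

# Number of INPUT rules, for a quick sanity check before applying.
count_input_rules() {
    vpn_rules | grep -c '^-A INPUT'
}

# Usage: "sh firewall.sh" prints the rules; "sh firewall.sh apply" loads them.
case "${1:-}" in
    apply) apply_rules ;;
    *) vpn_rules ;;
esac
```

Bind each service to 10.8.0.1 as well, so that a mistake in the rule set still leaves nothing listening on the public address.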
Attempting: http://library.linode.com/networking/openvpn
Related discussion.