Project — IT Infrastructure
VPN Infrastructure
Deploy an OpenVPN server at the Santa Ana datacenter to provide secure remote access for IT staff, administrators, and privileged management traffic.
Owner: Anthony Trujillo, Regional Director of IT South  ·  Status: Planning
Why We're Doing This

Remote management traffic — switches, firewalls, servers, IPMI — currently relies on direct internet exposure or case-by-case firewall rules. That's a security liability and an operational inconsistency. A centralized VPN gives IT a clean, auditable path into facility infrastructure without punching additional holes in perimeter firewalls.

OpenVPN Community Edition on a self-managed server at the COLO gives us full control over certificates, user accounts, and split-tunnel routing without per-seat licensing costs. The server sits inside the existing SD-WAN fabric, so VPN clients effectively land on-network at the datacenter and can reach all facilities via the established VCG mesh.

Technical Specification
Server location: Santa Ana COLO (existing rack)
Software: OpenVPN Community Edition (self-hosted)
OS: Ubuntu Server 24.04 LTS (VM or bare metal TBD)
Protocol: UDP 1194 (primary), TCP 443 fallback
PKI: Easy-RSA 3 — internal CA, per-user certs, no shared keys
Auth: Certificate + optional OTP (Google Authenticator plugin)
Routing: Split-tunnel — management subnets only (no default gateway override)
DNS: Push internal DNS resolver to VPN clients for .nacsi.local resolution
Client platforms: Windows (OpenVPN GUI), macOS (Tunnelblick), iOS/Android (OpenVPN Connect)
Firewall integration: FortiGate policy — allow VPN subnet to management VLANs, log all flows
Monitoring: Connected clients log + status socket; future NinjaOne or Graylog integration
Deployment Phases
1. Server Provisioning
   Provision Ubuntu 24.04 VM (or physical) at the COLO. Assign a static IP on the management VLAN. Configure hostname, SSH hardening, firewall (UFW), and automatic security updates.
2. OpenVPN & Easy-RSA Setup
   Install OpenVPN Community and Easy-RSA 3. Initialize the PKI, generate the CA certificate, server cert/key, and DH parameters. Configure server.conf with split-tunnel routes for the management subnets.
3. Firewall & Network Integration
   Open UDP 1194 (and TCP 443 fallback) inbound on the FortiGate for the COLO public IP. Create a FortiGate policy permitting the VPN tunnel subnet (e.g. 10.8.0.0/24) to reach management VLANs across all facilities. Enable NAT masquerade on the VPN server so that return traffic from the management VLANs reaches tunnel clients without every facility device needing a route back to the tunnel subnet.
4. Certificate & User Provisioning
   Generate per-user client certificates with Easy-RSA. Package an .ovpn profile (inline cert embed) for each IT staff member. Document the revocation procedure for offboarding. Optionally layer TOTP with the openvpn-otp plugin.
5. Client Rollout & Testing
   Deploy to the IT team first — verify reachability to facility switches, FortiGate management interfaces, and IPMI/iLO consoles. Test split-tunnel behavior (internet traffic must not route through the VPN). Document a troubleshooting playbook.
6. Documentation & Runbook
   Write the certificate lifecycle doc (renew, revoke, re-issue). Document the server config, update the network diagram, and write the emergency access procedure for when the VPN server is unreachable. Store configs in version control.
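Phases 2 through 4 can be captured in one script. What follows is an added example written for this page, not NorthPoint's own build script and not code from the OpenVPN or Easy-RSA projects: it lists the Easy-RSA initialisation commands, generates a server.conf whose only pushed routes are the management subnets (split tunnel, no redirect-gateway, internal resolver pushed for .nacsi.local) and packages a per-user .ovpn with the CA, user cert, key and tls-crypt key inline. The hostname vpn.example.invalid, the resolver 10.10.0.53, the two management subnets and the Easy-RSA directory /etc/openvpn/easy-rsa are assumed placeholders to be replaced from the subnet map.

```shell
#!/bin/sh
# Added example, not NorthPoint's build script: Easy-RSA initialisation,
# a split-tunnel server.conf and an inline client .ovpn for the design above.
# Every value here is an assumed placeholder to replace from the subnet map.

EASYRSA_DIR="/etc/openvpn/easy-rsa"        # assumed; created with make-cadir
TUN_NET="10.8.0.0"; TUN_MASK="255.255.255.0"
MGMT_SUBNETS="10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0"  # constructed
INTERNAL_DNS="10.10.0.53"                   # constructed placeholder resolver
VPN_HOST="vpn.example.invalid"              # placeholder COLO public name

# One-time PKI build (needs easyrsa/openvpn installed, so nothing below calls
# it). Offboarding: "./easyrsa revoke <cn> && ./easyrsa gen-crl"; the server
# checks the refreshed pki/crl.pem on every new connection via crl-verify.
init_pki() {
    cd "$EASYRSA_DIR" || return 1
    ./easyrsa init-pki
    ./easyrsa build-ca                      # prompts for a CA key passphrase
    ./easyrsa --batch build-server-full server nopass
    ./easyrsa gen-dh
    ./easyrsa gen-crl
    openvpn --genkey tls-crypt pki/ta.key
}

# Issue a per-user cert and write <cn>.ovpn in the current directory.
issue_user() {
    (cd "$EASYRSA_DIR" && ./easyrsa --batch build-client-full "$1" nopass) || return 1
    gen_client_ovpn "$1" "$EASYRSA_DIR/pki" > "$1.ovpn" && chmod 600 "$1.ovpn"
}

# Print server.conf. Split tunnel: a "push route" per management subnet and
# no "redirect-gateway", so client internet traffic stays off the tunnel.
gen_server_conf() {                         # args: proto (udp|tcp), port
    proto=${1:-udp}; port=${2:-1194}; pki="$EASYRSA_DIR/pki"
    cat <<EOF
port $port
proto $proto
dev tun
ca $pki/ca.crt
cert $pki/issued/server.crt
key $pki/private/server.key
dh $pki/dh.pem
tls-crypt $pki/ta.key
crl-verify $pki/crl.pem
server $TUN_NET $TUN_MASK
topology subnet
push "dhcp-option DNS $INTERNAL_DNS"
push "dhcp-option DOMAIN nacsi.local"
EOF
    set -- $MGMT_SUBNETS
    while [ $# -ge 2 ]; do
        echo "push \"route $1 $2\""
        shift 2
    done
    cat <<EOF
keepalive 10 120
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/status.log 10
status-version 2
log-append /var/log/openvpn/openvpn.log
verb 3
EOF
}

# Print a single-file client profile with CA, user cert/key and tls-crypt key
# inline; the second "remote" is the TCP 443 fallback.
gen_client_ovpn() {                         # args: common name, PKI directory
    cat <<EOF
client
dev tun
remote $VPN_HOST 1194 udp
remote $VPN_HOST 443 tcp
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
verb 3
<ca>
$(cat "$2/ca.crt")
</ca>
<cert>
$(cat "$2/issued/$1.crt")
</cert>
<key>
$(cat "$2/private/$1.key")
</key>
<tls-crypt>
$(cat "$2/ta.key")
</tls-crypt>
EOF
}
```

Usage on the server, after sourcing the file: `init_pki` once, `gen_server_conf udp 1194 > /etc/openvpn/server/server.conf` (and a second instance with `tcp 443` for the fallback), then `issue_user jdoe` per staff member. The generated server.conf deliberately contains no `redirect-gateway`, which is the check to repeat in phase 5: a client's default route must still point at its local uplink after connecting.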
Workstreams
Server Build (Planned)
Provision and harden the Ubuntu server at the COLO. OpenVPN install, PKI init, server.conf, systemd service, UFW rules.
PKI & Certificate Management (Planned)
Easy-RSA 3 CA setup. Per-user cert generation, renewal schedule, and revocation workflow. No shared credentials.
FortiGate Policy (Planned)
Inbound NAT for the VPN port, tunnel subnet → management VLAN policies, flow logging. Coordinate with existing SD-WAN rules.
Client Distribution (Planned)
Package .ovpn profiles per user. Roll out to Windows, macOS, and mobile. Document the install and connect procedure for non-IT staff who may need access.
Monitoring & Logging (Planned)
Tail /var/log/openvpn/status.log. Document connected-client visibility. Flag for future SIEM or NinjaOne integration.
Network Topology Update (Shared — Network Mapping)
Add the VPN server node to the Network Topology Map. Update subnet documentation to include the VPN tunnel range.
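For the Monitoring & Logging workstream, the status file is easy to turn into a connected-client report before any SIEM integration exists. The script below is an added example, not NorthPoint's tooling: it parses the comma-separated layout OpenVPN writes with `status-version 2`, lists sessions, counts them, and flags any common name with more than one session at once. The status file contents are a constructed sample (client names, addresses and byte counts are invented), and the path /var/log/openvpn/status.log matches the one named in this plan.

```shell
#!/bin/sh
# Added example, not NorthPoint's tooling: reads the OpenVPN status file
# written by "status /var/log/openvpn/status.log 10" with "status-version 2"
# (comma-separated records) and reports connected clients.

STATUS_FILE="${STATUS_FILE:-/var/log/openvpn/status.log}"

# Constructed sample in status-version 2 layout. The third CLIENT_LIST row
# shows one client certificate in use from two addresses at the same time.
SAMPLE_STATUS='TITLE,OpenVPN 2.6.12 x86_64-pc-linux-gnu
TIME,2024-05-01 10:00:00,1714557600
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,it-admin1,203.0.113.5:51234,10.8.0.2,,120394,9881023,2024-05-01 09:50:00,1714557000,UNDEF,0,0,AES-256-GCM
CLIENT_LIST,netops-laptop,198.51.100.7:40001,10.8.0.3,,5520,30011,2024-05-01 09:58:00,1714557480,UNDEF,1,1,AES-256-GCM
CLIENT_LIST,netops-laptop,192.0.2.99:40002,10.8.0.4,,100,200,2024-05-01 09:59:30,1714557570,UNDEF,2,2,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,it-admin1,203.0.113.5:51234,2024-05-01 09:59:00,1714557540
GLOBAL_STATS,Max bcast/mcast queue length,0
END'

# One line per session: common name, real address, tunnel IP, bytes in,
# bytes out, connected since. Optional arg: status file path.
list_clients() {
    awk -F, '$1 == "CLIENT_LIST" { printf "%s %s %s %s %s %s\n", $2, $3, $4, $6, $7, $8 }' "${1:-$STATUS_FILE}"
}

# Number of connected sessions.
count_clients() {
    awk -F, '$1 == "CLIENT_LIST" { n++ } END { print n + 0 }' "${1:-$STATUS_FILE}"
}

# Common names with more than one concurrent session. Without "duplicate-cn"
# in server.conf a second connection replaces the first, so two rows for one
# CN means duplicate-cn is on; either way one profile in use from two places
# is worth a look, since the design is one certificate per person.
duplicate_cns() {
    awk -F, '$1 == "CLIENT_LIST" { seen[$2]++ } END { for (cn in seen) if (seen[cn] > 1) print cn }' "${1:-$STATUS_FILE}"
}

# Human-readable summary for an ad-hoc check or a scheduled mail.
report() {
    f=${1:-$STATUS_FILE}
    echo "Connected clients: $(count_clients "$f")"
    list_clients "$f"
    for cn in $(duplicate_cns "$f"); do
        echo "WARNING: $cn has more than one active session"
    done
}

# Run against the constructed sample when invoked as "sh status_report.sh sample".
if [ "${1:-}" = "sample" ]; then
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_STATUS" > "$tmp"
    report "$tmp"; rm -f "$tmp"
fi
```

On the real server `report` with no argument reads the live status file; the same awk filters can later be pointed at a Graylog or NinjaOne shipper, since each CLIENT_LIST row already carries the fields a SIEM would want (who, from where, tunnel IP, since when).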
Open Questions
VM or Bare Metal? (Needs Decision)
Do we have available VM capacity at the COLO on an existing hypervisor, or does this need dedicated hardware? A small VM (2 vCPU, 2GB RAM) is more than sufficient for this load.
MFA Requirement (Needs Decision)
Certificate-only auth is strong, but adding TOTP (openvpn-otp) raises the bar significantly. The decision depends on whether IT-only or broader access is planned.
VPN Subnet Range (Needs Decision)
Need to confirm 10.8.0.0/24 doesn't conflict with existing facility or COLO subnets. Pull the subnet map from the network topology before finalizing.
Who Gets Access? (Needs Decision)
IT team only, or extended to any administrator who needs remote access to facility systems? Scope determines the cert provisioning workload and policy complexity.
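The VPN Subnet Range question is mechanical once the subnet map is in hand. The script below is an added example, not NorthPoint's tooling: it does the CIDR arithmetic in plain POSIX sh and reports every allocated range the candidate tunnel subnet collides with, so the check can be re-run whenever the subnet documentation changes. The list in FACILITY_SUBNETS is a constructed sample, not the real allocation; it deliberately contains a 10.8.0.0/22 so the conflict path is exercised.

```shell
#!/bin/sh
# Added example, not NorthPoint's tooling: checks a proposed tunnel range
# against the allocated subnets so 10.8.0.0/24 can be confirmed (or rejected)
# before it is written into server.conf and FortiGate policy.

# Constructed sample of the subnet map; replace with the real allocations.
FACILITY_SUBNETS="10.1.0.0/16 10.8.0.0/22 172.16.40.0/24 192.168.100.0/24"

# Dotted quad to a 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First and last address of "a.b.c.d/n" as two integers; a bare address is /32.
cidr_bounds() {
    ip=${1%/*}; bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32
    base=$(ip2int "$ip")
    size=$(( 1 << (32 - bits) ))
    lo=$(( base / size * size ))            # clear any host bits in the input
    echo "$lo $(( lo + size - 1 ))"
}

# Exit 0 when the two ranges share at least one address.
cidr_overlap() {
    set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Print every allocated subnet the candidate collides with; exit 1 if any.
# Args: candidate CIDR, then the allocated subnets.
check_tunnel_range() {
    candidate=$1; shift; rc=0
    for net in "$@"; do
        if cidr_overlap "$candidate" "$net"; then
            echo "CONFLICT: $candidate overlaps $net"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $candidate is free"
    return $rc
}

# Usage: sh check_range.sh 10.8.0.0/24   (exit status 1 on any conflict)
if [ $# -gt 0 ]; then
    check_tunnel_range "$1" $FACILITY_SUBNETS
fi
```

Run it with the real subnet map substituted and the same candidate used in server.conf and the FortiGate policy; a non-zero exit is the signal to pick a different range before anything is deployed.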