Any help with VPN termination?
Florin Andrei
florin at andrei.myip.org
Thu May 5 03:21:20 UTC 2005
On Wed, 2005-05-04 at 11:26 -0400, Nick Phillips wrote:
> I’m a relative newbie to VPN, and I’ve been asked to investigate
> setting up a VPN for a small office of about 50 people. The network
> architecture is an external firewall (which may be replaced with a
> firewall / VPN appliance, probably Astaro at this point), a DMZ
> containing Linux-webservers (192.168.2.x)
Wow, the web servers are on private addresses? Meaning they're not
accessible from the Web? What's the point then?
> Now my question – where is the best place for the VPN to terminate,
> assuming that VPN users need access to the file servers inside the
> LAN?
There's no One Answer To Rule Them All. It depends.
The simplest and most flexible way: the firewall is also a VPN server.
Therefore, the VPN tunnels are terminated inside the firewall, so pretty
much any addresses can be assigned to them.
Or you can shove a VPN appliance into one of the local network segments.
Or into its own, dedicated "firewall leg", for maximum control.
> With an external firewall / VPN appliance, as far as I understand it,
> the VPN sessions would terminate inside the DMZ, with an IP of
> 192.168.2.something. Providing those VPN users with access to the
> fileservers inside the LAN would require punching a bunch of holes in
> the internal firewall, right? This isn’t something that sounds too
> appealing to me.
Often, the VPN address space is configured so that it's "in the same
network" as the internal addresses.
Some other companies prefer to set them up into a security zone of their
own, thereby controlling access from/to LAN and VPN.
Like I said, each situation should be judged on its own.
> But what other solutions are there? Is it preferable to forward the
> VPN connection to be terminated on the inside firewall instead, so
> sessions would terminate inside the LAN with a 192.168.1.something IP?
It's certainly simpler that way, if their security policy allows it.
My opinion: it's ok, technically, unless you have contracts with the NSA
which require the sacrifice of your first born in case of a security
breach. But in that case, it probably won't be you designing the
security architecture, but a pricey contractor. ;-)
> Could anybody with VPN experience suggest the best way to solve this?
> And forgive me if I’m screwy with some of the details of how VPN
> works, I’m still learning up on PPTP / L2TP / IPsec etc etc....
For a small company like that, I threw Fedora onto a PC box, made it a
firewall, then put OpenVPN on it and made it a VPN server as well.
It works so well, in over a year they never had any complaints
whatsoever.
http://openvpn.net/
It's orders of magnitude simpler than IPSec-based VPNs, it's just as
secure, it's very flexible, it has clients for all major OSs. There's
even a Windows GUI. There are very few other applications that are
getting such unanimously raving reviews from everyone who used them.
This is an article I wrote about that deployment, it's outdated (talks
about OpenVPN v1, back when OpenVPN still used to require a separate
port for each client) but it may be useful as a concept.
http://fedoranews.org/contributors/florin_andrei/openvpn/
--
Florin Andrei
http://florin.myip.org/
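As an added example (not from Florin's message, the list, or OpenVPN's own material), here is a sketch of the "security zone of their own" arrangement he mentions: OpenVPN terminates on the firewall box, its tunnel clients get their own subnet, and a dedicated FORWARD chain admits them only to the file servers, so nothing has to be "punched" through to the rest of the LAN or the DMZ. The tun0 name, the 10.8.0.0/24 range and the file server addresses are assumptions; the 192.168.1.x and 192.168.2.x ranges come from the original question.

```shell
#!/bin/sh
# Added example: OpenVPN terminated on the firewall, with the VPN clients in
# their own zone rather than "in the same network" as the LAN.
# Assumptions: tun0 is OpenVPN's tunnel interface, server.conf hands out
# 10.8.0.0/24, and the SMB file servers sit at the two addresses below.
VPN_IF="tun0"
VPN_NET="10.8.0.0/24"                      # assumed: 'server 10.8.0.0 255.255.255.0'
DMZ_NET="192.168.2.0/24"                   # DMZ range from the original question
FILE_SERVERS="192.168.1.10 192.168.1.11"   # assumed LAN file server addresses

# Print the FORWARD-chain rules that implement the policy:
#   VPN -> file servers on SMB (445/tcp, 139/tcp) only;
#   replies for established flows back to the VPN; everything else dropped.
vpn_forward_rules() {
    printf '%s\n' "iptables -N VPN_ZONE"
    printf '%s\n' "iptables -A FORWARD -i $VPN_IF -j VPN_ZONE"
    printf '%s\n' "iptables -A FORWARD -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for fs in $FILE_SERVERS; do
        for port in 445 139; do
            printf '%s\n' "iptables -A VPN_ZONE -s $VPN_NET -d $fs -p tcp --dport $port -j ACCEPT"
        done
    done
    # Log before dropping: a VPN client reaching for anything else is worth seeing.
    printf '%s\n' "iptables -A VPN_ZONE -j LOG --log-prefix 'VPN_ZONE_DENY: '"
    printf '%s\n' "iptables -A VPN_ZONE -j DROP"
}

# Sanity check on the policy: count ACCEPT rules that would let the VPN zone
# reach the DMZ. A separate zone should yield zero.
dmz_reachable_rules() {
    vpn_forward_rules | grep -c -- "-d $DMZ_NET.*ACCEPT" || true
}

# Default is a dry run that prints the rules; "apply" loads them as root.
case "${1:-print}" in
    apply) [ "$(id -u)" -eq 0 ] || { echo "need root" >&2; exit 1; }
           vpn_forward_rules | while read -r cmd; do eval "$cmd"; done ;;
    print) vpn_forward_rules ;;
esac
```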