Any help with VPN termination?

Florin Andrei florin at andrei.myip.org
Thu May 5 03:21:20 UTC 2005


On Wed, 2005-05-04 at 11:26 -0400, Nick Phillips wrote:

> I’m a relative newbie to VPN, and I’ve been asked to investigate
> setting up a VPN for a small office of about 50 people. The network
> architecture is an external firewall (which may be replaced with a
> firewall / VPN appliance, probably Astaro at this point), a DMZ
> containing Linux-webservers (192.168.2.x)

Wow, the web servers are on private addresses? Meaning they're not
accessible from the Web? What's the point then?

> Now my question – where is the best place for the VPN to terminate,
> assuming that VPN users need access to the file servers inside the
> LAN?

There's no One Answer To Rule Them All. It depends.

The simplest and most flexible way: the firewall is also a VPN server.
Therefore, the VPN tunnels are terminated inside the firewall, so pretty
much any addresses can be assigned to them.
Or you can shove a VPN appliance into one of the local network segments.
Or into its own, dedicated "firewall leg", for maximum control.

> With an external firewall / VPN appliance, as far as I understand it,
> the VPN sessions would terminate inside the DMZ, with an IP of
> 192.168.2.something. Providing those VPN users with access to the
> fileservers inside the LAN would require punching a bunch of holes in
> the internal firewall, right? This isn’t something that sounds too
> appealing to me.

Often, the VPN address space is configured so that it's "in the same
network" as the internal addresses.
Some other companies prefer to set them up into a security zone of their
own, thereby controlling access from/to LAN and VPN.
Like I said, each situation should be judged on its own.

> But what other solutions are there? Is it preferable to forward the
> VPN connection to be terminated on the inside firewall instead, so
> sessions would terminate inside the LAN with a 192.168.1.something IP?

It's certainly simpler that way, if their security policy allows it.
My opinion: it's ok, technically, unless you have contracts with the NSA
which require the sacrifice of your first born in case of a security
breach. But in that case, it probably won't be you designing the
security architecture, but a pricey contractor. ;-)

> Could anybody with VPN experience suggest the best way to solve this?
> And forgive me if I’m screwy with some of the details of how VPN
> works, I’m still learning up on PPTP / L2TP / IPsec etc etc....

For a small company like that, I threw Fedora onto a PC box, made it a
firewall, then put OpenVPN on it and made it a VPN server as well.
It works so well, in over a year they never had any complaints
whatsoever.

http://openvpn.net/

It's orders of magnitude simpler than IPSec-based VPNs, it's just as
secure, it's very flexible, it has clients for all major OSs. There's
even a Windows GUI. There are very few other applications that are
getting such unanimously raving reviews from everyone who used them.

This is an article I wrote about that deployment, it's outdated (talks
about OpenVPN v1, back when OpenVPN still used to require a separate
port for each client) but it may be useful as a concept.

http://fedoranews.org/contributors/florin_andrei/openvpn/

-- 
Florin Andrei

http://florin.myip.org/
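The "security zone of its own" layout that the reply describes, as an added example that is not from this thread, from OpenVPN's own documentation or from the linked article: the Linux firewall is also the OpenVPN server, VPN clients get a routed subnet of their own, and the firewall's FORWARD policy lets them reach only the LAN file servers on the SMB ports. The VPN pool 10.8.0.0/24, the file-server addresses and the certificate file names are assumptions; the LAN (192.168.1.x) and DMZ (192.168.2.x) ranges come from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): routed OpenVPN on a Linux firewall,
# with the tunnel in its own zone instead of "in the same network" as the LAN.
# Needs net.ipv4.ip_forward=1 on the firewall to forward between tun0 and LAN.
VPN_NET="10.8.0.0/24"                     # assumed VPN client pool
LAN_NET="192.168.1.0/24"                  # LAN range from the original post
DMZ_NET="192.168.2.0/24"                  # DMZ range from the original post
FILE_SERVERS="192.168.1.10 192.168.1.11"  # constructed sample file servers

# OpenVPN server directives for a routed (tun) tunnel. Clients are addressed
# out of VPN_NET and receive only the LAN route; the DMZ is never pushed.
# Certificate/key file names are assumptions. Prints the server.conf text.
openvpn_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server ${VPN_NET%/*} 255.255.255.0
push "route ${LAN_NET%/*} 255.255.255.0"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Forwarding policy in iptables-restore format. The default FORWARD policy is
# DROP, so VPN clients reach only what is listed here: the file servers on
# TCP 139 and 445. DMZ_NET is covered by the default policy. Anything else
# coming out of the tunnel is logged before it is dropped, which is the
# detection signal for a VPN user probing beyond the file servers.
# Usage on the firewall: vpn_zone_rules | iptables-restore
vpn_zone_rules() {
  echo "*filter"
  echo ":FORWARD DROP [0:0]"
  echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for srv in $FILE_SERVERS; do
    for p in 139 445; do
      echo "-A FORWARD -i tun+ -s $VPN_NET -d $srv -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
  done
  echo "-A FORWARD -i tun+ -s $VPN_NET -j LOG --log-prefix \"vpn-denied: \""
  echo "COMMIT"
}
```

Moving a client from the "same network as the LAN" model to this one changes nothing on the client side; only the pushed route and the FORWARD chain decide what the tunnel can reach.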