I’m a relative newbie to VPN, and I’ve been asked to investigate setting up a VPN for a small office of about 50 people. The network architecture is an external firewall (which may be replaced with a firewall / VPN appliance, probably Astaro at this point), a DMZ containing Linux web servers (192.168.2.x), and an internal Linux firewall protecting the LAN (192.168.1.x), composed of Windows XP machines, and also the file/mail servers (which will be switched to Windows Server as per management’s request).
Now my question – where is the best place for the VPN to terminate, assuming that VPN users need access to the file servers inside the LAN? With an external firewall / VPN appliance, as far as I understand it, the VPN sessions would terminate inside the DMZ, with an IP of 192.168.2.something. Providing those VPN users with access to the fileservers inside the LAN would require punching a bunch of holes in the internal firewall, right? This isn’t something that sounds too appealing to me. But what other solutions are there? Is it preferable to forward the VPN connection to be terminated on the inside firewall instead, so sessions would terminate inside the LAN with a 192.168.1.something IP?
Could anybody with VPN experience suggest the best way to solve this? And forgive me if I’m screwy with some of the details of how VPN works, I’m still learning up on PPTP / L2TP / IPsec etc etc....
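As an added illustration (not part of the original post) of what "punching holes in the internal firewall" amounts to when the VPN terminates in the DMZ: the internal Linux firewall only has to forward traffic from the VPN address pool to the file server, and only for the file-sharing ports, rather than opening the whole DMZ to the LAN. The VPN pool 192.168.2.200/29, the file server address 192.168.1.10, the interface names dmz0 / lan0, and the nftables syntax are all assumptions for this example; the post gives none of them.

```nftables
# Assumed nftables ruleset for the internal Linux firewall (example only).
# Interfaces, addresses and the VPN pool are placeholders, not from the post.
define dmz_if   = "dmz0"
define lan_if   = "lan0"
define vpn_pool = 192.168.2.200/29   # assumed: addresses handed out by the DMZ VPN concentrator
define fileserv = 192.168.1.10       # assumed: the internal file server

table inet internal_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN itself opened
        ct state established,related accept

        # LAN is allowed out through the firewall
        iifname $lan_if accept

        # The only "hole": VPN pool -> file server, SMB/CIFS only
        iifname $dmz_if oifname $lan_if \
            ip saddr $vpn_pool ip daddr $fileserv \
            tcp dport { 139, 445 } ct state new accept

        # Everything else from the DMZ (web servers included) stays out of the LAN
        iifname $dmz_if counter drop
    }
}
```

The point of scoping the rule to the VPN pool and a single destination is that a compromised DMZ web server still cannot reach the LAN; if the VPN is instead terminated on the inside firewall, this forward rule disappears, but the VPN daemon itself then runs on the box that guards the LAN, so the trade-off is exposure of that host rather than extra firewall rules.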