On Wed, 2005-05-04 at 11:26 -0400, Nick Phillips wrote:

> I'm a relative newbie to VPN, and I've been asked to investigate
> setting up a VPN for a small office of about 50 people. The network
> architecture is an external firewall (which may be replaced with a
> firewall / VPN appliance, probably Astaro at this point), a DMZ
> containing Linux-webservers (192.168.2.x)

Wow, the web servers are on private addresses? Meaning they're not
accessible from the Web? What's the point then?

> Now my question – where is the best place for the VPN to terminate,
> assuming that VPN users need access to the file servers inside the
> LAN?

There's no One Answer To Rule Them All. It depends.

The simplest and most flexible way: the firewall is also a VPN server.
Therefore, the VPN tunnels are terminated inside the firewall, so pretty
much any addresses can be assigned to them.

Or you can shove a VPN appliance into one of the local network segments.

Or into its own, dedicated "firewall leg", for maximum control.

> With an external firewall / VPN appliance, as far as I understand it,
> the VPN sessions would terminate inside the DMZ, with an IP of
> 192.168.2.something. Providing those VPN users with access to the
> fileservers inside the LAN would require punching a bunch of holes in
> the internal firewall, right? This isn't something that sounds too
> appealing to me.

Often, the VPN address space is configured so that it's "in the same
network" as the internal addresses. Some other companies prefer to set
them up into a security zone of their own, thereby controlling access
from/to LAN and VPN. Like I said, each situation should be judged on its
own.

> But what other solutions are there? Is it preferable to forward the
> VPN connection to be terminated on the inside firewall instead, so
> sessions would terminate inside the LAN with a 192.168.1.something IP?

It's certainly simpler that way, if their security policy allows it.
My opinion: it's ok, technically, unless you have contracts with the NSA
which require the sacrifice of your first born in case of a security
breach. But in that case, it probably won't be you designing the
security architecture, but a pricey contractor. ;-)

> Could anybody with VPN experience suggest the best way to solve this?
> And forgive me if I'm screwy with some of the details of how VPN
> works, I'm still learning up on PPTP / L2TP / IPsec etc etc....

For a small company like that, I threw Fedora onto a PC box, made it a
firewall, then put OpenVPN on it and made it a VPN server as well. It
works so well, in over a year they never had any complaints whatsoever.

http://openvpn.net/

It's orders of magnitude simpler than IPSec-based VPNs, it's just as
secure, it's very flexible, it has clients for all major OSs. There's
even a Windows GUI. There are very few other applications that are
getting such unanimously raving reviews from everyone who used them.

This is an article I wrote about that deployment, it's outdated (talks
about OpenVPN v1, back when OpenVPN still used to require a separate
port for each client) but it may be useful as a concept.

http://fedoranews.org/contributors/florin_andrei/openvpn/

-- 
Florin Andrei
http://florin.myip.org/
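The layout Florin describes (the firewall box is also the OpenVPN server, the tunnels get a subnet of their own, and the firewall decides what that subnet may reach on the LAN) as a worked example. This is an added illustration, not code from the thread, from Florin's article or from the OpenVPN project; the VPN pool 10.8.0.0/24, the interface names, the file-server addresses, the key/cert paths and the choice of SMB ports are all assumptions. The script only prints the OpenVPN server config and the iptables rules, so it can be run anywhere to review them before they are applied on the firewall.

```shell
#!/bin/sh
# Added example: OpenVPN 2.x server config plus iptables rules for a
# "VPN in its own security zone" layout on a Linux firewall.
# Everything below except the 192.168.1.x / 192.168.2.x subnets from the
# thread is an assumed value chosen for illustration.

VPN_NET="10.8.0.0/24"                    # assumed: pool handed to VPN clients
LAN_NET="192.168.1.0/24"                 # from the thread: internal LAN
DMZ_NET="192.168.2.0/24"                 # from the thread: DMZ with web servers
FILESERVERS="192.168.1.10 192.168.1.11"  # assumed: the file servers VPN users need
VPN_IF="tun0"                            # OpenVPN's tunnel interface
LAN_IF="eth1"                            # assumed: firewall leg facing the LAN
WAN_IF="eth0"                            # assumed: firewall leg facing the Internet

# Emit a minimal routed (tun) OpenVPN 2.x server.conf. "server" hands out
# VPN_NET to clients and "push route" tells them the LAN lives behind the
# tunnel. Certificate paths are placeholders.
openvpn_server_conf() {
    net="${VPN_NET%/*}"
    cat <<EOF
port 1194
proto udp
dev $VPN_IF
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server $net 255.255.255.0
push "route ${LAN_NET%/*} 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
EOF
}

# Emit iptables rules, one per line, that treat the tunnel as its own zone:
#  - accept the OpenVPN port on the Internet-facing leg
#  - let VPN clients reach the file servers only, on SMB/CIFS ports only
#  - drop everything else from the tunnel towards LAN or DMZ
# Rules are printed rather than executed; pipe into sh on the firewall
# (with net.ipv4.ip_forward=1) to apply them.
vpn_firewall_rules() {
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport 1194 -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for fs in $FILESERVERS; do
        for port in 139 445; do
            echo "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $fs -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    echo "iptables -A FORWARD -i $VPN_IF -d $LAN_NET -j DROP"
    echo "iptables -A FORWARD -i $VPN_IF -d $DMZ_NET -j DROP"
}

# Number of FORWARD rules that open something from the tunnel; with two
# file servers and two ports each that is 4, which is the whole allow list
# a reviewer has to sign off on.
count_vpn_accepts() {
    vpn_firewall_rules | grep -c "FORWARD -i $VPN_IF .* -j ACCEPT"
}

openvpn_server_conf
echo
vpn_firewall_rules
```

Putting VPN clients in their own subnet rather than in 192.168.1.0/24 is what makes the last two DROP rules possible: the firewall can tell tunnel traffic from LAN traffic by source address and interface, and the "holes" are reduced to the explicit ACCEPT lines the loop prints. If the policy is instead "VPN users are just like LAN users", replace the per-server rules with a single ACCEPT from $VPN_IF to $LAN_IF, which is the simpler variant Florin says is technically fine.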