Hello,

I have a feeling I know what the answer to this question is, but need a second opinion. I want to setup an OpenVPN server, but I am not exactly sure where to place it. Does it go on the DMZ side or on the inside?

I was thinking it went like this:

Client VPN <--> WWW <--> Firewall <--> DMZ (OpenVPN) <--(A)

(A)---> Firewall <--> Switch

From the Switch it has access to network. Do I have general idea? If not, can someone please help correct me or clarify. Thanks.

Anthony

You can put it wherever you'd like...that's up to you and how you set up your network.

Personally, I'd put it in the DMZ, as you've outlined above.

If you put it in the DMZ, it is outside your private network, on the Internet. Why bother to use a VPN to connect to the Internet?

No, the DMZ is behind the firewall, with that as the first level of protection against the Internet. You can easily control the open ports through the firewall, that are allowed into the VPN server, and from there, through your interior firewall, to the internal LAN.

If the VPN box was outside the DMZ firewall, then it would be directly on the Internet.

A DMZ places an internal host outside the firewall. Opening ports is a NAT function, and is used to provide port level access to hosts behind the firewall.

You shouldn't need to put the OpenVPN server in the DMZ, as it means you need to make sure only the vpn ports are opened (UDP 1194 and UDP 1195).

Remember, your OpenVPN server will need to allow full access to your internal network, so putting it in the DMZ would, in my opinion, reduce your protection level, as I would consider anything in the DMZ to be separate of the internal LAN.

I think what you want is:

OpenVPN Client -> WWW -> Firewall (Port forward 1194/1195 to OpenVPN server) -> OpenVPN Server (IP should be in local LAN subnet).

You can however, configure OpenVPN Server to use a different subnet for the OpenVPN clients, forcing every packet to go through the OpenVPN server and further filtering it or do NAT.