Hello,
I have a feeling I know what the answer to this question is, but need a second opinion. I want to set up an OpenVPN server, but I am not exactly sure where to place it. Does it go on the DMZ side or on the inside?
If you put it in the DMZ, it is outside your private network, on the Internet. Why bother to use a VPN to connect to the Internet?
No, the DMZ is behind the firewall, with that as the first level of protection against the Internet. You can easily control the open ports through the firewall that are allowed into the VPN server, and from there, through your interior firewall, to the internal LAN.
If the VPN box was outside the DMZ firewall, then it would be directly on the Internet.
A DMZ places an internal host outside the firewall. Opening ports is a NAT function, and is used to provide port level access to hosts behind the firewall.
You shouldn't need to put the OpenVPN server in the DMZ, as it means you need to make sure only the VPN ports are opened (UDP 1194 and UDP 1195).
Remember, your OpenVPN server will need to allow full access to your internal network, so putting it in the DMZ would, in my opinion, reduce your protection level, as I would consider anything in the DMZ to be separate from the internal LAN.
I think what you want is:
OpenVPN Client -> WWW -> Firewall (Port forward 1194/1195 to OpenVPN server) -> OpenVPN Server (IP should be in local LAN subnet).
You can, however, configure the OpenVPN server to use a different subnet for the OpenVPN clients, forcing every packet to go through the OpenVPN server and further filtering it or doing NAT.
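
The layout in the last reply (UDP 1194/1195 forwarded to the OpenVPN server, clients on their own subnet, filtering at the server), as an added example that is not part of the thread: a shell function that prints an iptables-restore ruleset for the OpenVPN host. The client subnet 10.8.0.0/24, the interface tun0 and the 192.168.1.x services are assumptions.

```shell
#!/bin/sh
# Added example; addresses, interface and allow-list entries are assumptions.
# vpn_ruleset VPN_NET VPN_IF [proto:host:port ...]
#   Prints an iptables-restore ruleset for the OpenVPN host: default-drop,
#   OpenVPN ports open, VPN clients forwarded only to the listed IPv4 services.
vpn_ruleset() {
    vpn_net=$1; vpn_if=$2; shift 2
    # Validate every entry first so a bad one never yields a partial ruleset.
    for entry in "$@"; do
        proto=${entry%%:*}; rest=${entry#*:}
        host=${rest%%:*}; port=${rest#*:}
        case "$proto" in tcp|udp) ;; *) echo "bad proto: $entry" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $entry" >&2; return 1 ;; esac
        [ -n "$host" ] || { echo "bad host: $entry" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m multiport --dports 1194,1195 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for entry in "$@"; do
        proto=${entry%%:*}; rest=${entry#*:}
        printf '%s\n' "-A FORWARD -i $vpn_if -s $vpn_net -d ${rest%%:*} -p $proto --dport ${rest#*:} -j ACCEPT"
    done
    # Anything else arriving from the tunnel is logged, then hits the DROP policy.
    printf '%s\n' "-A FORWARD -i $vpn_if -j LOG --log-prefix \"vpn-drop: \""
    echo COMMIT
}

# Constructed sample: VPN clients may reach SSH on one host and HTTPS on another.
vpn_ruleset 10.8.0.0/24 tun0 tcp:192.168.1.10:22 tcp:192.168.1.20:443
```

Check the output with `iptables-restore --test` before loading it. It contains no management (SSH) rule for the host itself, and forwarding also requires `net.ipv4.ip_forward=1`.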