08-15-2011, 04:03 PM   #1
karnac01

OpenVPN Network


Hello,

I have a feeling I know what the answer to this question is, but I need a second opinion. I want to set up an OpenVPN server, but I am not exactly sure where to place it. Does it go on the DMZ side or on the inside?

I was thinking it went like this:

Client VPN <--> WWW <--> Firewall <--> DMZ (OpenVPN) <--(A)

(A)---> Firewall <--> Switch

From the Switch it has access to the network. Do I have the general idea? If not, can someone please help correct me or clarify. Thanks.

Anthony
 
08-15-2011, 04:28 PM   #2
TB0ne

Quote:
Originally Posted by karnac01
Hello,
I have a feeling I know what the answer to this question is, but I need a second opinion. I want to set up an OpenVPN server, but I am not exactly sure where to place it. Does it go on the DMZ side or on the inside?

I was thinking it went like this:

Client VPN <--> WWW <--> Firewall <--> DMZ (OpenVPN) <--(A)

(A)---> Firewall <--> Switch

From the Switch it has access to the network. Do I have the general idea? If not, can someone please help correct me or clarify. Thanks.
Anthony

You can put it wherever you'd like...that's up to you and how you set up your network.

Personally, I'd put it in the DMZ, as you've outlined above.
 
08-15-2011, 04:28 PM   #3
macemoneta

If you put it in the DMZ, it is outside your private network, on the Internet. Why bother to use a VPN to connect to the Internet?
 
08-16-2011, 09:22 AM   #4
TB0ne

Quote:
Originally Posted by macemoneta
If you put it in the DMZ, it is outside your private network, on the Internet. Why bother to use a VPN to connect to the Internet?

No, the DMZ is behind the firewall, with that as the first level of protection against the Internet. You can easily control the open ports through the firewall that are allowed into the VPN server, and from there, through your interior firewall, to the internal LAN.

If the VPN box was outside the DMZ firewall, then it would be directly on the Internet.
 
08-16-2011, 09:51 AM   #5
macemoneta

A DMZ places an internal host outside the firewall. Opening ports is a NAT function, and is used to provide port level access to hosts behind the firewall.
 
08-16-2011, 09:58 AM   #6
redw0lfx

You shouldn't need to put the OpenVPN server in the DMZ, as it means you need to make sure only the VPN ports are opened (UDP 1194 and UDP 1195).

Remember, your OpenVPN server will need to allow full access to your internal network, so putting it in the DMZ would, in my opinion, reduce your protection level, as I would consider anything in the DMZ to be separate from the internal LAN.

I think what you want is:

OpenVPN Client -> WWW -> Firewall (Port forward 1194/1195 to OpenVPN server) -> OpenVPN Server (IP should be in local LAN subnet).

You can, however, configure the OpenVPN server to use a different subnet for the OpenVPN clients, forcing every packet to go through the OpenVPN server, and then further filter it or do NAT.
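
The filtering option described in post #6 (VPN clients on their own subnet, every packet routed through the OpenVPN server), as an added example that is not from any poster in this thread: a POSIX shell function that prints an iptables-restore ruleset for the OpenVPN host with forwarding denied by default. The tun0 device, UDP 1194 as the only listening port, SSH management from the LAN, and the subnets in the usage comment are assumptions; the NAT alternative is not covered.

```shell
#!/bin/sh
# Added example; interface names, subnets and ports are assumed values.
# Usage: vpn_rules VPN_NET LAN_NET LAN_IF TCP_PORT...
#   vpn_rules 10.8.0.0/24 192.168.1.0/24 eth0 22 443 | iptables-restore --test
vpn_rules() {
    [ "$#" -ge 4 ] || {
        echo "usage: vpn_rules VPN_NET LAN_NET LAN_IF TCP_PORT..." >&2
        return 1
    }
    vpn_net=$1; lan_net=$2; lan_if=$3; shift 3

    # Validate every port before printing anything, so a bad argument
    # never yields a half-written ruleset.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2
            return 1
        fi
    done

    # INPUT: only the tunnel endpoint (UDP 1194) is reachable from outside;
    # SSH is accepted from the LAN side only. FORWARD starts as default-deny.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # VPN clients reach only the listed TCP services on the LAN.
    for port in "$@"; do
        printf '%s\n' "-A FORWARD -i tun0 -o $lan_if -s $vpn_net -d $lan_net -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' "COMMIT"
}
```

Because the VPN clients sit in their own subnet, the LAN hosts need a route back to that subnet via the OpenVPN server for replies to return through it.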
 
  

