LinuxQuestions.org
05-27-2017, 02:07 PM   #1
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Where to install OpenVPN?


I want to add OpenVPN to my home LAN. The main purpose is providing secure remote access to the entire LAN rather than a specific machine (SSH). For this project I am not concerned with anonymity, hiding, evading, etc. Just having secure remote access to the LAN -- and learning something about OpenVPN.

The big question: where to install a VPN with respect to a typical home LAN while maintaining security for the LAN? (I have asked similar questions before on LQ, but I was too vague in those threads.)

I suppose the answer is "that depends."

I have a dedicated multi-purpose LAN server. Layout shown below.

Do I use port forwarding on the router and configure OpenVPN directly on my dedicated server? Is this secure?

Or configure OpenVPN on a virtual machine on the existing server? Would I need a second physical NIC to support this?

Or configure OpenVPN on a second physical "mini server" with two NICs? I prefer to avoid the cost of more hardware, but where would the device be installed?

Any thoughts and opinions are welcome.

I am running Slackware 14.2 64-bit on all LAN systems. I want to remain with Slackware for this project. I am aware of the slack docs article.

My LAN:

Code:
Test Computer ------------------------|
                                      |           |VOIP ATA|
Computer ----------------|            |               |
Computer ----------------|            |               |
Computer ----------------|            |               |
Printer -----------------|            |               |
                         |           VLAN             |
LAN Server -----------|Switch|-----|Router|--------|Switch|-----|WISP CPE|
                                     VLAN                       (Static IP)
Guest Computer -----------------------|

As always, thanks!

Side comment: I use SSH and SSHFS through port forwarding on my router. Works fine, but I want a VPN because SSH connects me to a machine whereas a VPN connects me to the network. Connecting to the network solves problems such as shortcuts, bookmarks, VNC, network mapping, and scripts functioning correctly.
 
05-27-2017, 02:22 PM   #2
Gerard Lally
Senior Member
 
Registered: Sep 2009
Location: Leinster, IE
Distribution: Slackware, NetBSD
Posts: 2,181

Whenever I've done this I've put a *BSD firewall in front of the Slackware server and installed OpenVPN on that. However, you can install OpenVPN on your LAN server; just make sure you bridge it to the internal interface. If you don't have a second NIC, create a TAP interface and bridge the VPN to that instead.
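
A sketch of the setup described in the reply above (OpenVPN on the LAN server, with a TAP device bridged to the internal interface), added here as an example and not part of any poster's message. The 192.168.1.0/24 addressing, the interface names and the file paths are assumptions.

```conf
# /etc/openvpn/server.conf: constructed example, bridged (TAP) mode.
# Assumed: LAN 192.168.1.0/24, server LAN address 192.168.1.10 on eth0,
# and the router forwarding only UDP 1194 to this server.
#
# Before OpenVPN starts (as root): create a persistent tap0, put it in a
# bridge with the internal interface, and move the server's LAN address
# from eth0 to br0:
#   openvpn --mktun --dev tap0
#   ip link add name br0 type bridge
#   ip link set dev eth0 master br0
#   ip link set dev tap0 master br0
#   ip link set dev tap0 up; ip link set dev br0 up

port 1194
proto udp
dev tap0

# server-bridge <bridge-IP> <netmask> <pool-start> <pool-end>
# VPN clients get addresses from a range the LAN's DHCP server must not use.
server-bridge 192.168.1.10 255.255.255.0 192.168.1.200 192.168.1.220

# Certificate-based authentication; paths are placeholders.
ca   /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key  /etc/openvpn/keys/server.key      # private key, keep mode 0600
dh   /etc/openvpn/certs/dh2048.pem

tls-auth /etc/openvpn/keys/ta.key 0    # packets without a valid HMAC are dropped
remote-cert-tls client                 # peer certificate must be a client certificate
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256

# Drop root after start-up; persist-* keeps the key and TAP device
# usable across restarts once privileges are gone.
user nobody
group nobody
persist-key
persist-tun

keepalive 10 120
verb 3
```

Bridged clients join the LAN's broadcast domain, so broadcast traffic from the LAN also crosses the VPN link.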
 
05-27-2017, 02:27 PM   #3
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,902

As you said, it depends. I use a Raspberry Pi 3 Model B for OpenVPN. My Pi is connected to the back of my router and port forwarded. However, you said you do not want to spend money on more hardware. The NIC is only a 10/100 Mbps connection on my Pi, so it may not be great if you have a faster internet connection; it would just create a bottleneck.

Another option is to move your router to DD-WRT or OpenWrt, if it supports it. Then install OpenVPN directly on the router. This isn't the most secure option, but it would allow you to use existing hardware that is well placed on your LAN topology.

The LAN server may be an option as well, but it depends on your NIC and available system resources. A virtual machine using a physical address may yet be your best option.

Just my
 
05-29-2017, 02:06 PM   #4
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Quote:
you can install OpenVPN on your LAN server; just make sure you bridge it to the internal interface. If you don't have a second NIC
I have spare NICs. Are you saying I should install a second NIC in the server? Like this:

Code:
Test Computer ------------------------|
                                      |           |VOIP ATA|
Computer ----------------|            |               |
Computer ----------------|            |               |
Computer ----------------|            |               |
Printer -----------------|            |               |
                         |           VLAN             |
LAN Server (eth0)-----|Switch|-----|Router|--------|Switch|-----|WISP CPE|
  (eth1)                 |           VLAN                       (Static IP)
    |                    |            |
    |--------------------|            |
                                      |
Guest Computer -----------------------|

And do I presume then that you mean I should configure OpenVPN to bind to eth1 and bridge that subnet to the LAN subnet on eth0?

Quote:
The NIC is only a 10/100 Mbps connection on my Pi, so it may not be great if you have a faster internet connection
I do not have a "fast" connection. In my diagram, WISP is an acronym of Wireless ISP. On a good day I might see about 7 Mbps down and 3 Mbps up. Connecting 10/100 Mbps NICs between the CPE and LAN switch will make no difference with Internet speed.

Quote:
A virtual machine using a physical address may yet be your best option.
Would you please provide more details? Are you saying install the VM on the server, say another Slackware install, install a second NIC like above, bind the VM to eth1, and configure the VM to bridge the two subnets? Is installing OpenVPN in a VM providing better security or isolation from the LAN?

Thanks.
 
  

