LinuxQuestions.org
Old 02-14-2011, 12:37 PM   #1
richinsc
Public Facing OpenVPN (When to use)


This is more of a security related question than a software related question, hence the post here. Within the documentation of example OpenVPN setups there is a setup that shows an OpenVPN Server with two network interfaces. One interface is plugged into the public internet network and the second interface is plugged into the private network.

Normally I assume that it would be best to place the OpenVPN system inside the network behind the router and firewall and open only the ports needed on the router to allow access to the OpenVPN system. All other router ports would be closed. This is the first example they show.

To see what I am talking about see page(s) 6-7 here -> http://www.openvpn.net/images/pdf/Op...uide_Rev_1.pdf

If one were to use the two interface public facing setup, when would that setup best be justified? I guess if you didn't want to open any ports on the router/firewall then this could be justified but then you have to lock down this public system individually instead of having it protected by the network firewall.
 
Old 02-14-2011, 12:50 PM   #2
szboardstretcher
I would never put an OpenVPN server out in the open. I would put it in a DMZ behind a Firewall.

I think the picture is misleading. It seems to leave out firewalls, routers, switches, cables or any hardware, and shows only an overview of what should happen.

I think it is *implied* that there should be a firewall behind the grey cloud.

This is also supported by the next few paragraphs in the documentation, as it mentions a border firewall that OpenVPN would be behind, and which ports would need to be open and forwarded.

I believe the reason behind this misleading graphic is that it is in the "Overview" section. Overview sections are general, and leave out minute details. In the very next section, a more fine-grained explanation of the OpenVPN architecture is explained and the graphic uses a firewall. So, I would ignore this "Overview" section, and concentrate on the 2.2.1 section of how things should be done.

Last edited by szboardstretcher; 02-14-2011 at 12:53 PM.
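
The DMZ placement discussed in this thread, written out as an nftables ruleset for a three-interface border firewall. This is an added example, not part of the original posts or of the OpenVPN documentation. The interface names, all addresses and the routed 10.8.0.0/24 client pool are assumptions; UDP 1194 is OpenVPN's default port.

```nftables
#!/usr/sbin/nft -f
# Constructed example: border firewall with WAN, DMZ and LAN interfaces.
# Assumes OpenVPN runs in routed (tun) mode without NAT on the VPN host,
# and that this firewall has a route to VPN_POOL via VPN_HOST.
flush ruleset

define WAN_IF   = "eth0"          # public internet side (assumed name)
define DMZ_IF   = "eth1"          # DMZ segment holding the OpenVPN server
define LAN_IF   = "eth2"          # private network
define VPN_HOST = 192.168.50.10   # OpenVPN server in the DMZ (assumed)
define VPN_POOL = 10.8.0.0/24     # addresses handed to VPN clients (assumed)
define LAN_NET  = 192.168.1.0/24  # private network range (assumed)
define VPN_PORT = 1194            # OpenVPN default port, UDP

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        # firewall management only from the LAN, never from WAN or DMZ
        iifname $LAN_IF tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # the only opening from the internet: OpenVPN to the DMZ host
        iifname $WAN_IF oifname $DMZ_IF ip daddr $VPN_HOST udp dport $VPN_PORT accept
        # decrypted client traffic, routed by the VPN server into the LAN
        iifname $DMZ_IF oifname $LAN_IF ip saddr $VPN_POOL ip daddr $LAN_NET accept
        # LAN hosts may reach the internet
        iifname $LAN_IF oifname $WAN_IF accept
        # everything else, including the VPN host's own address towards
        # the LAN, falls through to the drop policy and is logged
        limit rate 10/minute log prefix "fw-forward-drop: "
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN_IF udp dport $VPN_PORT dnat to $VPN_HOST
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

With this layout a compromise of the VPN host itself does not give its own address a path into the LAN; only traffic sourced from the client pool is forwarded there.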
 