[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OpenVPN

Hi, Ales.

On Thursday, 29 October 2009 06:43:31 +1100,
Alex Samad wrote:

> > I was making a first attempt to establish a VPN between my house and
> > the office. The scenery from the side of my house is the following
> > one:
> >                                                           ________
> > +----------+     +-----------+     +----------+      ____/        \___
> > | OpenVPN  |_____| GNU/Linux |_____| ADSL     |_____/     Internet    \
> > | server   |     | Firewall  |     | Router   |     \____         ____/
> > +----------+     +-----------+     +----------+          \_______/
> > 
> > Local network:
> > VPN network:
> any particular reason not to run the vpn server on the firewall !  it
> is already the default gw for your local lan and it would make routing
> easier.

We can run OpenVPN on ours firewall if we like (or need), but I think
this is not encouraged. Firewalls should be limited-purpose systems with
as little complexity as possible. Running OpenVPN on your firewall
complicates the firewall, and presents a possible attack vector for
malicious activity. Consider what happens if your firewall host is
compromised, and it's running OpenVPN: the attacker gains access to your
VPN configuration, and could conceivably construct a man-in-the-middle
attack against all your VPN clients.

> what you have below is the a sympton of the routing problem.

According to I could see, was necessary to have enable IP forwarding
and masquerading in host of OVPN server.

> also any reason you choose tun over tap - I usually default to tap.

Besides being the default configuration, I used routing by its
efficiency and scalability.

Thanks for your reply.

Fingerprint: BFB3 08D6 B4D1 31B2 72B9  29CE 6696 BF1B 14E6 1D37
Powered by Debian GNU/Linux Squeeze - Linux user #188.598

Attachment: signature.asc
Description: Digital signature

Reply to: