From: Mike M. <mwm...@mi...> - 2006-05-27 19:26:12
Ok, I've got OpenVPN set up and mostly working the way I want (I can't seem to get DNS configured properly on both ends at once, but that's more an OSX issue than an OpenVPN issue). Now I'd like to bring it in line with network security policies.

The network security policy is pretty simple: we don't allow things from outside the DMZ inside the DMZ. We don't trust things in the DMZ any more than we have to. Right now, things are configured to allow connections from outside the DMZ to the OpenVPN server inside the DMZ, in violation of the policy.

The OpenVPN clients all live inside the DMZ when they are on site, and are trusted there. I wanted to make being connected via the VPN as transparent as possible, so making the clients show up inside the DMZ was the obvious solution.

To put things back in line with the policy, I could move the OpenVPN server into the DMZ. But the clients want to access things inside the DMZ that the things currently in the DMZ don't need access to - and that I'd really rather not make accessible from the DMZ. Putting the OpenVPN server in the DMZ and having it have a VPN into the DMZ isn't obviously acceptable: hosts in the DMZ aren't trusted, so giving one access to the internal LAN is a bad thing.

Normally, when some service needs to terminate inside the DMZ, we provide a relay in the DMZ for that service. So to attack via that service, the attacker has to break into the relay box, and only then can they attack the internal server that trusts that service from the relay box. I'd like to do this with OpenVPN - but I'd like more than just a simple packet forwarder, as that's not any better than another router. I'm not sure how such a thing should behave, but the goal is that anyone attacking via the OpenVPN server should have to break into two systems to gain access to the internal LAN. Clients should wind up with the same access as they get now. Having an extra step in the middle that the client has to go through is perfectly acceptable.

Googling for "openvpn relay" doesn't turn up anything - mostly discussions of OpenVPN relaying DHCP requests (or not, as the case may be).

Thanks,
<mike

--
Mike Meyer <mw...@mi...> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
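One way to express the two-hop requirement the post describes, as an added example that is not part of the original thread: a firewall policy for a DMZ relay host that terminates the outer OpenVPN tunnel for external clients and then forwards their inner tunnel traffic only to the internal OpenVPN server's port, so a compromised relay still has to break that second server. Interface names (eth0, eth1, tun0), the internal server address 10.0.0.5 and port 1194 are assumptions.

```shell
#!/bin/sh
# Constructed example: firewall policy for a DMZ OpenVPN relay host.
# Assumptions (not from the original post): eth0 faces the Internet, eth1
# faces the internal LAN, tun0 carries the authenticated external clients,
# INTERNAL_VPN is the internal OpenVPN server the clients tunnel through.
INTERNAL_VPN="${INTERNAL_VPN:-10.0.0.5}"
VPN_PORT="${VPN_PORT:-1194}"

# Emit the ruleset as text so it can be reviewed before being applied.
# Accept rules come first and the DROP policies last, so applying this over
# an existing session does not cut the connection half-way through.
relay_rules() {
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Outer tunnel: external clients reach only the relay's own OpenVPN port.
iptables -A INPUT -i eth0 -p udp --dport ${VPN_PORT} -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport ${VPN_PORT} -j ACCEPT
# Inner tunnel: traffic from authenticated clients may go only to the
# internal OpenVPN server's port, never to arbitrary internal hosts.
iptables -A FORWARD -i tun0 -o eth1 -d ${INTERNAL_VPN} -p udp --dport ${VPN_PORT} -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -s ${INTERNAL_VPN} -p udp --sport ${VPN_PORT} -m state --state ESTABLISHED -j ACCEPT
# The relay itself originates nothing toward the LAN (no OUTPUT rule on eth1),
# so whoever owns the relay still has to break the internal OpenVPN server.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Count the rules that let traffic out toward the LAN; the policy allows
# exactly one path (tun0 -> internal OpenVPN port).
count_lan_paths() {
  relay_rules | grep -c -- '-o eth1'
}

case "${1:-}" in
  --apply)
    # Apply only as root; comment lines are stripped before execution.
    if [ "$(id -u)" -eq 0 ]; then relay_rules | grep -v '^#' | sh -e; fi ;;
  *) relay_rules ;;
esac
```

Run without arguments to print the ruleset for review; `--apply` loads it with iptables when run as root.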