VPN/IP Routing Advice Needed on WAN/LAN config.
15 years 9 months ago #29315
by yknivag
VPN/IP Routing Advice Needed on WAN/LAN config. was created by yknivag
Hello, I hope there is someone here who can help - I've learned a lot reading here for some time now.
My home network seems to be growing, and with a public-facing website on one of the machines I have some WAN traffic on my local network too, so I am, obviously, concerned about security. I'd like to be able to access all of my network when I'm away (or at work), and so there is a trade-off to be had, I guess, between tightening things down and letting myself in.
I used to do this using the built-in VPN service on my router, but as Cisco/Linksys don't offer a Linux port of QuickVPN ( linksys.custhelp.com/cgi-bin/linksys.cfg...mp;lid=8801236168B03 ) and I've now got rid of Windows from my laptop this is no longer an option. So my plan is to set up my own VPN server. Sadly (despite Linksys being owned by Cisco) the Cisco VPN client software won't talk to my Linksys router.
My network looks something like this (router doing VPN auth):
[code:1]
- WAN - Router (10.X.Y.2) -|- Server 1 (10.X.Y.3) - Public WWW Server
                           |- Server 2 (10.X.Y.4) - Fetchmail, Dovecot, NAS
                           |- Desktop (10.X.Y.5) - Desktop
                           |- etc (10.X.Y.etc) - etc
[/code:1]
My first thought was something like this:
[code:1]
- WAN - Router (10.X.Y.2) -|- Server 1 (10.X.Y.3) - Public WWW Server, OpenVPN
                           |- Server 2 (10.X.Y.4) - Fetchmail, Dovecot, NAS
                           |- Desktop (10.X.Y.5) - Desktop
                           |- etc (10.X.Y.etc) - etc
[/code:1]
My intention is to set the router to block all incoming requests on all ports except :80 which will forward to 10.X.Y.3 and the OpenVPN port which will also forward to 10.X.Y.3 (expanding any further public access services on that one machine).
Am I right in my assumption that this will protect the rest of my network from outside access but that I will be able to access the other boxes via VPN? Or do I need to do something like this (with 2 NICs in 10.X.Y.3 and 2 diff subnets):
[code:1]
- WAN - Router (10.X.Y.2) -|- Server 1 NIC 1 (10.X.Y.3) - Public WWW Server, OpenVPN
                              Server 1 NIC 2 (10.A.B.3) -|- Router 2 (10.A.B.2) -|
                                                                                 |- Server 2 (10.A.B.4) - Fetchmail, Dovecot, NAS
                                                                                 |- Desktop (10.A.B.5) - Desktop
                                                                                 |- etc (10.A.B.etc) - etc
[/code:1]
Are there any other precautions I should take, particularly on Server 1, to ensure that it is only accepting traffic from the WAN to port 80 and the OpenVPN port?
I'm guessing I'm going to have to do some fancy routing on Server 1 to get the top model to work, and also maybe with the bottom one if I need Server 1 to connect to Server 2 (or anything on Router 2 to be able to connect to the WAN!)
IP routing has never been my strong point; I guess this is obvious. Any ideas would be much appreciated...
(All the IPs above are based on a subnet mask of 255.255.255.0)
Thanks in advance.
15 years 9 months ago #29324
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: VPN/IP Routing Advice Needed on WAN/LAN config.
Hi there,
First of all, what you have highlighted is OK as a solution. Your OpenVPN service should work OK to provide VPN access into your local network; you needn't worry about routing as you will be seen as being on your internal network. I am not familiar with the OpenVPN service, but you will need to check what ports are required: if it's using standard PPTP or IPSec, then the router will need to be configured for VPN passthrough; if it's going to be using SSL VPN type technology, then just port 443 will be fine.
If you are only accepting incoming traffic on port 80 to your webserver and VPN to the webserver, then your main attack vector is going to be your webserver over HTTP. Nowadays, this is the main point of intrusion: vulnerabilities in web services. You will need to ensure that the code is written well so there are no vulnerabilities; if this is something you have written, then you will need to read up on common mistakes. If it's an open source/bought package you are running, then ensure you keep it up to date and harden the web services on the server.
If this webserver is compromised then you risk someone getting onto the other servers/machines on the LAN; if the router supports a DMZ, then if it's compromised they cannot get to the LAN. This will, however, require you to move the OpenVPN service to another server in the LAN to give you access to the other resources.
Cheers
Wayne
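Added example, not code from either post: a small Python reachability model of the two questions raised so far, namely whether the port-forwarding scheme in the first post keeps outside traffic off the other machines while still letting a VPN client at them, and Wayne's point that a compromised web server in a flat LAN can reach everything, whereas a DMZ'd one cannot (with OpenVPN then moved to a LAN host). Every address is a constructed stand-in (10.1.1.0/24 for the poster's 10.X.Y.0/24, 10.1.2.0/24 for a DMZ segment, 203.0.113.10 for the router's public address, 198.51.100.7 for an arbitrary Internet host); the UDP 1194 port and 10.8.0.0/24 tunnel pool are OpenVPN's defaults and an assumption, since the thread states neither. It also assumes Server 1 has IP forwarding enabled so decrypted tunnel traffic enters the network from Server 1's segment.

```python
"""Reachability model for the layouts discussed in this thread.

Added example, not code from either post. Addresses are constructed stand-ins:
10.1.1.0/24 plays the poster's 10.X.Y.0/24, 10.1.2.0/24 is a DMZ segment for the
variant Wayne suggests, 203.0.113.10 is the router's public address and
10.8.0.0/24 is OpenVPN's default tunnel pool (an assumption; the thread never
states the tunnel addressing or port).
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.1.1.0/24")
DMZ = ipaddress.ip_network("10.1.2.0/24")
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
SERVER1 = ipaddress.ip_address("10.1.1.3")   # web server + OpenVPN in the flat layout
SERVER2 = ipaddress.ip_address("10.1.1.4")   # fetchmail, dovecot, NAS
DMZ_WEB = ipaddress.ip_address("10.1.2.3")   # web server once moved into the DMZ
OPENVPN = ("udp", 1194)                      # OpenVPN's default transport (assumption)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str = "tcp"


def zone(ip):
    """Which segment an address belongs to; anything unknown is the outside world."""
    for name, net in (("lan", LAN), ("dmz", DMZ), ("vpn", VPN_POOL)):
        if ip in net:
            return name
    return "wan"


def router_policy(pkt, vpn_host, dmz):
    """The edge router as the first post describes it: drop every inbound request
    except :80 and the OpenVPN port, each port-forwarded (DNAT) to its server.
    In the DMZ variant the router also refuses to forward traffic that originates
    in the DMZ into the LAN. Returns the forwarded packet or None if dropped."""
    if zone(pkt.src) == "wan":
        if pkt.dst != PUBLIC_IP:
            return None                    # private addresses are not reachable from outside
        if (pkt.proto, pkt.dport) == ("tcp", 80):
            return Packet(pkt.src, DMZ_WEB if dmz else SERVER1, 80, "tcp")
        if (pkt.proto, pkt.dport) == OPENVPN:
            return Packet(pkt.src, vpn_host, OPENVPN[1], OPENVPN[0])
        return None
    if dmz and zone(pkt.src) == "dmz" and pkt.dst in LAN:
        return None                        # a compromised DMZ host cannot pivot into the LAN
    return pkt


def host_policy(pkt):
    """Host firewall on the public-facing server, the extra precaution asked about
    for Server 1: sources outside the LAN and the tunnel only get :80 and OpenVPN,
    even if the router were ever to forward something else."""
    if pkt.dst not in (SERVER1, DMZ_WEB) or zone(pkt.src) in ("lan", "vpn"):
        return True
    return (pkt.proto, pkt.dport) in (("tcp", 80), OPENVPN)


def reaches(pkt, vpn_host=SERVER1, dmz=False):
    """Address of the host that finally receives pkt, or None if it is dropped.
    Tunnel traffic (src in VPN_POOL) is modelled after decryption on vpn_host,
    which forwards it (IP forwarding on), so it enters from vpn_host's segment."""
    entry = zone(vpn_host) if zone(pkt.src) == "vpn" else zone(pkt.src)
    if entry != "wan" and entry == zone(pkt.dst):
        out = pkt                          # same segment: switched, the router never sees it
    else:
        out = router_policy(pkt, vpn_host, dmz)
    if out is None or not host_policy(out):
        return None
    return str(out.dst)


def thread_questions():
    """The cases the thread asks about, as constructed packets."""
    outsider = ipaddress.ip_address("198.51.100.7")   # an arbitrary Internet host
    laptop = ipaddress.ip_address("10.8.0.6")         # the poster, connected over the tunnel
    return {
        "wan -> web :80": reaches(Packet(outsider, PUBLIC_IP, 80)),
        "wan -> ssh :22": reaches(Packet(outsider, PUBLIC_IP, 22)),
        "wan -> openvpn": reaches(Packet(outsider, PUBLIC_IP, 1194, "udp")),
        "vpn -> server2 imap": reaches(Packet(laptop, SERVER2, 143)),
        "flat lan: web host -> server2": reaches(Packet(SERVER1, SERVER2, 445)),
        "dmz: web host -> server2": reaches(Packet(DMZ_WEB, SERVER2, 445),
                                             vpn_host=SERVER2, dmz=True),
        "dmz: vpn -> server2": reaches(Packet(laptop, SERVER2, 143),
                                        vpn_host=SERVER2, dmz=True),
    }


if __name__ == "__main__":
    for question, answer in thread_questions().items():
        print(f"{question:32} -> {answer or 'dropped'}")
```

Running it answers the first post's question in the affirmative for the flat layout (only :80 and the OpenVPN port land on Server 1, everything else from outside is dropped, and the tunnel client still reaches Server 2), and shows the trade-off Wayne describes: in the flat layout the web host can reach Server 2, in the DMZ variant it cannot, while a VPN service moved onto a LAN host keeps remote access working.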
15 years 8 months ago #29510
by yknivag
Replied by yknivag on topic Re: VPN/IP Routing Advice Needed on WAN/LAN config.
Hi Wayne,
Thanks for your very comprehensive reply (and apologies for not posting this sooner - personal circumstances intervened).
My router does support a DMZ but I'm not sure my webserver is hard enough to "stand alone" there! I have a lot to learn yet about security.
I'd just like to clarify one point, should the VPN server sit in the same logical and physical network as the devices one is trying to access from it? Or should it sit between 2 networks (like a bridge) with 2 NICs each on a different logical network?
Scenario 1:
[code:1]
WAN->Router1->VPN Server->Router2->M/C1
                                 ->M/C2 etc
[/code:1]
or scenario 2:
[code:1]
WAN->Router->VPN Server
           ->M/C1
           ->M/C2
[/code:1]
Apologies for the very "noobish" question, but this has always confused me...
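Added example, not part of any post: the two scenarios above differ mainly in who has to know the way back, so the script below models each as a set of nodes with routing tables, does longest-prefix matching, and traces a packet and its reply hop by hop. All addressing is constructed (10.1.1.0/24 for 10.X.Y.0/24, 10.2.2.0/24 for 10.A.B.0/24, 203.0.113.0/24 as the provider side of the edge router, 198.51.100.7 as a remote host, and 10.8.0.0/24 as a routed OpenVPN tunnel pool, OpenVPN's default; all assumptions). In scenario 2 the LAN hosts send replies for tunnel addresses to their default gateway, so the router needs a static route for the tunnel pool via the VPN server (or the VPN server must NAT tunnel traffic; with a bridged tunnel, where clients get LAN addresses, the question does not arise). In scenario 1, Router 1 similarly needs a route to the inner subnet via Server 1's first NIC, or replies never get back to the machines behind Router 2, which is the "fancy routing" the first post anticipates.

```python
"""Hop-by-hop routing model for the two scenarios in the post above.

Added example, not code from the thread. Each node owns some addresses and has a
routing table of (prefix, next hop); a next hop of None means directly attached.
Constructed addressing: 10.1.1.0/24 stands for 10.X.Y.0/24, 10.2.2.0/24 for
10.A.B.0/24, 203.0.113.0/24 is the provider side of the edge router and
10.8.0.0/24 is the routed OpenVPN tunnel pool (all assumptions).
"""
from ipaddress import ip_address, ip_network


class Node:
    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {ip_address(a) for a in addresses}
        self.routes = [(ip_network(p), ip_address(h) if h else None) for p, h in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next_hop) or None."""
        best = None
        for prefix, hop in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, hop)
        return best


def trace(network, start, dst, max_hops=8):
    """Follow a packet for dst from node `start`. Returns (status, path): 'delivered'
    when a node owning dst is reached, 'dropped' when a node has no route (or the
    next hop is not on the network, or the hop limit is hit)."""
    dst = ip_address(dst)
    owner = {a: n for n in network for a in n.addresses}
    node, path = start, [start.name]
    for _ in range(max_hops):
        if dst in node.addresses:
            return "delivered", path
        match = node.lookup(dst)
        if match is None:
            return "dropped", path
        _, hop = match
        node = owner.get(dst if hop is None else hop)
        if node is None:
            return "dropped", path
        path.append(node.name)
    return "dropped", path


def internet():
    # Stands in for the provider gateway and a remote host; it knows nothing about
    # private prefixes, so anything leaked to it with a private destination is lost.
    return Node("internet", ["203.0.113.1", "198.51.100.7"], [("203.0.113.0/24", None)])


def scenario2(router_has_tunnel_route):
    """VPN server is an ordinary LAN host; tunnel clients get 10.8.0.x addresses."""
    router_routes = [("10.1.1.0/24", None), ("203.0.113.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if router_has_tunnel_route:
        router_routes.append(("10.8.0.0/24", "10.1.1.3"))  # the fix: static route via the VPN server
    return [
        Node("laptop", ["10.8.0.6"], [("10.8.0.0/24", None), ("10.1.1.0/24", "10.8.0.1")]),
        Node("vpn-server", ["10.1.1.3", "10.8.0.1"],
             [("10.1.1.0/24", None), ("10.8.0.0/24", None), ("0.0.0.0/0", "10.1.1.2")]),
        Node("server2", ["10.1.1.4"], [("10.1.1.0/24", None), ("0.0.0.0/0", "10.1.1.2")]),
        Node("router", ["10.1.1.2", "203.0.113.10"], router_routes),
        internet(),
    ]


def scenario1(router1_has_inner_route):
    """Two-NIC VPN server sits between Router 1 and the inner network behind Router 2."""
    r1_routes = [("10.1.1.0/24", None), ("203.0.113.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if router1_has_inner_route:
        r1_routes.append(("10.2.2.0/24", "10.1.1.3"))  # the fix: static route via NIC 1 of Server 1
    return [
        Node("mc1", ["10.2.2.5"], [("10.2.2.0/24", None), ("0.0.0.0/0", "10.2.2.2")]),
        Node("router2", ["10.2.2.2"], [("10.2.2.0/24", None), ("0.0.0.0/0", "10.2.2.3")]),
        Node("vpn-server", ["10.1.1.3", "10.2.2.3", "10.8.0.1"],
             [("10.1.1.0/24", None), ("10.2.2.0/24", None), ("10.8.0.0/24", None),
              ("0.0.0.0/0", "10.1.1.2")]),
        Node("router1", ["10.1.1.2", "203.0.113.10"], r1_routes),
        internet(),
    ]


def round_trip(network, src_name, dst, reply_from, reply_dst):
    """(forward trace, reply trace) for one exchange on the given network."""
    by = {n.name: n for n in network}
    return trace(network, by[src_name], dst), trace(network, by[reply_from], reply_dst)


def scenario2_round_trip(static_route):
    # The laptop on the tunnel talks to Server 2's IMAP; Server 2 answers to 10.8.0.6.
    return round_trip(scenario2(static_route), "laptop", "10.1.1.4", "server2", "10.8.0.6")


def scenario1_round_trip(static_route):
    # M/C1 reaches a remote host; the reply is traced from Router 1 after its NAT
    # has rewritten the destination back to M/C1's private address.
    return round_trip(scenario1(static_route), "mc1", "198.51.100.7", "router1", "10.2.2.5")


if __name__ == "__main__":
    for label, fn in (("scenario 2", scenario2_round_trip), ("scenario 1", scenario1_round_trip)):
        for fixed in (False, True):
            fwd, back = fn(fixed)
            print(f"{label}, static route {'present' if fixed else 'missing'}: "
                  f"out {fwd[0]} via {'>'.join(fwd[1])}; back {back[0]} via {'>'.join(back[1])}")
```

In both scenarios the outbound trace succeeds, and in both the reply is lost at the provider side until the static route is present, which is the one piece of routing either layout needs beyond IP forwarding on the VPN server.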