OpenVPN to VLAN

Started by guest39556, October 22, 2023, 05:34:53 AM

I am looking to set up a VPN server that will allow me to access my VLAN for my server from my local network (i.e. I want to be able to use the VPN only when I'm on my local network). Is there a guide or process for setting this up?

You need to unpick your requirements:

"allow me" - is a firewall rule which is on layer 3 i.e. between IP addresses/subnets.
"my VLAN for my server" - is a layer 2 separation device which usually matches a subnet.
"my local network" - is a group of subnets or a single subnet.
"a VPN server" - indicates yet another subnet in the form of a tunnel.

Subnets communicate with each other through routers:

LAN subnet -> OPNsense router/firewall -> VPN subnet -> VPN Server -> Server VLAN subnet

The first bit is out of the box and therefore easy. The second leg is a VPN tunnel to your VPN server. The rest is unclear. Are you running the VPN from "my server" or is there a device in between? If so, what is that device?

Draw a diagram for yourself and add VLAN numbers, VPN names and IP subnets. Ensure that there are routes from the client to the server and from the server back to the client. Add an attacker to the diagram as a second client that should not have access. Formulate firewall rules to allow one and deny the other client.

If you can't work that out, share the diagram here with your thoughts and indicate where you get stuck.

Bart...

I'm not sure I understand what you're saying. I have a device on my LAN (192.168.1.0/24) that I want to talk to another device on my VLAN (192.168.150.0). I don't want this line to be open all the time, which is why I assumed setting up a local VPN would be an option. Is this the right approach?

If you don't trust yourself and your local, yes a VPN may be an option. But actually, you'd have to set up a server on the target host itself.

But jokes aside: You just may want to add a pass rule on the LAN interface to allow traffic with destination in the VLAN network for the intended traffic. To limit its usage you might switch on/off your rules manually or on a schedule.

I may consider doing that for the server host. I would like to keep this machine entirely isolated from my LAN since it will be hosting public facing web services. Thanks for the idea!

I permit public facing servers access to the Internet but not to my internal LAN or other local networks.
I permit my internal LAN full access to these public facing servers.

Why not? Which problems do you expect or which attack vector? I'm "old school". I believe in zones with different levels of trust and a strict order. But why would I allow my desktop system access to "the server" via SSH only at certain times or only via VPN?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Wouldn't having the LAN be able to access the VLAN nullify the point of segregating the networks? Maybe I'm misunderstanding, but if the VLAN and LAN can talk to each other, is there any separation?

The LAN is trustworthy. The server network is not. So the server network can never initiate a connection to the LAN. But the trustworthy LAN can initiate a connection to the server network any time.

Firewall policies are uni-directional in most cases.

Quote from: anonymous4519576 on October 25, 2023, 08:43:38 PM
Wouldn't having the LAN be able to access the VLAN nullify the point of segregating the networks? Maybe I'm misunderstanding, but if the VLAN and LAN can talk to each other, is there any separation?

The reason behind network segmentation is to reduce the attack surface dramatically: You allow only those services that are supposed to happen. Yes, an attacker who has credentials for your SSH or is able to exploit a security issue is not withheld by the firewall. However: An attempt to access e.g. SMB/CIFS shares is rendered impossible.

That way you only need to make sure SSH services are secure and safe (up-to-date, adequate credentials' strength, matching certificates, allowed users only, ...)

No VPN will help you with that.

Always keep in mind that a

firewall / VPN / (arbitrary security measure with or without intelligence) / correct service configuration / application layer gateway / ids / ips / dns bl / ....

can only be a puzzle piece of your IT's security and should match your requirements.
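To make the policy described in this thread concrete (a pass rule on the LAN interface for only the intended traffic into the server VLAN, the uni-directional nature of stateful rules, and SMB/CIFS being unreachable while SSH is allowed), here is a small simulation added as an example. It is not code from the thread, from OPNsense or from Deciso; it models first-match, stateful filtering the way a pf-based firewall behaves (a passed packet creates a state, and the reply direction is accepted from the state table without consulting the rules). It assumes the server VLAN is 192.168.150.0/24 (the thread only gives 192.168.150.0), that SSH on port 22 is the "intended traffic", and that the two interfaces are named LAN and SERVERS; the packets are constructed sample flows, not captured traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the thread; the /24 on the server VLAN is an assumption.
LAN = ipaddress.ip_network("192.168.1.0/24")
SERVERS = ipaddress.ip_network("192.168.150.0/24")
# Used to express "Internet, but not any local network".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "LAN" or "SERVERS" (assumed names)
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    iface: str
    action: str                          # "pass" or "block"
    proto: Optional[str]                 # None = any protocol
    src: Optional[ipaddress.IPv4Network] # None = any source
    dst: Optional[ipaddress.IPv4Network] # None = any destination
    dport: Optional[int]                 # None = any port
    dst_not_private: bool = False        # True = destination must be outside RFC1918

    def matches(self, p: Packet) -> bool:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.dst_not_private and any(dst in n for n in RFC1918):
            return False
        return True


class StatefulFirewall:
    """First-match rule evaluation with a state table for established flows."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # 5-tuples of flows that were passed by a rule

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Replies to an already-passed flow are accepted by state, not by rules:
        # this is what makes the policy uni-directional yet usable.
        if key in self.states or reverse in self.states:
            return "pass (state)"
        for r in self.rules:
            if r.iface == p.iface and r.matches(p):
                if r.action == "pass":
                    self.states.add(key)
                return r.action
        return "block (default deny)"


# The policy from the thread: LAN may initiate the intended traffic (SSH) into the
# server VLAN; the server VLAN may reach the Internet but never a local network.
POLICY = [
    Rule("LAN", "pass", "tcp", LAN, SERVERS, 22),
    Rule("LAN", "pass", None, LAN, None, None, dst_not_private=True),
    Rule("SERVERS", "block", None, SERVERS, LAN, None),
    Rule("SERVERS", "pass", None, SERVERS, None, None, dst_not_private=True),
]


def run_scenarios() -> dict:
    """Constructed sample flows; returns the verdict for each one."""
    fw = StatefulFirewall(POLICY)
    results = {}
    # Desktop on the LAN opens SSH to the server: the intended traffic.
    results["lan_ssh_to_server"] = fw.filter(Packet("LAN", "tcp", "192.168.1.10", 51000, "192.168.150.5", 22))
    # The SSH reply comes back on the SERVERS interface and is allowed by state only.
    results["server_ssh_reply"] = fw.filter(Packet("SERVERS", "tcp", "192.168.150.5", 22, "192.168.1.10", 51000))
    # SMB from the LAN to the server is not an intended service, so default deny applies.
    results["lan_smb_to_server"] = fw.filter(Packet("LAN", "tcp", "192.168.1.10", 51001, "192.168.150.5", 445))
    # A compromised server trying to reach an SMB share on the LAN hits the explicit block.
    results["server_smb_to_lan"] = fw.filter(Packet("SERVERS", "tcp", "192.168.150.5", 40000, "192.168.1.10", 445))
    # The public-facing server may still talk to the Internet (203.0.113.0/24 is documentation space).
    results["server_to_internet"] = fw.filter(Packet("SERVERS", "tcp", "192.168.150.5", 40001, "203.0.113.7", 443))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} -> {verdict}")
```

The point the simulation makes is the one the posts make: only the LAN can open a connection into the server VLAN, and only on the port you chose, while the server's replies get through because a state exists, not because any rule allows the server VLAN to reach the LAN. Toggling the LAN pass rule by hand or on a schedule, as suggested above, would correspond to removing the first `POLICY` entry; existing states would still carry until they expire.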