Lee H. Marzke on 21 Sep 2012 12:50:00 -0700



Re: [PLUG] VPN design for home use


There is no way you're going to get FIOS speeds with a small consumer
appliance router like the WRT-54...

I would recommend a perimeter solution.   Generally this means a dedicated
small form-factor box running your firewall/VPN/router.   I've been
using Endian's open-source solution on a dedicated box but have recently
switched to pfSense (BSD-based) running in a VM.
 
Your server belongs in a DMZ zone that doesn't have unrestricted access to
your internal network.  But you can allow LAN traffic to the DMZ so your
laptops can talk to that server.

For security, generally the FIOS connection should go only to the
perimeter firewall, and the LAN segment should not share the same
Ethernet NIC or cable segment with the DMZ or FIOS.

What I have done lately is run ALL of this on one VMware host.
- About a dozen servers ( Linux, Solaris, Windows )
- pfSense firewall/router/VPN - all connected via vSwitches or VLANs to a physical switch
- Nexenta ZFS storage ( converts 6 local SATA disks to a SAN )
  free version limited to 18TB
- vCenter management server

I was considering presenting a talk about a "Data Center in a box" because
I think it's really impressive that all this can run on one physical host.
Actually it's a half-height rack with a Dell 2970 server, Cisco switch, and UPS
and NAS backup device.

Would anyone be interested in this talk?   I can also talk about
how to use VLANs to run an unlimited number of isolated Ethernet
networks over one or two (redundant) connections.

Lee



> From: "Rich Freeman" <r-plug@thefreemanclan.net>
> To: plsnyder@drexel.edu, "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Friday, 21 September, 2012 1:51:53 PM
> Subject: Re: [PLUG] VPN design for home use
> 
> On Fri, Sep 21, 2012 at 1:39 PM, Paul L. Snyder <plsnyder@drexel.edu>
> wrote:
> > Option 1: Use the server as a VPN gateway. Add a second gigabit NIC and
> > hang a switch off of it; connect all the other wired devices to the switch.
> > Set up the server as an OpenVPN gateway to the VPN tunnel.
> 
> I'd probably just do this.  If you're going to tunnel everything
> through a VPN going both ways then it really doesn't matter how many
> layers of NAT you have to traverse.  The router doesn't have to do
> anything special - it just sees you have one PC on your network and it
> just keeps one connection open 24x7.
> 
> > And, as a final wrinkle...once all this is set up, I'd like to be able to
> > connect my laptop back to my home network when I'm on the road.
> 
> I'd think that as long as your remote IP is stable on the other end of
> the home VPN that you should be able to tunnel a VPN through that VPN.
> If your VPN provider has some cleaner solution by all means use it,
> but if you're running a linux server as a router, then it just runs
> two VPN daemons.  One creates an interface that the local LAN NATs
> into with firewalling.  The other creates an interface bridged onto
> your local network, and it sends its data through the first VPN
> interface.
> 
> I have little practical experience with VPNs, but I'd think something
> like this should be pretty do-able.
> 
> Rich
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> 

-- 
"Between subtle shading and the absence of light lies the nuance of iqlusion..." - Kryptos 

Lee Marzke, lee@marzke.net http://marzke.net/lee/ 
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM 
+1 800-393-5217 office +1 484-348-2230 fax 
+1 610-564-4932 cell sip://8003935217@4aero.com VOIP 
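The three-zone layout Lee describes (FIOS only on the perimeter box, LAN may reach the DMZ, DMZ never reaches the LAN) together with the two-daemon VPN arrangement from Rich's quoted reply, as an added example that is not part of either message: a POSIX shell script for a Linux box acting as the perimeter router, using iptables. Interface names (eth0, br0, eth2, tun0, tap0), the bridge and the OpenVPN port are assumptions.

```shell
#!/bin/sh
# Added example: three-zone firewall for a Linux box used as the perimeter
# router (WAN / LAN / DMZ) plus the two-daemon VPN layout from the thread.
# Interface names and the bridge name are assumptions:
#   eth0 = FIOS uplink; nothing on it is exposed, it only carries the
#          outbound provider tunnel (replies arrive as ESTABLISHED).
#   br0  = LAN bridge (wired LAN + tap0 from the road-warrior OpenVPN daemon).
#   eth2 = DMZ segment holding the server.
#   tun0 = outbound tunnel to the VPN provider; LAN and DMZ are NATed into it.
# Prints the rules by default; APPLY=1 executes them.
WAN=eth0; LAN=br0; DMZ=eth2; VPN_OUT=tun0

ipt() {
  if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

firewall_rules() {
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Firewall administration from the LAN only.
  ipt -A INPUT -i "$LAN" -j ACCEPT
  # The road-warrior OpenVPN daemon is reached at the provider-assigned
  # address, so its traffic arrives via tun0, never via eth0 (UDP 1194 assumed).
  ipt -A INPUT -i "$VPN_OUT" -p udp --dport 1194 -j ACCEPT
  # LAN may initiate to the DMZ server; the DMZ never initiates to the LAN.
  ipt -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT
  ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
  # LAN and DMZ reach the Internet only through the provider tunnel.
  ipt -A FORWARD -i "$LAN" -o "$VPN_OUT" -j ACCEPT
  ipt -A FORWARD -i "$DMZ" -o "$VPN_OUT" -j ACCEPT
  ipt -A FORWARD -o "$WAN" -j DROP
  ipt -t nat -A POSTROUTING -o "$VPN_OUT" -j MASQUERADE
}

# Sanity check: number of FORWARD rules accepting traffic from interface $1
# to interface $2 (0 for DMZ -> LAN is the property we care about).
forward_accepts() {
  firewall_rules | grep -c -- "-A FORWARD -i $1 -o $2 -j ACCEPT"
}

firewall_rules
```

Enabling net.ipv4.ip_forward and bridging tap0 into br0 are done outside this script.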

