Firewall in front of a router: where should I run the OpenVPN service?

Hi,

Having the following setup, where “Router” is connected to “Firewall” using its eth1 (WAN) port which is not part of its bridge and where “Router” defines rules for inter-vlan traffic:


Internet --- ISP router --- Firewall --- Router --- rest of the LAN (switches, ap, workstations, etc connected to the ethernet ports)
             (untrusted)   (OPNsense)  (Mikrotik)
                                |
                           DMZ Servers

If both “Firewall” and “Router” are capable of running OpenVPN instances and if resources are available on both devices to run OpenVPN, where should I deploy the OpenVPN server instances to allow two groups of remote (on the internet) users to access two specific VLANs (id 100 and 200) on the LAN?


  • is it on “Firewall” + make the “Firewall” tag traffic with id 100 or 200 depending on the VPN server instance + use an additional cable from “Firewall” to a trunk port (i.e. not eth1) of the “Router” which is part of the bridge?
  • is it on “Router” + make the “Firewall” pass the traffic related to VPN to “Router” using the existing eth1 port + accept incoming traffic to the VPN server on the “Router” eth1 (WAN) port?
  • is it on “Router” + use an additional cable from “Firewall” to another port of the “Router” (for instance eth2) + make the “Firewall” pass the traffic related to VPN to the “Router” eth2 port + accept incoming traffic to the VPN server on the “Router” eth2 port?
  • Other?

I implemented the first option but I wonder if it is the right way to achieve this.

Thank you,

Ideally you would run the VPN on a server inside the DMZ. The second choice would be the firewall itself.

Reasoning: if you terminate the VPN inside the firewalled network, then a potentially malicious user who successfully established a VPN would have a free way into the LAN. If the VPN is terminated on the firewall or in a DMZ, then the firewall has the opportunity to inspect traffic exiting and entering the VPN tunnel and act on it.
Depending on the requirements of the VLAN traffic, I wouldn’t even bother with VLANs etc. over the router. If it’s normal unicast IP traffic, then the router should pass it just fine. If you want to make the VPN client “a full member of the LAN” (for broadcast traffic, e.g. mDNS), then yes, you have to pull some tricks.
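As an added illustration of the point made above (example code, not from any poster in this thread): when both OpenVPN instances terminate on the firewall, the firewall sees the decrypted tunnel traffic and can restrict each instance's clients to their own VLAN with a default-deny policy. The tunnel interface names and subnets below are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread):
#   OpenVPN instance for group A: tunnel 10.8.100.0/24 -> VLAN 100 = 192.168.100.0/24
#   OpenVPN instance for group B: tunnel 10.8.200.0/24 -> VLAN 200 = 192.168.200.0/24
VPN_POLICY = {
    "ovpn100": ("10.8.100.0/24", "192.168.100.0/24"),
    "ovpn200": ("10.8.200.0/24", "192.168.200.0/24"),
}

def build_rules(policy):
    """One pass rule per tunnel interface; anything not matched is dropped."""
    rules = []
    for iface, (tun_net, vlan_net) in policy.items():
        rules.append({
            "in_if": iface,
            "src": ipaddress.ip_network(tun_net),
            "dst": ipaddress.ip_network(vlan_net),
            "action": "pass",
        })
    return rules

def evaluate(rules, in_if, src, dst):
    """First-match evaluation of a decrypted tunnel packet; default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["in_if"] == in_if and src_ip in r["src"] and dst_ip in r["dst"]:
            return r["action"]
    return "block"

def demo():
    rules = build_rules(VPN_POLICY)
    # Constructed sample flows: (tunnel interface, client address, destination)
    flows = [
        ("ovpn100", "10.8.100.5", "192.168.100.20"),  # group A -> VLAN 100: pass
        ("ovpn100", "10.8.100.5", "192.168.200.20"),  # group A -> VLAN 200: block
        ("ovpn200", "10.8.200.7", "192.168.200.9"),   # group B -> VLAN 200: pass
        ("ovpn200", "10.8.200.7", "192.168.1.1"),     # group B -> other LAN: block
        ("ovpn200", "10.8.100.5", "192.168.100.20"),  # group A address on B's tunnel: block
    ]
    return [(flow, evaluate(rules, *flow)) for flow in flows]

if __name__ == "__main__":
    for flow, verdict in demo():
        print(flow, "->", verdict)
```

If the VPN were terminated on the router behind the firewall instead, the firewall would only see the encrypted UDP stream and none of these per-destination rules could be applied there.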

@mkx Thanks for your answer

I chose the 2nd option with the exact same reasoning. (But I left the VPN server instances on the firewall.)

Thank you

Furthermore, when you run OpenVPN on the OPNsense firewall it would presumably be the openvpn.net implementation.
That is massively better than the “OVPN” in RouterOS.

Had I seen this from the start I would not even have asked the question :smiley: Thank you.