> > So I would set up openvpn on my remote server and connect to it from:
>
> Here's a few ideas about the subject, some options to think about.
>
> > 1. my local print server for printing
>
> Look into routed vpn networks. If I were in your case I would probably
> set up a VPN server on (one of) my firewall(s) and then either
> route/allow :641 traffic to the remote print server through the VPN or
> simply redirect :641 connections through the VPN, just like port
> forwarding for NATed servers behind firewalls. In this configuration,
> the remote print server is really a VPN client rather than a server.

That sounds good.

> > 2. my laptop for ssh and imap
>
> I like to allow myself, with my laptop, to connect to my SOHO-sized
> server setup through a VPN. To this end I tell the gateways on select
> subnets to route through to the VPN, and tell the VPN server to route
> to those subnets' gateways. That way I can configure any computer
> (through the vpn, of course) without having to worry about opening it
> to external connections. If you wanted to make the VPN transparent,
> you could NAT the VPN traffic instead, and make it look like it came
> from the VPN server itself.

Can't say I understand this but I have some reading to do about VPN.

> I cringe at the idea of having to use a VPN for imap, however.

Why? Would you say the same of using it for SMTP?

> > Could I also only allow access to my website's admin pages through
> > openvpn?
>
> You could, but it might be a little tricky, depending on your setup.
> If it were my goal, I would probably put the server pages in a
> directory and control access to that directory to only VPN addresses
> (again, this assumes a routed vpn). Or you could put it on a different
> server entirely.
>
> However, I would do no such thing. I would want to use an entirely
> different access scheme for website admin, using a user login to
> perhaps an ssl protected webpage, or if I were really concerned, HTTP
> authentication. I would not want my web admins, who likely enjoy the
> ease with which they can manipulate their web pages, to be allowed on
> the VPN, and wouldn't want to set it up on their computers or worry
> about them getting viruses and the like. It's hard for a virus to
> transmit in a meaningful fashion over FTP and access to webpages, but
> trojans on a VPN client give the trojan controller the same access to
> the VPN -- and a copy of the client's certificates. I am not quick to
> pass out trusted certs for my vpn.

I was thinking authentication + VPN, but maybe that's overkill.

I kinda like the idea of everything non-public going through the VPN.
Nobody should be in there but me so there's no trust problem. Is that
too much?

There are only three machines involved here:

1. remote web/mail server, print client
2. local firewall/router/print server
3. local web/mail/print client

I think it would make sense to make machine #2 the VPN server, but it
is not nearly as reliable as machine #1 in terms of the internet
connection and the hardware (machine #2 is getting old). I would hate
to be out of town and lose access to all email services because
machine #2 goes down. Machine #1 basically never goes down. Could I
make #1 the VPN server to maximize reliability and have everything
work the way I want it to?

- Grant

> In short, better uses of the VPN in this case would probably be remote
> access to the corp. network from your laptop and secure access to
> remote print servers from whatever the number of hosts.

--
gentoo-user@lists.gentoo.org mailing list
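An added sketch, not taken from this thread or written by its participants, of the layout Grant asks about at the end: machine #1 (the reliable remote web/mail server) runs the OpenVPN server, machine #2 (the home firewall/print server) is a routed VPN client that owns the home LAN, the laptop is a plain road-warrior client, and the website's admin directory is reachable only from VPN addresses plus a login. The 10.8.0.0/24 pool, the 192.168.1.0/24 home LAN, the certificate CN `home-firewall`, the file paths, Apache 2.2 access syntax and IPP on TCP 631 (the quoted reply writes :641) are all assumptions.

```conf
# /etc/openvpn/server.conf on machine #1 (remote web/mail server acting as VPN server)
port 1194
# dev tun = routed VPN; clients get addresses from 10.8.0.0/24 (assumed pool)
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# HMAC-sign the TLS handshake so packets without the shared key are dropped early
tls-auth ta.key 0
# laptop and home firewall may reach each other through the server
client-to-client
# per-client settings live in ccd/<certificate CN>
client-config-dir ccd
# the home LAN (assumed 192.168.1.0/24) is reachable through the tun interface...
route 192.168.1.0 255.255.255.0
# ...and road-warrior clients (the laptop) are told the same route
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody

# /etc/openvpn/ccd/home-firewall on machine #1 (machine #2's certificate CN, assumed)
# Machine #2 is a VPN client; iroute tells the server the home LAN sits behind it.
iroute 192.168.1.0 255.255.255.0

# Apache 2.2 syntax on machine #1: admin pages only from VPN addresses AND with a login
<Directory "/var/www/localhost/htdocs/admin">
    Order deny,allow
    Deny from all
    Allow from 10.8.0.0/24
    AuthType Basic
    AuthName "Site admin"
    AuthUserFile /etc/apache2/admin.htpasswd
    Require valid-user
    Satisfy All
</Directory>

# /etc/cups/cupsd.conf on machine #2: accept IPP (TCP 631) from the LAN and the tunnel
Port 631
<Location />
    Order allow,deny
    Allow from 192.168.1.0/24
    Allow from 10.8.0.0/24
</Location>
```

Machine #2 must have IP forwarding enabled and its firewall must permit traffic between the tun interface and the LAN; because #2 is already the LAN's default gateway, the LAN hosts need no extra route for 10.8.0.0/24. If machine #2 is down, only the home LAN side drops off; the laptop still reaches mail and ssh on #1 through the tunnel, which is the reliability property Grant is after.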