Site-to-site OpenVPN multiple subnets
-
My head office has two subnets that we would like to tunnel out to remote offices. These subnets are in two different security zones and segmentation must be maintained.
Should I be using dedicated OpenVPN servers for each subnet or can one server with routing maintain the segmentation?
Can someone explain how best to go about this, or point me to a link?
Thanks
-
You can control access to those from all clients on the OpenVPN tab.
Multiple OpenVPN servers with multiple assigned interfaces can give you a bit more granularity regarding the source addresses/locations.
You didn't really give much to go on, like what the locations are (site-to-site, remote access, etc.), which direction the connections are flowing, etc.
-
Sorry. Basically it's a head office as the hub and branch offices as spokes. It would be a site-to-site config.
Are you referring to the Firewall tab for the OpenVPN interface?
-
Yes. The firewall rules on OpenVPN govern which connections are passed from OpenVPN endpoints.
The firewall rules on the local interfaces govern what connections are passed from those networks into wherever - including OpenVPN endpoints.
-
Would I use any custom entries for routes on the OpenVPN server? Would I be correct in saying that the head office should be set up under OpenVPN - Servers and the branch offices set up under OpenVPN - Clients?
-
Probably.
These days you rarely need to use any custom options.
Just enter the right things in the Local and Remote Networks (and CSOs if you are using an SSL/TLS server) and pass the desired traffic in the firewall rules.
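To make the Local Networks / Remote Networks / CSO mapping concrete, here is an added example of what those fields produce in a plain OpenVPN SSL/TLS hub-and-spoke setup; it is not from the poster or the pfSense project, and every address, file name and certificate CN in it is assumed for illustration.

```conf
# ---- Head office (hub) server, SSL/TLS mode, routed tun ----
# Assumed: zone A = 10.10.0.0/24, zone B = 10.20.0.0/24,
#          tunnel = 10.8.0.0/24, branch1 LAN = 192.168.1.0/24
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0      # tunnel network handed to spokes
ca ca.crt
cert hub.crt
key hub.key
dh dh.pem
tls-auth ta.key 0
remote-cert-tls client             # only accept certs issued as clients

# "Local Networks": each entry becomes a route pushed to every spoke.
# Both zones are pushed, so every spoke gets a PATH to both; what keeps
# the zones segmented is the firewall rules on the OpenVPN interface
# (e.g. allow 192.168.1.0/24 -> 10.10.0.0/24 only), not the routes.
push "route 10.10.0.0 255.255.255.0"   # zone A
push "route 10.20.0.0 255.255.255.0"   # zone B

# "Remote Networks": a kernel route from the hub toward the spoke LAN,
# sending that traffic into the tun interface.
route 192.168.1.0 255.255.255.0

# CSOs live here, one file per spoke, named after the cert CN.
client-config-dir ccd

# ---- ccd/branch1 (the CSO for the spoke whose cert CN is "branch1") ----
# iroute tells the OpenVPN process WHICH connected client owns
# 192.168.1.0/24. The kernel route above only gets packets into tun;
# without the iroute, OpenVPN has no client to deliver them to, which is
# why SSL/TLS servers need a CSO per spoke (shared-key tunnels have one
# peer and do not).
iroute 192.168.1.0 255.255.255.0

# ---- Branch office (spoke) client, branch1 ----
# It needs no route lines of its own: the two head-office routes arrive
# via the push directives above.
client
dev tun
proto udp
remote hub.example.invalid 1194    # placeholder hub address
ca ca.crt
cert branch1.crt
key branch1.key
tls-auth ta.key 1
remote-cert-tls server
```

The three sections above are three separate files on two hosts; they are shown in one block only for side-by-side reading.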
-
Can you expand on why CSOs are used and why they are needed with SSL/TLS servers?
Thanks.