Always-on VPN for offsite server

Red Squirrel ([H]F Junkie, joined Nov 29, 2009, 9,211 messages)
I have an offsite server hosted in a data centre; it is my mail/web server and is used for anything that needs to be public facing. I will be getting a fibre connection soon, so it seems to me it would be very feasible to treat this server as "part of the network" via an always-on VPN. Is this something that can be done? Basically the server would have a local IP that is routable throughout my network, in addition to its external IP. I would have NFS shares and other stuff that is accessible only within this tunnel.

Ideally I'd also want this solution to support having multiple servers in case I add more in the future.

Also if this server was to be compromised would there be a risk of having bad traffic spill onto my internal network?
 
What OS is the offsite server running, and is it behind any routers or does it have a public IP?
 
Oh yeah, OS would help. Mostly everything is running CentOS. The server (and any future servers I may add) is public. Leased from a data centre, so I get multiple dedicated IPs.

The stuff at home is private and behind a firewall though. The VPN server would most likely be at my house. I'm thinking something with OpenVPN, maybe? It has to be an always-on tunnel though, and if connectivity is lost it auto-reconnects, etc.

I'm also concerned about security if the online server were to get compromised; I don't want it to be possible for that traffic to spill onto my internal network, so if doing this can compromise security, I'd rather not do it. Then again, the VPN range could be a separate network and I'd just have to set firewall rules to restrict stuff.
 
Yeah, OpenVPN will run a persistent connection. I use it for multiple offices. Is this server yours, or some sort of shared box?
 
OpenVPN would work just fine, as would L2TP/IPsec.

If you really wanted to get ambitious you could use a router/firewall as the client and make it a routable network. What are you using for your firewall at home?
 
Yeah, the server is mine (leased), though I don't have access to add hardware to it such as a router. The firewall at home is pfSense.
 
I would go IPsec (super easy in pfSense), but if you can't put in a firewall at the DC it sounds like OpenVPN would be best for your situation. You would install the OpenVPN client on your CentOS server, and the OpenVPN server can be pfSense. Then you just need to configure it the way you need, which can actually be a bit of a pain but is certainly doable.
 
Cool, sounds like OpenVPN is the best bet then. I already have an OpenVPN server (could never figure out how to get it to work in pfSense) so I may use that. It's kinda outdated though, so I'll probably end up reinstalling a newer OS and whatever OpenVPN version is in those repositories.
 
Don't treat it as internal to your LAN, though. It's a public box and should be treated as public with regards to your own LAN. Make a DMZ for it.
 
That's what I'm thinking too, as I don't want traffic from that server to somehow spill onto my LAN. Basically it would have two IPs, the external and the internal; the internal one would be accessible from my home network, but it would still be restricted. That server would have very little access to my network, if any. I'm even thinking of just forgetting this idea altogether; I was more or less curious whether it can be done.
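An added example, not from any poster in this thread, of what the setup discussed above (OpenVPN client on the CentOS box, pfSense as the server, the tunnel treated as a DMZ) would look like on disk. The script writes an always-on client config whose persistence directives give the auto-reconnect behaviour asked for, checks that none of them were dropped, and emits the pf rules the pfSense OpenVPN interface would need so the server can only reach one NFS host. The endpoint name, subnets, interface name `ovpns1`, certificate paths and NFS server address are assumptions for illustration; NFSv4 on port 2049 is assumed (NFSv3 would also need rpcbind and mountd opened).

```shell
#!/bin/sh
# Added example (not the thread's own config). All names/addresses below are assumptions.
set -eu

HOME_VPN_ENDPOINT="vpn.example.org"   # assumed: public name/IP of the pfSense box at home
VPN_NET="10.8.0.0/24"                 # assumed: tunnel subnet the OpenVPN server hands out
LAN_NET="192.168.1.0/24"              # assumed: home LAN
NFS_SERVER="192.168.1.10"             # assumed: the one internal host the offsite box may reach

# Write an OpenVPN client config for the CentOS server. The reconnect directives
# (resolv-retry, persist-*, keepalive) are what make the tunnel "always on":
# a dead link is noticed by the keepalive pings and re-established without
# re-reading keys or tearing down tun0.
gen_client_config() {
  out="$1"
  cat > "$out" <<EOF
client
dev tun
proto udp
remote $HOME_VPN_ENDPOINT 1194
nobind
# Reconnect behaviour: keep resolving forever, keep key and tun across restarts,
# ping every 10s and restart the link after 60s of silence
resolv-retry infinite
persist-key
persist-tun
keepalive 10 60
# Only accept a server certificate with the TLS Server EKU, so another client cert cannot pose as the server
remote-cert-tls server
# HMAC on the control channel before any TLS handshake is attempted
tls-auth /etc/openvpn/ta.key 1
ca /etc/openvpn/ca.crt
cert /etc/openvpn/mailserver.crt
key /etc/openvpn/mailserver.key
# Ignore routes pushed by the server; only the NFS host goes through the tunnel
route-nopull
route $NFS_SERVER 255.255.255.255
# Drop privileges once the tunnel is up
user nobody
group nobody
verb 3
EOF
}

# Return 0 only if every directive an unattended, reconnecting client needs is present.
check_persistent_config() {
  conf="$1"
  for d in 'resolv-retry infinite' 'persist-key' 'persist-tun' 'keepalive' \
           'remote-cert-tls server' 'route-nopull'; do
    grep -q "^$d" "$conf" || { echo "missing directive: $d" >&2; return 1; }
  done
  return 0
}

# pf rules for the pfSense side, written by hand in the form the GUI rules on the
# OpenVPN interface compile to. The pass rules must come before the block because
# all three are "quick". Anything else from the tunnel to the LAN is dropped and logged.
gen_pf_rules() {
  cat <<EOF
pass in quick on ovpns1 proto tcp from $VPN_NET to $NFS_SERVER port 2049 flags S/SA keep state
pass in quick on ovpns1 proto udp from $VPN_NET to $NFS_SERVER port 2049 keep state
block in log quick on ovpns1 from $VPN_NET to $LAN_NET
EOF
}

# Stand-alone run: write the config next to the script and print the rules.
if [ "${1:-}" = "run" ]; then
  gen_client_config ./home.conf
  check_persistent_config ./home.conf
  gen_pf_rules
fi
```

With the OpenVPN 2.4 packages from EPEL on CentOS 7 (an assumption about the reinstall mentioned above), the file would go to `/etc/openvpn/client/home.conf` and `systemctl enable --now openvpn-client@home` keeps it up across reboots; the pf rules are entered as firewall rules on the OpenVPN interface in the pfSense GUI rather than pasted verbatim. Note that `route-nopull` on the client is only a courtesy: the real boundary is the block rule at home, since a compromised server can rewrite its own config.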
 