Security – Where to put OpenVPN server – DMZ or LAN

Tags: dmz, openvpn, security, smoothwall, vpn

We have a Smoothwall firewall with both a "green" network (LAN) and an "orange" network (DMZ), and we would like to use OpenVPN access server as our VPN server.

The question is: Should the VPN server go in the LAN or the DMZ? And, if in the DMZ, then how should VPN-connected clients access LAN resources (e.g. a Samba share or Windows remote desktop)?

(I know that this should be a basic question, but I have spent a lot of time searching the web, and it appears that most people recommend to put the VPN server in the DMZ. However, it is not clear to me how one could access resources in the LAN from the VPN server without compromising the security principles of having a DMZ in the first place.)

Any responses would be much appreciated!

Edit: I cannot find any quality explanation about how to proceed on the web. Another suggestion (http://www.antionline.com/showthread.php?228254.html) is to put the VPN server in parallel to the firewall. To me, this sounds even worse than port forwarding into the LAN itself.

Best Answer

Your answer is in your question:

if in the DMZ, then how should VPN-connected clients access LAN resources...

Depending on what your goal is...

Putting VPN in your DMZ is something stupid as your DMZ is an advanced internet zone in your architecture.

Putting VPN in your LAN implies that you know what you do.

You could even build a kind of DMZ bis which has limited, monitored and controlled access to your LAN and which is not reachable from the Internet. This requires such an advanced firewall or two cascaded firewalls.
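As an added example (not from the question, the answer, or Smoothwall's own configuration), the "DMZ bis" idea written as an nftables ruleset for a generic Linux forwarding firewall: the Internet may reach only the OpenVPN listener in the VPN zone, tunnel clients may reach only Samba on one file server and RDP on one terminal server in the LAN, the VPN host itself may never initiate into the LAN, and every other cross-zone packet is logged and dropped. Interface names, subnets and host addresses in the comments are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not Smoothwall's configuration. Assumed layout:
#   eth0 = Internet (red), eth1 = LAN (green), eth2 = VPN zone ("DMZ bis")
#   VPN host 10.30.0.2 on 10.30.0.0/24; OpenVPN hands clients 10.8.0.0/24
#   LAN 192.168.1.0/24; Samba server 192.168.1.10, RDP host 192.168.1.20
# The LAN and the firewall need a route to 10.8.0.0/24 via the VPN host.
WAN_IF=eth0; LAN_IF=eth1; VPN_IF=eth2
VPN_HOST=10.30.0.2; TUN_NET=10.8.0.0/24
SMB_SRV=192.168.1.10; RDP_SRV=192.168.1.20

# Emit the ruleset as text so it can be reviewed or diffed before loading.
vpn_zone_ruleset() {
    cat <<EOF
flush ruleset
table inet fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Internet may reach only the OpenVPN listener in the VPN zone.
    iifname "$WAN_IF" oifname "$VPN_IF" ip daddr $VPN_HOST udp dport 1194 accept
    # Tunnel clients (routed through the VPN host) reach two LAN services only.
    iifname "$VPN_IF" oifname "$LAN_IF" ip saddr $TUN_NET ip daddr $SMB_SRV tcp dport 445 accept
    iifname "$VPN_IF" oifname "$LAN_IF" ip saddr $TUN_NET ip daddr $RDP_SRV tcp dport 3389 accept
    # The VPN host itself must never open connections into the LAN; log the attempt.
    iifname "$VPN_IF" oifname "$LAN_IF" log prefix "vpnzone->lan denied: " drop
    # Anything else crossing zones (including Internet -> LAN) is logged and dropped.
    log prefix "fw forward denied: " drop
  }
}
EOF
}

# Number of accept rules: a quick check that the cross-zone policy stays minimal.
accept_rule_count() { vpn_zone_ruleset | grep -c ' accept$'; }

# Load the ruleset when run as root with nft available; otherwise print it for review.
apply_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
        vpn_zone_ruleset | nft -f -
    else
        vpn_zone_ruleset
    fi
}
```

Call `apply_ruleset` as root to load it, or as an unprivileged user to print it for review.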