Advice on openvpn deployment

[dave_r12]

Hi, I'm planning to deploy OpenVPN. I think its a fairly simple use case: field workers need to connect to their desktop when they are out of the office. They will connect using Remote Desktop on Windows machines. The office network looks like: Linux Server acting as firewall, and a small LAN.

I believe I've come up with 2 possible ways of doing this, and I'm wondering if others may have some feedback on what I'm proposing

Scenario #1: Setup an OpenVPN server on each of the client machines (only 3 or 4) on the local LAN. Setup port forwarding on the firewall so that incoming requests for their respective ports are forwarded to local LAN ip. I would use the TUN interface in this case.

Scenario #2: Setup OpenVPN on the Linux machine. In this case, I'd have to set it up with TAP so the field workers could see other computers on the network. Then, they would just use the IP address of their computer on the local LAN.

I'm still not sure I entirely understand the TUN/TAP concept. Any advice would be appreciated, Thanks

[maikcat]

tap devices are layer2 devices ,meaning that you can use tap device to do bridging
tun devices are layrer3 devices .meaning that you can use them only for routing scenarios..

i recommend you use routing in your vpn.

Michael.

[dave_r12]

Thanks for the reply Michael.

Just to follow up, what are your thoughts on deploying an OpenVPN server to individual client machines? I'm only anticipating a few machines, and it won't be scaling up anytime soon.

Also, if I were to set up the OpenVPN server on the linux machine, and I used routing, is it possible for each client to remote desktop into their own machines? For example, User A has machine at 192.168.1.10 and User B has machine at 192.168.1.18. Once they connect to the VPN, can I have them both remote in to their own machine? I'm guessing I'd have to set up some forwarding rules in iptables?

[maikcat]

if you have 2 pcs inside your lan which are needed to be accessible from openvpn clients
it is very easy to accomplish this by using routing scenario.

my suggestion is to use certificates.

ps: the only downside/problem you might face is if your local lan has common used ip range (fe 192.168.1.0).

Michael.

[dave_r12]

Ok, thanks. I'm not sure I entirely understand all of what you said, but I'll continue working on it and post back if I run into any issues

[dave_r12]

Hi, I just wanted to follow up after I got my deployment working.

Michael, the routing worked as you described, and it actually turned out to be a fairly straight forward process to configure.

Thanks again

[maikcat]

glad to helped you out.

closing topic.

Michael.