Move VPN server to dedicated VM
The VPN capability of the UniFi Security Gateway is extremely limited. It does not support road-warrior IPsec/IKEv2 configuration, and its OpenVPN configuration is inflexible. As with DHCP, the best solution is to simply move service to another machine. To that end, I created a new VM, *vpn0.pyrocufflink.blue*, to host both strongSwan and OpenVPN. For this to work, the necessary TCP/UDP ports need to be forwarded, of course, and all of the remote subnets need static routes on the gateway, specifying this machine as the next hop. Additionally, ICMP redirects need to be disabled, to prevent confusing the routing tables of devices on the same subnet as the VPN gateway.
@@ -1,3 +1,3 @@
backend openvpn
mode tcp
server openvpn 172.30.0.1:9876 check
server openvpn 172.30.0.2:9876 check
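Review bot: the rendered hunk has lost its `+`/`-` markers, so it is not visible which of `server openvpn 172.30.0.1:9876 check` and `server openvpn 172.30.0.2:9876 check` is the old entry and which is the new one; a short comment above `backend openvpn` naming the host behind the address (the commit message calls it *vpn0.pyrocufflink.blue*) would make the cutover auditable from the config alone. Note also that `check` under `mode tcp` is only a TCP connect probe to port 9876, so it confirms the port accepts connections and nothing about the OpenVPN service behind it; if the old server line is being replaced rather than kept as a `backup`, there is no fallback target left in this backend during the move.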