Setting up a VPN channel inside a FreeBSD jail

[CougTek]

We are looking to part with our servers and send a bunch of them at a remote location with better electrical and cooling redundancy than what we can implement in our offices. We'll need to setup a VPN access between the servers at the remote location and the few we'll keep in our offices. We are debating about buying two specialized Smoothwall devices or setting up a VPN on two servers.

I've been reading a little on the subject. Setting up a VPN channel between two FreeBSD jails at each locations seems like an interesting possibility. Of course, I currently have absolutely no idea how to do it, but that's trivial. From what I read, FreeBSD's jails work more or less like Solaris' zones, which I'm starting to be familiar with. I know FreeBSD isn't as secured as OpenBSD can be, but jails aren't supported in OpenBSD so this one is out of the game (I want to do other stuff on these server as having an entire server dedicated solely to the VPN would make no sense versus using a dedicated (and way cheaper) box like those Smoothwall toys. The main advantage of setting up the VPN in a jail is, in my view, that I can use the sesrver for other applications too, as long as they are operating in other jails.

What's your opinions on the subject? Would it be a too high security risk to setup a VPN channel like this or would it be fine, compared to going the Smoothwall box way?

 

[ddrueding]

I can't comment on the FreeBSD stuff, but if redundancy is really important, you'll want at least two different forms of internet connection at your end and a VPN link that can hop between them. For this kind of thing I use FatPipe equipment at either end; capable of redundancy and load balancing across multiple connections with the same link. I know that they just have a fancy FreeBSD build inside their very expensive boxes, but it is worth it to me to have them take care of it.

 

[Howell]

I would prefer a dedicated box for this task.

 

[Handruin]

A dedicated box would be my preference also. If you need to save money and make things work with what you have then I get it. However, for reliability and redundancy a dedicated box (or two) would be of great service much like David suggested. Calculate what it will cost to be down per hour and then give those numbers to the bean counters. Presenting both solutions and their cost/risk benefit is a responsible approach. You did the work and covered your ass and the companies ass by risk assessment even if they pick the cheaper option.

 

[Chewy509]

What H said...

For VPN endpoints, (or any other world viewable box) I tend to prefer a separate box. (Keep all your external and internal boxes separate).

 

[CougTek]

Thanks all for your input.

Why would a dedicated box be more reliable than a well configured jail/zone/VM? In case something working in the global zone requires a reboot? Very unlikely in this case.

 

[Chewy509]

Not really more reliable (as that would be dependent on the underlying hardware), more about security, load balancing (between all OS instances) and separation of concerns.

Boxes open to the wide world tend to get beaten up a bit (either attacks, ddos, etc), and you don't want you internal services affected by this. While technically nothing wrong with it, I wouldn't want my firewall/vpn/web server host also hosting internal services (even if they are inside Jails/Zones).