Client VPN vs site-to-site VPN for services communication?

Hi, I need to set up a connection to an external service from a third party via a VPN connection. They have provided me with the required files to create a client connection via OpenVPN, but so far I’ve always dealt with this kind of situation with a site-to-site VPN connection, so I was wondering:

  • What would be the difference between using one solution over the other? As far as I understand, I could always create the client as a separate service on my network to work as a proxy so I can scale the other service up or down easily. But in this case it would work similarly to what a site-to-site connection provides. So, is there anything that I need to be careful with when using this solution?
  • From the server perspective it seems easier to manage as they would only need to provide the configuration files to clients without having to deal with their specific network settings.
  • Is there any security implication in doing it this way?

Thanks.

Site-to-site VPN: always-on connection, no user authentication besides a pre-shared key or cert for the tunnel itself.

Client SSL VPN: user authentication, so you can audit. Can control access based on user, on-demand VPN so it’s not always on. This is always the best option if it’s just users accessing equipment.

Obviously if it’s a machine to machine connection then you’ll need site-to-site VPN.

Site to site IPSEC: implicit trust sans static firewall rules, not a lot of insight beyond layer 4.

Client VPN: varies between implementations but with newer ones like Forticlient or Appgate, you can bring in all kinds of contextual, explicit trust to your apps.

Based on that alone, we’re shifting our own infra to be accessible only through the remote VPN. I’d highly recommend it.

If it’s a permanent link between two non-mobile devices then I’d use WireGuard or IKEv2/IPsec (routed mode / VTI style).

If it’s from something that connects and disconnects then OpenVPN might be good. But I’d tend not to use it for a nailed up connection. That said it will probably work for you.

Do your users already have a client VPN to access company resources? From an IT perspective, having your users have 2 client VPNs and switching between them is cringe. S2S is better in this scenario.

That was my understanding, but I’m not sure this is something I can force on the provider. So is there any specific constraint that prevents me from using the client VPN as a proxy?

It will always be my service calling theirs so no need for them to keep the connection always on (even though it will always be as long as the proxy is running). From the point of view of the server, there is only one client, irrespective of whether there are several machines behind a proxy from the client side. And the authentication is done via user authentication vs a pre-shared-key so they still know who is connected to their system.

Ok, I didn’t know that. So based on that, you would rather use a client VPN than a site-to-site VPN for every machine-to-machine communication where it’s always the client that starts the connection?

No, there is no other VPN in use at the moment. The connection needs to be made between a service in a public cloud and this third-party service, which I don’t know where it is deployed. Its only use is for machine-to-machine communication.

If the provider is saying to use Client VPN, then there’s nothing wrong with that. It’s not any different than you using a VPN to connect to work remotely.

Why is a VPN needed to access their service?

Absolutely. Yes it seems like more overhead, but it allows for substantially more granularity in your security posture. All the newer ZTNA clients can even check for things like having the most up to date AV definition, geolocation, and other metrics.

Security requirement. I don’t know the details; I’m not the one dealing with the service. Maybe they don’t even have an SSL certificate configured for their endpoints, expecting everything to be private.

Good to know. Thanks!