So I’m trying to set up a Pritunl cluster in our new environment that has VLAN segments for production and dev, and I’m having trouble figuring out how to set everything up to work. Hopefully my explanation makes sense.
This is the simplified version of our config (we have an Enterprise license):
- VLAN 10 - Production (10.0.10.0/24)
- VLAN 20 - Admin VPN (10.0.20.0/24)
- VLAN 30 - Dev (10.0.30.0/24)
- VLAN 40 - Dev VPN (10.0.40.0/24)
We have two VPN servers, one is using a subnet on VLAN 20 (10.0.20.128/24), and the other is on VLAN 40 (10.0.40.128/25). We then have two host machines running Pritunl, and we would like both VPN servers to be accessible on both hosts for resiliency and balancing. They share the same MongoDB server. The hosts themselves are currently running within VLAN 20 and 40 for Admin and Dev (respectively) and assigned an IP on that subnet. The Admin VLAN has access to all other VLANs. The Dev VLAN only has access to the Dev VLANs. For simplicity, each VPN server routes all VLAN subnets over the connection (since they have to be restarted if there are changes), and the switches and firewall handle the access to the other VLANs.
```
          Firewall
         ____/ \____
        |           |
   vpnhost01    vpnhost02
  (10.10.20.5)  (10.10.40.5)
        |           |
         ----\ /----
           MongoDB
```
In order to allow each VPN server to run on each host, it seems like I need to assign an interface to each host from each VPN VLAN (20 and 40) so the VPN subnets are routable to the rest of the network. However, that ends up giving the Dev VPN connections access to the production VLANs because the traffic can traverse the VPN through the VPN host and through its default gateway (which on vpnhost01 is on the Admin VLAN).
For example: A Dev VPN client tries to access 10.0.10.50 (VLAN 10, should be blocked)
Client → Dev VPN → vpnhost01 → default gateway (10.10.20.1) → 10.0.10.50 (allowed because VLAN 20 is trusted).
Is the only way to handle this to only route the specific subnets that each VPN server should access? Hopefully that’s not the case, since the Dev VLAN will need access to some parts of some VLANs, but not the entire subnet. Obviously I could get crazy with firewall rules on the VPN host, but that seems messy.
Also, if I have a dual VPN host set up like this that runs replicated servers, can I not use NAT on the routes? Since non-NAT traffic requires a static route on the firewall to push the VPN subnet back to the correct VPN host, I can only make it go to one specific host. If someone connects to vpnhost01, the static route for the VPN subnet in the firewall needs to point to vpnhost01 (10.10.20.5), but then it won’t work for vpnhost02.
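The routing leak described in the post (a Dev VPN client's packet leaving vpnhost01 through the default gateway on the Admin VLAN) comes down to one fact: the host has a single default route, and that route points at the trusted side. The model below, which is an added example and not part of the post or of Pritunl, reproduces that decision with a small longest-prefix-match lookup, then shows the usual containment: a source-based policy rule that sends anything sourced from the Dev VPN subnet through a second routing table whose default gateway is on the Dev VLAN, so the Dev-side firewall policy applies instead of the Admin-side one. Interface names (`eth0`, `eth1`, `tun-admin`, `tun-dev`), gateway addresses `10.0.20.1` / `10.0.40.1`, and the `/25` size of both VPN subnets are assumptions, chosen to match the VLAN list in the post rather than the `10.10.x.x` addresses in the diagram.

```python
"""Model of the routing leak described in the post and a source-based
policy-routing fix.  Constructed example: interface names, gateway
addresses and the /25 VPN subnets below are assumptions, not values
taken from the post."""
import ipaddress

# vpnhost01 as described: one leg on VLAN 20 (admin), one on VLAN 40 (dev),
# one tun interface per Pritunl server, default route via the admin gateway.
# Route = (prefix, next_hop or None when directly connected, interface)
MAIN_TABLE = [
    ("10.0.20.0/24",   None,        "eth0"),       # VLAN 20 leg (assumed name)
    ("10.0.40.0/24",   None,        "eth1"),       # VLAN 40 leg (assumed name)
    ("10.0.20.128/25", None,        "tun-admin"),  # Admin VPN clients (assumed /25)
    ("10.0.40.128/25", None,        "tun-dev"),    # Dev VPN clients
    ("0.0.0.0/0",      "10.0.20.1", "eth0"),       # default via admin gateway (assumed)
]

# A second table that only knows the dev side of the network.
DEV_TABLE = [
    ("10.0.40.0/24",   None,        "eth1"),
    ("10.0.40.128/25", None,        "tun-dev"),
    ("0.0.0.0/0",      "10.0.40.1", "eth1"),       # default via dev gateway (assumed)
]

# Policy rules in priority order: (source prefix or None for any, table).
# Linux semantics: if the selected table has no matching route, fall through.
NO_PBR = [(None, MAIN_TABLE)]
WITH_PBR = [("10.0.40.128/25", DEV_TABLE), (None, MAIN_TABLE)]


def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, dev)
    return None if best is None else (best[1], best[2])


def egress(rules, src, dst):
    """Apply policy rules to pick a table, then route dst in that table."""
    src = ipaddress.ip_address(src)
    for src_prefix, table in rules:
        if src_prefix is None or src in ipaddress.ip_network(src_prefix):
            hit = lookup(table, dst)
            if hit is not None:
                return hit
    return None


def leaks_to_production(rules, src="10.0.40.200", dst="10.0.10.50"):
    """True if a dev VPN client's packet leaves via the trusted admin leg."""
    hit = egress(rules, src, dst)
    return hit is not None and hit[1] == "eth0"


def linux_commands():
    """ip(8) configuration equivalent to WITH_PBR (assumed names/addresses)."""
    return [
        "ip route add 10.0.40.0/24 dev eth1 table 40",
        "ip route add 10.0.40.128/25 dev tun-dev table 40",
        "ip route add default via 10.0.40.1 dev eth1 table 40",
        "ip rule add from 10.0.40.128/25 lookup 40 priority 100",
    ]


if __name__ == "__main__":
    for name, rules in (("no PBR", NO_PBR), ("with PBR", WITH_PBR)):
        nh, dev = egress(rules, "10.0.40.200", "10.0.10.50")
        print(f"{name}: dev client -> 10.0.10.50 exits {dev} via {nh} "
              f"({'leak' if leaks_to_production(rules) else 'contained'})")
```

With the policy rule in place the Dev VPN prefix can never leave vpnhost01 through the Admin leg, whatever routes Pritunl pushes to clients, so the per-subnet access decisions stay on the firewall where the post wants them. The same rule set works unchanged on vpnhost02, which also answers the second question in part: a source-based rule is keyed on the VPN subnet, not on which host the client happened to land on.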