VPN server location in network best practice

Question

Is there a best practice with respect of where to set up a VPN server which is designed to facilitate access to a corporate network, and why?

Historically I've set the VPN up on the gateway/core router, however I understand it is now common practice to set up a VM for the server.

Looking at the security aspect of and risk of a compromise, is it reasonable to assume that site-to-site VPNs which share the same level of access can be on routers using a preshared key while user to site VPNS should be on aVM using public/private key technogy?

If it makes a difference the preferred VPN technology is OpenVPN.

Answer 1

I totally agree with @Cristian Matthias Ambæk in terms of having the server setup behind a firewall. In general public facing services should be placed inside a Demilitarized Zone (DMZ) to prohibit (direct) access to your server or client LAN from the internet.

Depending on the size of company you refer to it might be reasonable to dedicate certain hardware to perform virtualization inside the DMZ (dedicated Server). Doing so eliminates the risk of a compromised VM located on DMZ hardware gaining access to production VMs by taking over the hypervisor.

I am not sure what you try to state within your third paragraph. Do you think that a remote access VPN is more likely to be attacked as opposed to a site-to-site VPN? Alternatively, are you thinking about IPSec for site-to-site VPN and OpenVPN (which uses TLS) for remote access? Nevertheless, I would recommend you to use PKI for your site-to-site VPN as well or use very long PSK to improve security.