There is such a wealth of knowledge and personal experience on this list that I'd like to get your opinions on our current situation.
Currently, we have a simple tri-homed firewall with the internal network on one interface, the dmz on another, and the dirty internet on the last. Also, there is a spare interface on the box which is unused. We use CentOS and manually maintain our rule sets and routes since it's not really that complex.
I'd like to setup a vpn connection between our office and a remote office, as well as, allow remote users to vpn into there desktops and map samba shares. I would prefer to tie in the openvpn software with our internal openldap server. Our dmz is currently not in use at all but will be soon, hosting our software. Having said all of this, what insights do you have for the following:
1. What are your recommendations for where the vpn (openvpn on linux) appliance should reside? In the dmz? Internally and configure the firewall to allow (and nat) vpn connections? On the unused interface in a different dmz than our hosting software? Somewhere else?
2. Should I abandon the single firewall approach and instead use two firewalls in a more traditional setup (gateway firewall -> dmz -> internal firewall)? If so, where should the vpn appliance go?
I'll probably have more questions based on your answers and I look forward to the responses. Thanks.