On Mon, May 23, 2022, 07:53 Dark Corner <darkcorner...@gmail.com> wrote:

> Guacamole is installed on a PC behind a Zyxel firewall.
> Users should connect to Guacamole via VPN and, once logged into Guacamole,
> log into their PC.
> However, the firewall cannot handle multiple VPNs. So, I wish to install
> OpenVPN, possibly on the same PC used for Guacamole.
> To access OpenVPN I would like to open a set of ports on the firewall to
> the Guacamole PC only, so that it is not necessary to use a VPN on the
> firewall.
>
> Do you have any suggestions in this regard?
>

I think it would be far better to not use the VPN at all. Putting a VPN in
front of it would just add unnecessary difficulty and complexity for users.

Part of the function of Guacamole is as a VPN replacement. It allows you to
allow users to connect to backend desktops securely and via a browser
without needing VPN at all. You should instead:

1) Allow direct access to the Guacamole server only, and only on ports 80
and 443.

2) Set up SSL termination such that access is properly encrypted and HTTP
traffic to port 80 is redirected to HTTPS at port 443.

3) Ensure via your firewall and network config that Guacamole is the sole
means of access to the desktops on the private network behind Guacamole.

You then have a single, centralized, monitored, and secured point of entry,
with access to any particular backend desktop only possible if the admin
grants that access.

- Mike
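An added example of the setup Mike's three steps describe, written for this page rather than taken from the thread or from the Guacamole project: nginx terminating TLS on 443, redirecting plain HTTP on 80 to HTTPS, and proxying to Guacamole on the loopback interface. It assumes Guacamole's Tomcat listens on 127.0.0.1:8080 (Guacamole's default), a hostname of guac.example.com, and placeholder certificate paths; all three are assumptions, not values from the mail. Steps 1 and 3 (exposing only 80/443 to the Guacamole host and making it the only path to the desktops) are rules on the Zyxel firewall and are outside this fragment.

```nginx
# Added example (not from the original mail): nginx in front of Guacamole.
# Assumed: Tomcat on 127.0.0.1:8080, hostname guac.example.com, cert paths
# are placeholders to be replaced with real ones.

# Step 2, first half: every request on port 80 is redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

# Step 2, second half: TLS is terminated here; Tomcat only ever sees
# loopback traffic, so port 8080 never needs to be reachable from outside.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/ssl/certs/guac.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/guac.example.com.key; # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Tell browsers to stop trying plain HTTP after the first visit.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        # Guacamole streams the remote desktop over a websocket; buffering
        # and HTTP/1.0 would break that, so disable one and force the other.
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # Guacamole sets its session cookie for /guacamole/; rewrite it so
        # it is sent back when the app is served from /.
        proxy_cookie_path /guacamole/ /;
        access_log off;
    }
}
```

With this in place the only listener the firewall should forward to the Guacamole host is 80 and 443; a quick check from outside is that a connection attempt to 8080 (and to RDP/VNC/SSH on the desktops themselves) is refused, which is exactly the "sole means of access" condition in step 3. Guacamole's own session log and nginx's error log then cover the single entry point Mike describes.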