VPN into closed DMZ?

I want to provide secure access for software developers from Red into the Orange DMZ.
I will need to use a dynamic DMS.
I do not want to expose the DMZ to public access. Occasionally I may want to provide selective access to an individual to interact with a WUI (password security) to a device running on the DMZ.

The aim is to minimise the risk of cross-infection by a virus. The devices in the DMZ will all be Raspberry Pi’s. No PC that might catch a virus. There will be no requirement for access from Red/Orange to Blue/Green. I will want access from Green to Orange.

I am thinking what if I could setup a OpenVPN for the developers that provides access to the DMZ only?
This would require closing public access to the DMZ. Is that possible?
Is it the best way?

I have setup OpenVPNs when I was running ipCop. I also setup a device in the DMZ running a WUI, with public access, password protected. I haven’t tried a VPN into a closed DMZ.


Hi @dazz.

I think there would be no problem doing it. I don’t see why not.

A “Static IP address pools” can be created to close the access to the dynamic OpenVPN but not for this pool.

Next, create firewall rules that prevent outside access to the DMZ.

Maybe someone has another opinion.


By default Orange is closed to access from Red. You have to create port forward rules if you want that access.
See the default Firewall rules

The IPFire OpenVPN connection into Orange will be allowed by the IPFire firewall rules for the OpenVPN connection automatically so you don’t have to do anything.

1 Like

When I used VPN with ipCop (quite a while ago), I recall it went straight into Green.
What I would like to do now is have VPN go to Orange, with no access to Green.
The aim is to ring fence the DMZ so if any viruses cross through the VPN, they don’t / can’t reach my Green network.

WUI–> OpenVPN–>Add–>Host-to-Net Virtual Private Network (RoadWarrior)–>Add–> Advanced client options


That looks exactly like what I want to do.