[KLUG Members] IPTABLES and VPN support

John Pesce pescej at sprl.db.erau.edu
Wed Apr 12 12:11:45 EDT 2006


Hello,

Note: I have no VPN experience.

I have a need to send streaming sensitive data over the internet to
another company. My initial thought is to use an encrypted VPN link.

I'm very concerned with security and protecting my internal network from
the computers on their side of the VPN link. I also have to prevent
anyone else from getting at the data.

Any suggestions on the most secure way of providing the data?

Is it safer to run a VPN client on my box and connect to their VPN
server or for them to connect to my VPN server?

If my box connected to their VPN, I assume Linux creates a new virtual
interface for the VPN tunnel. In which case I would need an IPTables
firewall on my box to only allow outbound connections over that VPN
interface and to DROP any inbound attempts from it.
Is this reasonable? Is the kernel and IPTables support for this kind of
thing stable? 
Anyone tried something like this?

I'm also considering them connecting to my VPN server. In which case I
believe they get an IP on my LAN? So I would need a firewall between my
VPN server and my boxes that provide the stream. The reason I'm
considering this is because I need a redundant system. If one of my
servers falls over, they need to connect to the secondary server.

If I'm connecting to them, like in the first case, I'm not sure how I
would detect that my primary box failed and start sending from a
secondary.

Any ideas?
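The firewall described in the first scenario (client on the sending box, only outbound traffic allowed over the tunnel interface, everything arriving from it dropped) as an added example; this is editor-supplied and not part of the original post. It assumes the tunnel interface is called tun0 (check `ip link` once the VPN is up), that the stream is TCP to one peer address and port (PEER_IP and STREAM_PORT are placeholder values), and that the kernel has connection tracking so replies to the box's own outbound connections can be distinguished from new inbound attempts:

```shell
#!/bin/sh
# Added example, not from the original post.
# Host-side iptables rules for a box that dials out over a VPN and must
# never accept connections from the far side of the tunnel.
# Assumptions (placeholders, adjust to your setup):
#   VPN_IF      - the virtual interface the VPN client creates (tun0 assumed)
#   PEER_IP     - the peer host that receives the stream (documentation range)
#   STREAM_PORT - the TCP port the stream is sent to
#   IPT         - the iptables binary; set IPT=echo to preview without applying
VPN_IF="${VPN_IF:-tun0}"
PEER_IP="${PEER_IP:-192.0.2.10}"
STREAM_PORT="${STREAM_PORT:-5000}"
IPT="${IPT:-iptables}"

# Emits (or applies) the rules. One "$IPT ..." call per rule so that
# IPT=echo prints exactly the commands that would be run.
vpn_rules() {
    # INPUT from the tunnel: only replies to connections this box opened.
    $IPT -A INPUT -i "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log new inbound attempts from the tunnel (rate limited), then drop
    # everything else that arrives on it.
    $IPT -A INPUT -i "$VPN_IF" -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "VPN-IN-DROP: "
    $IPT -A INPUT -i "$VPN_IF" -j DROP
    # Never route between the tunnel and the LAN in either direction,
    # so the far side cannot reach other machines through this box.
    $IPT -A FORWARD -i "$VPN_IF" -j DROP
    $IPT -A FORWARD -o "$VPN_IF" -j DROP
    # OUTPUT over the tunnel: the stream to the peer, replies to anything
    # already established, nothing else.
    $IPT -A OUTPUT -o "$VPN_IF" -p tcp -d "$PEER_IP" --dport "$STREAM_PORT" -j ACCEPT
    $IPT -A OUTPUT -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$VPN_IF" -j DROP
}

# Usage: "sh vpn_rules.sh preview" prints the rules; "sh vpn_rules.sh apply"
# installs them (run as root). Without an argument nothing is changed.
case "${1:-}" in
    apply)   vpn_rules ;;
    preview) IPT=echo; vpn_rules ;;
esac
```

The VPN's own control and transport traffic (for example an OpenVPN or IPsec session to the peer's public address) runs over the physical interface, not tun0, so these rules do not interfere with bringing the tunnel up; they only constrain what can pass once it is up. The FORWARD drops are what keep the rest of the LAN out of reach even if IP forwarding happens to be enabled on the box, and the LOG rule gives you a line in the kernel log to watch for any connection attempt coming back down the tunnel.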

