My network is divided into a trusted LAN and an untrusted VLAN. The trusted network hosts all devices and systems that I have full control over (meaning I have root access and can verify they are clean), while the untrusted network is a new addition specifically for untrusted devices, meaning any appliance over which my control is limited. I set this up specifically for my new smart TV; I can't root it, so I can't really control it, but I won't let it spy on me or become a potential security hazard for my other systems.
I have decided that I would like to set up a VPN proxy on the untrusted network so that I can route all traffic on that network out through a single VPN connection.
I have already set up a Raspberry Pi Pi-hole DNS server on my network. This server can be accessed from the trusted network on port 53 and on port 22 (so that I can remotely manage it), and from the untrusted network only on port 53, so that the untrusted network can only talk to it for DNS.
My choices for how to set up this VPN proxy are two:
(1) I can open up access from the untrusted VLAN to the Raspberry Pi and use it as both DNS for the entire network and as VPN proxy for the untrusted network, or
(2) I can procure another Raspberry Pi, configure it to reside only on the untrusted network (no connection at all to the trusted network), and let it be the dedicated VPN proxy.
Choice 1 allows traffic from untrusted devices that are potentially hacked or owned into a Linux-based device that has access to my trusted network.
Choice 2 denies this sort of access, at the expense of more hardware and hence more support requirements for the network.
Presently, of course, traffic from both networks does flow through my router. But that router is a simplewan and, given how it is hardened, I doubt it is vulnerable to an attack from the LAN or the untrusted VLAN.
I am not so sure, however, that the Raspberry Pi (Debian-based) is so secure. But maybe I am being a bit too cautious about it.
I am not willing to go to the effort of hardening the Raspberry Pi beyond setting up appropriate iptables rules; there are many other things I would much rather spend my time doing.
What would you do? Choice 1? Or choice 2?
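The port policy the question describes for the Pi-hole (DNS on 53 from both networks, SSH on 22 from the trusted LAN only, everything else dropped and logged), as an added example that is not part of the original post; the subnets are assumed placeholders, and the script only previews the rules unless called with `apply`:

```shell
#!/bin/sh
# Assumed subnets (constructed for this example; adjust to your VLANs).
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"
UNTRUSTED_NET="${UNTRUSTED_NET:-192.168.10.0/24}"

# Emit the IPv4 INPUT-chain rules for the Pi-hole host.
# Without an argument the rules are only echoed (dry run);
# "apply" runs them with iptables (requires root).
pihole_rules() {
  mode="${1:-preview}"
  while IFS= read -r rule; do
    [ -z "$rule" ] && continue
    if [ "$mode" = "apply" ]; then
      # shellcheck disable=SC2086  # word splitting is intended here
      iptables $rule
    else
      echo "iptables $rule"
    fi
  done <<EOF
-P INPUT DROP
-P FORWARD DROP
-F INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $TRUSTED_NET -p udp --dport 53 -j ACCEPT
-A INPUT -s $TRUSTED_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -s $UNTRUSTED_NET -p udp --dport 53 -j ACCEPT
-A INPUT -s $UNTRUSTED_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -s $TRUSTED_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix pihole-drop:
-A INPUT -j DROP
EOF
}

# Preview by default; run "sh this_script.sh apply" to install the rules.
pihole_rules "$1"
```

The same policy is needed for IPv6 (ip6tables) if the VLANs carry it; the logged drops are what you watch for attempts from the untrusted VLAN to reach anything but DNS.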