Hi all,

My first post to this list. 
A brief introduction, I am a sysadmin for a medium-sized company with a small 
dozen smaller and larger offices spread over the globe.
Some years back I worked for a company that put Linux servers in place in 
offices with Windows workstations and back then I started using OpenVPN. I fell 
for its capability to do bridged networking and to run as a Windows service, 
completely transparent, so end users didn't have to do a lot of clicks to end 
up on the office network, log on to the domain, access internal systems, 
printers etc.

For my current employer I have deployed OpenVPN on Windows laptops for the same 
reasons. But as this is a larger scale operation, I run into some questions. I 
hope to find some ideas or answers here, as I can't find anything pointing me 
in the right direction in the manual or the FAQ.

1. I'd like to set up an OpenVPN server in each country office. All country 
offices have LAN-to-LAN connectivity with HQ and some also with their 
neighbouring countries' offices (through different means). We have a lot of 
travelers with laptops who visit different countries.
Is there a way to provide OpenVPN with a list of servers, then have it 
determine which one is responding fastest (by measuring ping time for example?) 
and then connect to that server - and all of this without the user having to do 
a manual selection like choosing between different OpenVPN config profiles?

2. Is there a way to have different OpenVPN servers share (or synchronize) the 
same certificates so we only have to create one certificate for each user to 
have access to all our OpenVPN servers worldwide? Or entirely validate through 
Active Directory only (probably combined with a single certificate)?

3. I'd like to set up the laptops so that the OpenVPN service always connects 
automatically. This would provide a transparent user experience from each 
internet connection. But is there a way to prevent OpenVPN from connecting when 
the users are at their home office or one of our other country offices? They 
have an IP address on the LAN then, in the same range that they would get 
when their OpenVPN service connects to the bridge. This means that when 
connected to the LAN, the machines would get a double IP address in the same 
range, which is not necessary and may lead to IP address depletion on the DHCP 
server in the larger offices. How do I prevent OpenVPN from connecting when 
it's already 'home'/set it to connect only when the machine has a public IP 
address (or a private IP address on a different network)?

Alternatively, we could offer only an internet connection on our office LAN and 
make the entire LAN connection through an always-on OpenVPN, but I'm afraid 
that it would make things as slow as the internet connection is (which would 
not work well for things like rapid file server access) and make the OpenVPN 
server a single point of failure for the entire LAN. It would help to keep 
guest laptops that get plugged in off our LAN though...

Any ideas, experience, alternatives, scripts etc. are very welcome.

Best regards, 

Theo Fokkema
Digital Plumber

