1) Not built into OpenVPN, but it would be reasonably easy to write a small
script that would ping (or some other latency-measuring, hop-measuring, or
something-else-measuring method) all the servers and then construct an
openvpn config file snippet to be included in the main openvpn config.

2) That's already how certificates work.  You shouldn't need to synchronize
anything other than your CA certificate and, periodically, your CRL.  If
you want to *issue* certificates from different places, then you'd need to
have a CA hierarchy, but that's a matter of building your CA to suit your
needs.  Any good reference on X.509 PKI will likely tell you more than you
ever wanted to know about this subject.  But if you build it right, any
certificate issued from one of your CAs should be recognized as valid
throughout your organization instantly, with no synchronization needed, and
should be able to validate all of your servers.

3) Once again, this isn't something that could be done within OpenVPN
itself, but if you're already going to write a script for #1, it'd be
fairly easy to add some logic to exit out if your IP address is within a
list of ranges.

Hope this is helpful!

-Joe
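Joe's points #1 and #3 describe a small helper script rather than anything OpenVPN does itself. The following Python sketch is an added example (not Joe's code, and not anything from the OpenVPN project) that does both jobs: it probes each server, writes a `remote host port proto` line into a snippet file that the main client configuration can pull in with the `config` directive, and exits without writing anything when one of the machine's own addresses already sits inside a configured office LAN range. The hostnames, ports and LAN ranges are constructed placeholders; the ping probe is a crude wall-clock measurement of the OS `ping` command, and `probe` is a parameter so that any other latency or hop-count measurement (or a fake one for testing) can be substituted.

```python
import ipaddress
import socket
import subprocess
import sys
import time

# Constructed example inventory: these hosts and ranges are placeholders,
# not values taken from the original thread.
SERVERS = [
    ("vpn-hq.example.invalid", 1194),
    ("vpn-eu.example.invalid", 1194),
    ("vpn-apac.example.invalid", 1194),
]
OFFICE_LAN_RANGES = ["10.10.0.0/16", "192.168.50.0/24"]  # constructed


def ping_probe(host, timeout_s=2):
    """Crude latency estimate: wall-clock time of one echo via the OS ping command.
    Returns seconds, or None when the host did not answer. Any other
    measurement (TCP connect time, hop count, ...) can replace this."""
    flag = "-n" if sys.platform.startswith("win") else "-c"
    start = time.monotonic()
    try:
        rc = subprocess.run(
            ["ping", flag, "1", host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout_s + 1,
        ).returncode
    except (OSError, subprocess.TimeoutExpired):
        return None
    return time.monotonic() - start if rc == 0 else None


def pick_fastest(servers, probe, attempts=3):
    """Probe every (host, port) a few times and return the pair with the
    lowest best-of-N latency; None when nothing answered."""
    results = {}
    for host, port in servers:
        samples = [s for s in (probe(host) for _ in range(attempts)) if s is not None]
        if samples:
            results[(host, port)] = min(samples)
    if not results:
        return None
    return min(results, key=results.get)


def render_remote_snippet(best, proto="udp"):
    """One 'remote' directive for the chosen server, ready to be included
    from the main client config via the 'config' directive."""
    host, port = best
    return f"remote {host} {port} {proto}\n"


def on_office_lan(local_addresses, ranges):
    """True when any local address falls inside one of the office LAN ranges."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return any(ipaddress.ip_address(a) in n for a in local_addresses for n in nets)


def local_ipv4_addresses():
    """Best-effort list of this host's IPv4 addresses (assumption: resolving
    the local hostname is good enough; a production script would enumerate
    interfaces instead)."""
    try:
        infos = socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def choose(local_addresses, servers, probe, ranges=OFFICE_LAN_RANGES):
    """Decide what to do: ('skip', reason) when already on an office LAN or no
    server answered, otherwise ('connect', snippet_text)."""
    if on_office_lan(local_addresses, ranges):
        return ("skip", "already on an office LAN")
    best = pick_fastest(servers, probe)
    if best is None:
        return ("skip", "no server reachable")
    return ("connect", render_remote_snippet(best))


def main(snippet_path="fastest-server.conf"):
    action, detail = choose(local_ipv4_addresses(), SERVERS, ping_probe)
    if action == "skip":
        print(f"not connecting: {detail}")
        return 1
    with open(snippet_path, "w") as fh:
        fh.write(detail)
    print(f"wrote {snippet_path}: {detail.strip()}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it before the OpenVPN service starts (or from a scheduled task), and have the main client config include the snippet with `config fastest-server.conf`; a non-zero exit is the signal to leave the service stopped.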

On Mon, Oct 2, 2017 at 10:36 AM Theo Fokkema <t...@goliathgames.nl> wrote:

> Hi all,
>
> My first post to this list.
> A brief introduction, I am a sysadmin for a medium-sized company with a
> small dozen smaller and larger offices spread over the globe.
> Some years back I worked for a company that put Linux servers in place in
> offices with Windows workstations and back then I started using OpenVPN. I
> fell for its capability to do bridged networking and to run as a Windows
> service, completely transparent, so end users didn't have to do a lot of
> clicks to end up on the office network, log on to the domain, access
> internal systems, printers etc.
>
> For my current employer I have deployed OpenVPN on Windows laptops for the
> same reasons. But as this is a larger scale operation, I run into some
> questions. I hope to find some ideas or answers here, as I can't find
> anything pointing me in the right direction in the manual or the FAQ.
>
> 1. I'd like to set up an OpenVPN server in each country office. All
> country offices have LAN-to-LAN connectivity with HQ and some also with
> their neighbouring countries' office (through different means). We have a lot
> of travelers with laptops who visit different countries.
> Is there a way to provide OpenVPN with a list of servers, then have it
> determine which one is responding fastest (by measuring ping time for
> example?) and then connect to that server - and all of this without the
> user having to do a manual selection like choosing between different
> OpenVPN config profiles?
>
> 2. Is there a way to have different OpenVPN servers share (or synchronize)
> the same certificates so we only have to create one certificate for each
> user to have access to all our OpenVPN servers worldwide? Or entirely
> validate through Active Directory only (probably combined with a single
> certificate)?
>
> 3. I'd like to set up the laptops so that the OpenVPN service always connects
> automatically. This would provide a transparent user experience from each
> internet connection. But is there a way to prevent OpenVPN from connecting
> when the users are at their home office or one of our other country
> offices? They have an IP address on the LAN then, in the same range that
> they would get as when their OpenVPN service connects to the bridge. This
> means that when connected to the LAN, the machines would get a double IP
> address in the same range, which is not necessary and may lead to IP
> address depletion on the DHCP server in the larger offices. How do I
> prevent OpenVPN from connecting when it's already 'home'/set it to connect
> only when the machine has a public IP address (or a private IP address on a
> different network)?
>
> Alternatively, we could offer only an internet connection on our office
> LAN and make the entire LAN connection through an always-on OpenVPN, but
> I'm afraid that it would make things as slow as the internet connection is
> (which would not work well for things like rapid file server access) and
> make the OpenVPN server a single point of failure for the entire LAN. It
> would help to keep guest laptops that get plugged in off our LAN though...
>
> Any ideas, experience, alternatives, scripts etc. are very welcome.
>
> Best regards,
>
> Theo Fokkema
> Digital Plumber
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>