Jan Just Keijser wrote on 02-10-2017 17:04:

2. Is there a way to have different OpenVPN servers share (or synchronize) the same certificates so we only have to create one certificate for each user to have access to all our OpenVPN servers worldwide? Or entirely validate through Active Directory only (probably combined with a single certificate)
yes. this is possible: you can have a single CA to hand out
certificates for all clients, or you can even create sub-CA's for each
office so that each office can hand out certificates which are then
trusted by all other offices.

What they mean is you wouldn't be validating against a single certificate or a certain known certificate.

Your client would accept all server certificates as valid that derive from a central CA, that you can be yourself.

Also, I'd recommend to put the VPN clients in a separate DHCP pool /
IP range, in which case it does not really matter if a laptop obtains
an extra IP address. That way, a laptop may receive a VPN IP address
but dependent on routing metrics the LAN connection would prevail.
If you need more control than this, then this would require a wrapper
around OpenVPN itself.

This is a great idea.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
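
Added example, not part of the original message or of OpenVPN itself: a sketch of the single-CA-with-office-sub-CAs layout described in the thread, built with the `openssl` command line. It shows that a peer trusting only the root accepts a client certificate from one office and a server certificate from another, and rejects a certificate from an unrelated CA. All names (`root`, `office-a`, `office-b`, `alice`, `vpn-b`, `other-ca`, `outsider`) are hypothetical, and the keys and certificates are constructed throwaway data.

```shell
#!/bin/sh
# Constructed demo PKI; every name here (root, office-a, alice, ...) is hypothetical.

# selfsign NAME: self-signed root CA certificate for NAME.
selfsign() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
        -extfile ext.cnf -extensions rootca -out "$1.crt" 2>/dev/null
}

# issue NAME SIGNER SECTION: new key + CSR for NAME, signed by SIGNER's key
# with the extension SECTION from ext.cnf.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 30 -extfile ext.cnf -extensions "$3" \
        -out "$1.crt" 2>/dev/null
}

# build_pki DIR: cd into DIR and create root -> two office sub-CAs -> leaves,
# plus an unrelated CA with its own leaf for the negative check.
build_pki() {
    mkdir -p "$1" && cd "$1" || return 1
    cat > ext.cnf <<'EOF'
[rootca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    selfsign root &&
    issue office-a root subca && issue office-b root subca &&
    issue alice office-a client && issue vpn-b office-b server &&
    selfsign other-ca && issue outsider other-ca client &&
    cat office-a.crt office-b.crt > offices.pem
}

# trusted LEAF PURPOSE: only root.crt is a trust anchor; the office sub-CAs
# are supplied as untrusted intermediates, so they must chain to the root.
trusted() {
    openssl verify -CAfile root.crt -untrusted offices.pem \
        -purpose "$2" "$1" >/dev/null 2>&1
}
```

To try it, run `build_pki "$(mktemp -d)"` and then, for instance, `trusted alice.crt sslclient`; the exit status is zero only when the chain reaches the root and the certificate's extended key usage matches the requested purpose.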
