2017-10-02 20:49 GMT+05:00 Xen <l...@xenhideout.nl>:
> Jan Just Keijser schreef op 02-10-2017 17:04:
>
>>> 2. Is there a way to have different OpenVPN servers share (or synchronize)
>>> the same certificates so we only have to create one certificate for each
>>> user to have access to all our OpenVPN servers worldwide? Or entirely
>>> validate through Active Directory only (probably combined with a single
>>> certificate)
>>>
>> yes. this is possible: you can have a single CA to hand out
>> certificates for all clients, or you can even create sub-CA's for each
>> office so that each office can hand out certificates which are then
>> trusted by all other offices.
>>
>
> What they mean is you wouldn't be validating against a single certificate
> or a certain known certificate.
>
> Your client would accept all server certificates as valid that derive from
> a central CA, that you can be yourself.
>
>> Also, I'd recommend to put the VPN clients in a separate DHCP pool /
>> IP range, in which case it does not really matter if a laptop obtains
>> an extra IP address. That way, a laptop may receive a VPN IP address
>> but dependent on routing metrics the LAN connection would prevail.
>> If you need more control than this, then this would require a wrapper
>> around OpenVPN itself.
>>
>
> This is a great idea.
I do not think so.
consider a "road warrior" with a laptop
1) when in office, usually you get 0.0.0.0/0 route, i.e. default
2) when connected via vpn, you get a bunch of routes via vpn and 0.0.0.0/0
via local ISP.
any non-default route will win because of the shorter network mask, no matter
what the routing metric is.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
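The route-selection behaviour discussed in the reply above (the most specific matching prefix is chosen first; the routing metric only breaks ties between routes of the same prefix length) can be reproduced with a small longest-prefix-match lookup. This is an added illustration, not code from the thread or from OpenVPN; the routing tables and addresses in it are constructed for the example, with 10.8.0.0/24 standing in for a separate VPN client pool and 10.0.0.0/8 for office LAN routes pushed by the server.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # outgoing interface, e.g. "lan" or "vpn"
    metric: int   # lower is preferred, but only among equal-length prefixes


def select_route(table, dst):
    """Longest-prefix match, then lowest metric, like a typical host routing table."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    # Sort key: longest prefix first (negated prefixlen), then lowest metric.
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def next_hop(dst, table):
    route = select_route(table, dst)
    return route.via if route else None


# Constructed table for a road-warrior laptop: default route via the local ISP
# with a good metric, VPN routes pushed by the server with a worse metric.
ROADWARRIOR_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "lan", 10),
    Route(ipaddress.ip_network("192.168.1.0/24"), "lan", 10),
    Route(ipaddress.ip_network("10.8.0.0/24"), "vpn", 100),  # separate VPN client pool
    Route(ipaddress.ip_network("10.0.0.0/8"), "vpn", 100),   # office networks via VPN
]

# Constructed table for the same laptop while in the office: the LAN now also
# covers 10.0.0.0/8 with the same prefix length, so the metric decides.
OFFICE_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "lan", 10),
    Route(ipaddress.ip_network("10.0.0.0/8"), "lan", 10),
    Route(ipaddress.ip_network("10.8.0.0/24"), "vpn", 100),
    Route(ipaddress.ip_network("10.0.0.0/8"), "vpn", 100),
]


if __name__ == "__main__":
    for dst in ("10.1.2.3", "8.8.8.8", "192.168.1.5"):
        print(f"road warrior: {dst} -> {next_hop(dst, ROADWARRIOR_TABLE)}")
    for dst in ("10.1.2.3", "10.8.0.7"):
        print(f"in office:    {dst} -> {next_hop(dst, OFFICE_TABLE)}")
```

Running it shows that on the road the /8 pushed by the VPN captures 10.1.2.3 even though its metric is ten times worse than the default route, while in the office the equal-length LAN route wins on metric. Keeping the VPN client pool in its own range (the 10.8.0.0/24 here) is what avoids overlapping prefixes in the first place.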