2017-10-02 17:01 GMT+05:00 Theo Fokkema <t...@goliathgames.nl>:
> Hi all,
>
> My first post to this list.
> A brief introduction, I am a sysadmin for a medium-sized company with a
> small dozen smaller and larger offices spread over the globe.
> Some years back I worked for a company that put linux servers in place in
> offices with Windows workstations and back then I started using OpenVPN. I
> fell for its capability to do bridged networking and to run as a Windows
> service, completely transparent, so end users didn't have to do a lot of
> clicks to end up on the office network, log on to the domain, access
> internal systems, printers etc.
>
> For my current employer I have deployed OpenVPN on Windows laptops for the
> same reasons. But as this is a larger scale operation, I run into some
> questions. I hope to find some ideas or answers here, as I can't find
> anything pointing me in the right direction in the manual or the FAQ.
>
> 1. I'd like to set up an OpenVPN server in each country office. All
> country offices have LAN-to-LAN connectivity with HQ and some also with
> their neighbouring countries' office (through different means). We have a lot
> of travelers with laptops who visit different countries.
> Is there a way to provide OpenVPN with a list of servers, then have it
> determine which one is responding fastest (by measuring ping time for
> example?) and then connect to that server - and all of this without the
> user having to do a manual selection like choosing between different
> OpenVPN config profiles?
>
I can think of two possibilities:
1) (in theory; I never had a chance to implement it) anycast hosting, the same
way the CDPs of most of the world's CAs work, i.e. the same network prefix is
announced via multiple internet exchanges (IXs). The user will pick the closest server.
2) (we have used this for 5+ years) set up several servers and distribute several
configs to your users. People like to choose something (for example, this
is what people usually do in a supermarket). It works; no issues for 5+ years.
>
> 2. Is there a way to have different OpenVPN servers share (or synchronize)
> the same certificates so we only have to create one certificate for each
> user to have access to all our OpenVPN servers worldwide? Or entirely
> validate through Active Directory only (probably combined with a single
> certificate)
>
> 3. I'd like to setup the laptops so that OpenVPN service always connects
> automatically. This would provide a transparent user experience from each
> internet connection. But is there a way to prevent OpenVPN from connecting
> when the users are at their home office or one of our other country
> offices? They have an IP address on the LAN then, in the same range that
> they would get when their OpenVPN service connects to the bridge. This
> means that when connected to the LAN, the machines would get a double IP
> address in the same range, which is not necessary and may lead to IP
> address depletion on the DHCP server in the larger offices. How do I
> prevent OpenVPN from connecting when it's already 'home'/set it to connect
> only when the machine has a public IP address (or a private IP address on a
> different network)?
>
There are things like
https://github.com/OpenVPN/openvpn-gui/issues/77
After it is implemented, you can connect to the LAN before login (probably
even using a computer certificate).
There are also things to think about: people like to use laptops and move
from the office to home and back. If they connect to the VPN from home, it is OK,
but if they connect from the office and you distribute routes via the VPN, those
routes will pollute the routing table.
First, we tried to block VPN connections from the office (using DNS). We got
many complaints ("my VPN indicates it does not work!"), so we installed fake
VPN instances; they work the same way as the real ones, but no routes are
distributed. People get redirected to them via the firewall when they connect
from the office.
It is far from perfect, actually.
>
> Alternatively, we could offer only an internet connection on our office
> LAN and make the entire LAN connection through an always-on OpenVPN, but
> I'm afraid that it would make things as slow as the internet connection is
> (which would not work well for things like rapid file server access) and
> make the OpenVPN server a single point of failure for the entire LAN. It
> would help to keep guest laptops that get plugged in off our LAN though...
>
> Any ideas, experience, alternatives, scripts etc. are very welcome.
>
Experience is very simple: put it into production, listen to your users, fix the
things they are not happy about, iterate.
>
> Best regards,
>
> Theo Fokkema
> Digital Plumber
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
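The two setups discussed in the reply, as an added example that is not part of the original thread and not taken from any OpenVPN project documentation: a single client profile that lists several servers so users do not have to pick between profiles (OpenVPN itself does not measure latency; `remote-random` only shuffles the order and the client falls through to the next `remote` when one fails), a "real" server instance that pushes routes to other offices, and a "fake" instance for connections arriving from inside the office that hands out a bridge address but pushes no routes. All hostnames, address ranges and file names are constructed for the example. Because every instance verifies clients against the same `ca.crt`, one per-user certificate issued by that CA is valid on all of them, which is the point of question 2; the CRL then has to be copied to every server as well.

```conf
# ----- client.ovpn: one profile distributed to every laptop (constructed example) -----
client
dev tap                      # bridged networking, as in the original post
proto udp
remote-random                # shuffle the list below; on failure move on to the next entry
remote vpn-hq.example.com 1194 udp     # hypothetical hostnames
remote vpn-de.example.com 1194 udp
remote vpn-sg.example.com 1194 udp
server-poll-timeout 10       # seconds to wait for one server before trying the next remote
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server       # only accept a server cert carrying the server EKU (blocks client-cert MITM)
ca ca.crt                    # one CA shared by all office servers
cert user.crt                # one per-user certificate issued by that CA
key user.key

# ----- server-real.conf: the instance reachable from the internet (constructed example) -----
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem           # same CRL distributed to every instance, so a revoked user is out everywhere
# server-bridge <gateway> <netmask> <pool-start> <pool-end>: clients get LAN addresses from this pool
server-bridge 10.10.0.1 255.255.0.0 10.10.200.1 10.10.200.250
push "route 10.20.0.0 255.255.0.0"    # constructed: route to another office over the LAN-to-LAN link
push "route 10.30.0.0 255.255.0.0"
keepalive 10 60

# ----- server-fake.conf: instance the firewall redirects office-LAN clients to (constructed example) -----
# Identical trust material, so the client sees a valid server and reports "connected",
# but nothing is pushed: no routes land in the routing table of a machine that is already on the LAN.
port 1194
proto udp
dev tap1
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem
server-bridge 10.10.0.1 255.255.0.0 10.10.201.1 10.10.201.50   # small pool: limits the double-address cost
keepalive 10 60
```

The fake instance still consumes one bridge address per office-LAN client, which is the depletion the original post worried about, so the pool is kept deliberately small; the redirect itself (DNAT of the VPN port for traffic originating on the office LAN) is done on the firewall and is outside what OpenVPN configures.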