Hi,

On 02/10/17 18:41, Илья Шипицин wrote:


2017-10-02 20:49 GMT+05:00 Xen <l...@xenhideout.nl>:

    Jan Just Keijser wrote on 02-10-2017 17:04:

            2. Is there a way to have different OpenVPN servers share (or synchronize) the same certificates so we only have to create one certificate for each user to have access to all our OpenVPN servers worldwide? Or entirely validate through Active Directory only (probably combined with a single certificate)

        yes. this is possible: you can have a single CA to hand out
        certificates for all clients, or you can even create sub-CA's for each
        office so that each office can hand out certificates which are then
        trusted by all other offices.


    What they mean is you wouldn't be validating against a single certificate or a certain known certificate.

    Your client would accept all server certificates as valid that derive from a central CA, that you can be yourself.


Actually, this is not a requirement. You can set up a PKI (Public Key Infrastructure) like this:

Root CA  ---- Server sub-CA  --- Server cert
    |
    +-------- Office 1 sub-CA --- Office 1 clients
    |
    +-------- Office 2 sub-CA --- Office 2 clients


etc. All clients will need to trust the server sub-CA; the server will need to trust the Root CA, and/or all office sub-CAs.


        Also, I'd recommend to put the VPN clients in a separate DHCP pool /
        IP range, in which case it does not really matter if a laptop obtains
        an extra IP address. That way, a laptop may receive a VPN IP address
        but dependent on routing metrics the LAN connection would prevail.
        If you need more control than this, then this would require a wrapper
        around OpenVPN itself.


    This is a great idea.



I do not think so.
Consider a "road warrior" with a laptop:

1) when in office, usually you get a 0.0.0.0/0 route, i.e. the default

2) when connected via VPN, you get a bunch of routes via VPN and 0.0.0.0/0 via the local ISP.

Any non-default route will win because of the shorter network mask, no matter what the routing metric is.

You can also use a client-connect script to NOT push out a default gateway if a client is on a (trusted) LAN; that way, the clients will still have a VPN IP address, they simply won't route any traffic over it by default.

HTH,

JJK
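As an added illustration of the PKI layout JJK sketches (example code written for this page, not something from the thread or from the OpenVPN project): the POSIX shell script below builds the Root CA / server sub-CA / office sub-CA hierarchy with the openssl CLI and then uses openssl verify to show which presented chains each side accepts. The scratch directory, the names (office1-alice, office2-bob), the validity period and the extension sets are made up; it assumes openssl 1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example for this page, not from the thread or the OpenVPN project.
# Builds the PKI sketched above with the openssl CLI and checks which
# chains each side would accept. Assumes openssl >= 1.1 on PATH.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # scratch directory (assumption)

# Extension sets for the three certificate classes (made-up policy).
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
SERVER_EXT='basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth'
CLIENT_EXT='basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth'

# issue NAME ISSUER EXTENSIONS: create $NAME.key and $NAME.crt, signed by
# $ISSUER.key, or self-signed when ISSUER is "self".
issue() {
  name=$1; issuer=$2
  printf '%s\n' "$3" > "$PKI_DIR/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$PKI_DIR/req.cnf" \
    -subj "/CN=$name" -keyout "$PKI_DIR/$name.key" \
    -out "$PKI_DIR/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -days 3650 -in "$PKI_DIR/$name.csr" \
      -signkey "$PKI_DIR/$name.key" -extfile "$PKI_DIR/$name.ext" \
      -out "$PKI_DIR/$name.crt" 2>/dev/null
  else
    openssl x509 -req -days 3650 -in "$PKI_DIR/$name.csr" \
      -CA "$PKI_DIR/$issuer.crt" -CAkey "$PKI_DIR/$issuer.key" -CAcreateserial \
      -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
  fi
}

# Root -> server sub-CA -> server; Root -> office sub-CAs -> office clients.
build_pki() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$PKI_DIR/req.cnf"
  issue root          self          "$CA_EXT"
  issue server-subca  root          "$CA_EXT"
  issue office1-subca root          "$CA_EXT"
  issue office2-subca root          "$CA_EXT"
  issue server        server-subca  "$SERVER_EXT"
  issue office1-alice office1-subca "$CLIENT_EXT"
  issue office2-bob   office2-subca "$CLIENT_EXT"
}

# chain_ok TRUSTED LEAF [INTERMEDIATE|-] [sslserver|sslclient|-] [partial]
# Runs openssl verify with TRUSTED as trust anchor, the intermediate passed
# the way a TLS peer would send it, and an optional purpose (EKU) check of
# the kind --remote-cert-tls performs in OpenVPN. Returns 0 on "OK".
chain_ok() {
  trusted="$PKI_DIR/$1.crt"; leaf="$PKI_DIR/$2.crt"
  inter=${3:--}; purpose=${4:--}; mode=${5:-full}
  set -- -CAfile "$trusted"
  [ "$inter" = - ]   || set -- "$@" -untrusted "$PKI_DIR/$inter.crt"
  [ "$purpose" = - ] || set -- "$@" -purpose "$purpose"
  [ "$mode" = full ] || set -- "$@" -partial_chain
  out=$(openssl verify "$@" "$leaf" 2>&1 || true)
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

report() {   # report DESCRIPTION chain_ok-arguments...
  desc=$1; shift
  if chain_ok "$@"; then echo "accepted: $desc"; else echo "rejected: $desc"; fi
}

build_pki
echo "PKI written to $PKI_DIR"
report "client trusts root; server cert + server sub-CA; purpose sslserver" \
  root server server-subca sslserver
report "client trusts only the server sub-CA (no root, no -partial_chain)" \
  server-subca server
report "client trusts only the server sub-CA, with -partial_chain" \
  server-subca server - - partial
report "server trusts root; office1 client cert + office1 sub-CA; purpose sslclient" \
  root office1-alice office1-subca sslclient
report "server trusts root; a SERVER cert presented as a client; no purpose check" \
  root server server-subca
report "same server cert; purpose sslclient (what remote-cert-tls client enforces)" \
  root server server-subca sslclient
report "office1 client cert presented as a server; purpose sslserver" \
  root office1-alice office1-subca sslserver
```

Two things the output makes visible. First, once the server trusts the Root CA, a certificate issued by the server sub-CA (for example another office's server certificate) also chains correctly, so the server must additionally check what the certificate is for; that is the job of remote-cert-tls client on the server and remote-cert-tls server on the clients, which is what the -purpose lines model. Second, openssl verify does not accept a non-self-signed sub-CA as a trust anchor unless -partial_chain is given, so if you intend to hand clients only the server sub-CA, test how your OpenVPN build behaves with that ca file before rolling it out.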
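JJK's client-connect suggestion, as an added example written for this page (not from the thread and not an OpenVPN project script): the script pushes redirect-gateway only to clients whose real address is outside the trusted office ranges; clients on the LAN still get their VPN address but no default route over the tunnel. The address ranges and the demo peers are made up. It relies on two documented OpenVPN behaviours: the client-connect script receives a temporary file name as its last argument and the directives it writes there are applied to that client, and the server exports the authenticated peer address as trusted_ip.

```shell
#!/bin/sh
# Added example for this page, not from the thread or the OpenVPN project.
# Use as:  client-connect /etc/openvpn/gw-policy.sh   (hypothetical path)
# OpenVPN runs the script with the authenticated peer address in $trusted_ip
# and a temporary file name as the last argument; directives written to
# that file are applied to this client only.
set -u

# Office address ranges as the server sees them (made-up values).
TRUSTED_LANS="${TRUSTED_LANS:-10.10.0.0/16 192.0.2.0/24}"

# ip_to_int A.B.C.D -> unsigned 32-bit value, e.g. 192.0.2.7 -> 3221225991
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> returns 0 when ADDR lies inside the prefix
in_cidr() {
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# on_trusted_lan ADDR -> returns 0 when ADDR is inside any trusted range
on_trusted_lan() {
  for lan in $TRUSTED_LANS; do
    in_cidr "$1" "$lan" && return 0
  done
  return 1
}

# decide_push ADDR -> prints the per-client directives for a peer at ADDR.
# On a trusted LAN the client keeps its VPN address but gets no default
# route over the tunnel; elsewhere the full-tunnel default is pushed.
decide_push() {
  if on_trusted_lan "$1"; then
    echo "# $1 is on a trusted LAN: default gateway not pushed"
  else
    echo 'push "redirect-gateway def1"'
  fi
}

# Entry point when invoked by OpenVPN: write the directives and exit 0
# (a non-zero exit would make OpenVPN reject the client).
if [ -n "${trusted_ip:-}" ] && [ $# -ge 1 ]; then
  decide_push "$trusted_ip" > "$1"
  exit 0
fi

# Stand-alone dry run with constructed peer addresses.
for peer in 10.10.42.7 192.0.2.250 203.0.113.9; do
  printf '%-14s -> %s\n' "$peer" "$(decide_push "$peer")"
done
```

Two caveats. trusted_ip is the address the server sees the client connect from, so if office clients reach the server through NAT you have to match the office's egress address rather than the internal LAN range (or run the check against the LAN range only when the server itself sits inside that LAN). And the script only withholds the default gateway: any push "route ..." in the global server config still reaches the client, and as the thread says, a more specific route wins over the default regardless of its metric, so decide deliberately which routes stay in the global push list.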



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
