Jan Just Keijser wrote on 03-10-2017 10:52:
> Actually, this is not a requirement. You can set up a PKI (Public Key Infrastructure) like this:
>
> Root CA ---- Server sub-CA --- Server cert
Yes, and you can have more than one Server cert.
>            |
>            +-------- Office 1 sub-CA --- Office 1 clients
>            |
>            +-------- Office 2 sub-CA --- Office 2 clients
>
> You can also use a client-connect script to NOT push out a default gateway if a client is on a (trusted) LAN; that way, the clients will still have a VPN IP address, they simply won't route any traffic over it by default.
I assumed this would be the case. I don't think you want to connect to the internet via your company VPN whenever and wherever you use it, but rather to only have access to company networks right?
I think what that other person meant was that a 0.0.0.0 route would get trumped by more specific subnet routes.
My only suggestion was that it was easy enough to give out specific subnet routes for the company, which can then have a lower metric than the equally specific subnet routes obtained via VPN.
I.e. you already get routes when you connect to DHCP. If your laptop then connects to VPN as well, you get the same routes twice. (Of course you could also not send out those routes over VPN when the client is connecting from the company LAN).
But there are just a myriad of solutions that all seem pretty reasonable.
There is no need to crack down on any of it. This is feasible.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
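The client-connect approach mentioned in the quoted reply (push a default gateway only to clients that are not on the office LAN, and skip the office routes for clients already on it), as an added example script; it is not code from the thread or from the OpenVPN project. It assumes the server config does not itself contain `push "redirect-gateway"`, and the office prefix and subnet are constructed values; `trusted_ip` and the temp-file argument `$1` are what OpenVPN hands to a `client-connect` script.

```sh
#!/bin/sh
# Added example: OpenVPN client-connect script deciding per client
# whether to push a default route, based on where the client comes from.
# Assumptions: server config has no "push redirect-gateway" of its own;
# OFFICE_LAN / OFFICE_ROUTE are constructed example values.

OFFICE_LAN="192.0.2.0/24"                 # where "trusted" clients connect from
OFFICE_ROUTE="route 10.10.0.0 255.255.0.0" # company subnet reachable via VPN

# ip2int DOTTED-QUAD -> prints the address as a 32-bit integer
ip2int() {
    IFS=. read -r _a _b _c _d <<EOF
$1
EOF
    echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# in_cidr IP NET/BITS -> exit status 0 when IP lies inside NET/BITS
in_cidr() {
    _ip=$(ip2int "$1")
    _net=$(ip2int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# client_push REAL-IP -> prints the per-client config lines to hand back
client_push() {
    if in_cidr "$1" "$OFFICE_LAN"; then
        # Client is already on the office LAN: it keeps a VPN address but
        # gets neither a default route nor the office routes over the tunnel.
        echo "# $1 is on the trusted LAN: no redirect-gateway, no office routes"
    else
        # Remote client: full tunnel plus the company subnet.
        echo 'push "redirect-gateway def1"'
        echo "push \"$OFFICE_ROUTE\""
    fi
}

# OpenVPN calls this script with the temp config path in $1 and exports
# trusted_ip (the client's real source address); only act in that case.
if [ -n "$trusted_ip" ] && [ -n "$1" ]; then
    client_push "$trusted_ip" > "$1"
fi
```

Hook it in with `client-connect /path/to/script` plus `script-security 2` in the server config; the script's output becomes that client's pushed options.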