Jan Just Keijser schreef op 03-10-2017 10:52:
Actually, this is not a requirement. You can set up a PKI (Public Key
Infrastructure) like this:
Root CA ---- Server sub-cA --- Server cert
Yes and you can have more than one Server cert.
|
+-------- Office 1 sub-ca --- Office 1 clients
|
+-------- Office 2 sub-ca --- Office 2 clients
You can also use a client-connect script to NOT push out a default
gateway if a client is on a (trusted) LAN; that
way, the clients will still have a VPN IP address, they simply won't
route any traffic over it by default.
I assumed this would be the case. I don't think you want to connect to
the internet via your company VPN whenever and wherever you use it, but
rather to only have access to company networks right?
I think what that other person meant was that a 0.0.0.0 route would get
trumped by more specific subnet routes.
My only suggestion was that it was easy enough to give out specific
subnet routes for the company, which can then have a lower metric than
the equally specific subnet routes obtained via VPN.
Ie. you already get routes when you connect to DHCP. If your laptop then
connects to VPN as well, you get the same routes twice. (Of course you
could also not send out those routes over VPN when the client is
connecting from the company LAN).
But there are just a myriad of solutions that all seem pretty
reasonable.
There is no need to crack down on any of it. This is feasible.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
