(on autoselecting nearest VPN server on the globe)
> 1) Not built into OpenVPN, but it would be reasonably easy to write a small
> script that would ping (or some other latency-measuring, hop-measuring, or
> something-else-measuring method) all the servers and then construct an openvpn
> config file snippet to be included in the main openvpn config.
That was my initial idea. But how would I get it to run before the OpenVPN
Service starts?
(on verifying with different servers)
> 2) That's already how certificates work. You shouldn't need to synchronize
> anything other than your CA certificate and, periodically, your CRL. If you
> want to *issue* certificates from different places, then you'd need to have a
> CA hierarchy, but that's a matter of building your CA to suit your needs. Any
> good reference on X.509 PKI will likely tell you more than you ever wanted to
> know about this subject. But if you build it right, any certificate issued
> from one of your CAs should be recognized as valid throughout your
> organization instantly, with no synchronization needed, and should be able to
> validate all of your servers.
Good point. I'd need to do some reading up; I've now got it going on the first
OpenVPN server by simply monkeying the steps in the manual.
(on not connecting when the laptop is on the office LAN)
> 3) Once again, this isn't something that could be done within OpenVPN
> itself, but if you're already going to write a script for #1, it'd be fairly
> easy to add some logic to exit out if your IP address is within a list of
> ranges.
I’d have to hire a programmer to write a separate service that wraps around the
OpenVPN service, probably.
But I can hardly imagine that I'm the first person to want such a setup. Do
any such wrappers or scripts exist?
I noticed there are a number of public VPN providers who provide internet
privacy by setting up a VPN between client and an anonymous internet
connection. Many of these use OpenVPN.
How do they do autoselect?
Someone suggested ‘fake VPN’ connections from within the office, with the only
drawback being users seeing VPN error messages.
I thought of another ‘dirty’ solution, but it will probably also generate lots
of errors on the road warriors’ laptops:
Suppose I create a separate DNS entry openvpn.companyname.com on the public
(internet) DNS and configure my clients to connect to that, and then I could
create the same entry in the LAN's (internal) DNS to point to a nonexistent
server, or a server declining the connection or not handing out IPs.
But that is really dirty, right?
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
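The wrapper script sketched in points #1 and #3 of the thread, as an added example that is not from the list or the OpenVPN project: it pings each candidate server, skips the VPN entirely when the client's address is inside an office range, and writes a one-line snippet that the main client config can pull in with OpenVPN's `config` include directive. The server names, office ranges and output file name are constructed placeholders, and the `ping` flags assume Linux iputils.

```python
import ipaddress
import re
import subprocess
from typing import Dict, Iterable, Optional

# Constructed placeholders; replace with your own servers and office ranges.
VPN_SERVERS = ["vpn-eu.example.com", "vpn-us.example.com", "vpn-ap.example.com"]
OFFICE_RANGES = ["10.0.0.0/8", "192.168.10.0/24"]

def on_office_lan(local_ip: str, ranges: Iterable[str]) -> bool:
    """Point #3: True if the client's address falls inside any office range."""
    addr = ipaddress.ip_address(local_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def ping_rtt_ms(host: str, count: int = 3) -> Optional[float]:
    """Average RTT from the system ping (Linux iputils flags); None if unreachable."""
    try:
        out = subprocess.run(["ping", "-c", str(count), "-W", "2", host],
                             capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    m = re.search(r"= [\d.]+/([\d.]+)/", out)  # "min/avg/max" summary line
    return float(m.group(1)) if m else None

def pick_nearest(latencies: Dict[str, Optional[float]]) -> Optional[str]:
    """Point #1: lowest measured RTT wins; unreachable servers are skipped."""
    reachable = {h: ms for h, ms in latencies.items() if ms is not None}
    return min(reachable, key=reachable.get) if reachable else None

def config_snippet(server: Optional[str], port: int = 1194) -> str:
    """Snippet for an OpenVPN 'config' include: one 'remote' line, or a comment."""
    if server is None:
        return "# no reachable VPN server; leaving remote unset\n"
    return f"remote {server} {port} udp\n"

def build_snippet(local_ip: str, latencies: Dict[str, Optional[float]]) -> str:
    """Combine #3 and #1: skip the VPN on the office LAN, else choose nearest."""
    if on_office_lan(local_ip, OFFICE_RANGES):
        return "# on office LAN; VPN not needed\n"
    return config_snippet(pick_nearest(latencies))

if __name__ == "__main__":
    import socket
    # Best-effort local address; a real deployment should inspect all interfaces.
    local = socket.gethostbyname(socket.gethostname())
    measured = {h: ping_rtt_ms(h) for h in VPN_SERVERS}
    with open("nearest.conf", "w") as f:   # referenced via 'config nearest.conf'
        f.write(build_snippet(local, measured))
```

Run it from a pre-start hook of whatever starts the OpenVPN service (a systemd `ExecStartPre=`, for instance) so the snippet exists before the client config is read.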