(on autoselecting nearest VPN server on the globe)

> 1) Not built into OpenVPN, but it would be reasonably easy to write a small
> script that would ping (or some other latency-measuring, hop-measuring, or
> something-else-measuring method) all the servers and then construct an openvpn
> config file snippet to be included in the main openvpn config.

That was my initial idea. But how would I get it to run before the OpenVPN 
Service starts?


(on verifying with different servers)

> 2) That's already how certificates work.  You shouldn't need to synchronize
> anything other than your CA certificate and, periodically, your CRL.  If you
> want to *issue* certificates from different places, then you'd need to have a
> CA hierarchy, but that's a matter of building your CA to suit your needs.  Any
> good reference on X.509 PKI will likely tell you more than you ever wanted to
> know about this subject.  But if you build it right, any certificate issued
> from one of your CAs should be recognized as valid throughout your
> organization instantly, with no synchronization needed, and should be able to
> validate all of your servers.

Good point. I'd need to do some reading up; I've now got it going on the first 
OpenVPN server by simply monkeying the steps in the manual.



(on not connecting when the laptop is on the office LAN)

> 3) Once again, this isn't something that could be done within OpenVPN
> itself, but if you're already going to write a script for #1, it'd be fairly
> easy to add some logic to exit out if your IP address is within a list of
> ranges.

I'd have to hire a programmer to write a separate service that wraps around the 
OpenVPN service, probably.
But I can hardly imagine that I'm the first person to want such a setup. Do 
any such wrappers or scripts exist?
I noticed there are a number of public VPN providers who provide internet 
privacy by setting up a VPN between the client and an anonymous internet 
connection. Many of these use OpenVPN.
How do they do autoselect?

Someone suggested 'fake VPN' connections from within the office, with the only 
drawback being users seeing VPN error messages.
I thought of another 'dirty' solution, but it will probably also generate lots 
of errors on the road warriors' laptops:
Suppose I create a separate DNS entry openvpn.companyname.com on the public 
(internet) DNS and configure my clients to connect to that, and then I could 
create the same entry in the LAN's (internal) DNS to point to a nonexistent 
server, or a server declining the connection or not handing out IPs.
But that is really dirty, right?


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
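The quoted points 1 and 3 describe a small helper script: probe every VPN server, write the fastest ones into a config snippet that the main OpenVPN config pulls in with its `config` directive, and do nothing at all when the laptop's address is already inside the office ranges. The following Python script is an added example of that logic, not code from the thread or from the OpenVPN project. The hostnames, ports, address ranges and the snippet path are constructed placeholders, and TCP handshake time is used as the latency measure on the assumption that the servers also listen on TCP (replace the probe with an ICMP ping where the client is allowed to send one). How the script is launched before the connection (a pre-connect hook of the client, or a scheduled task) is outside the example.

```python
"""Added example (not from the thread): rank OpenVPN servers by measured
latency and emit a config snippet, skipping the VPN when the machine is
already on the office LAN.  All hostnames, ports, address ranges and paths
below are constructed placeholders."""
import ipaddress
import socket
import sys
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed values: replace with the organisation's own networks/servers.
OFFICE_RANGES = [ipaddress.ip_network(r) for r in ("10.20.0.0/16", "192.168.50.0/24")]
VPN_SERVERS: Dict[str, int] = {
    "vpn-eu.example.com": 1194,
    "vpn-us.example.com": 1194,
    "vpn-ap.example.com": 1194,
}
# Assumed location; the main .ovpn pulls it in with:  config nearest.ovpn
SNIPPET_PATH = "C:/Program Files/OpenVPN/config/nearest.ovpn"


def on_office_lan(local_ip: str, ranges=OFFICE_RANGES) -> bool:
    """True when local_ip falls inside one of the office address ranges."""
    addr = ipaddress.ip_address(local_ip)
    return any(addr in net for net in ranges)


def local_address(probe_target: str = "192.0.2.1") -> str:
    """Address of the interface that would route towards the internet.
    Calling connect() on a UDP socket only selects a route; no packet is sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((probe_target, 53))
        return s.getsockname()[0]


def tcp_latency_ms(host: str, port: int, timeout: float = 2.0) -> Optional[float]:
    """TCP handshake time in milliseconds as the latency measure (assumes the
    server also listens on TCP; swap in an ICMP ping if the client may send one)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.monotonic() - start) * 1000.0
    except OSError:  # unreachable, refused or timed out: treat as unusable
        return None


Probe = Callable[[str, int], Optional[float]]


def rank_servers(servers: Dict[str, int], probe: Probe) -> List[Tuple[str, int, float]]:
    """Probe every server and return (host, port, ms) sorted fastest first.
    Servers that did not answer are dropped so OpenVPN never waits on them."""
    ranked = []
    for host, port in servers.items():
        rtt = probe(host, port)
        if rtt is not None:
            ranked.append((host, port, rtt))
    ranked.sort(key=lambda entry: entry[2])
    return ranked


def build_snippet(ranked: List[Tuple[str, int, float]], proto: str = "udp") -> str:
    """'remote' lines for the included snippet.  OpenVPN tries remotes in the
    order listed, so the fastest server comes first and the rest are fallbacks.
    Only remotes are emitted: the certificate checks (ca, remote-cert-tls
    server, verify-x509-name) stay in the main config, so choosing a server
    never weakens server authentication."""
    return "".join(f"remote {host} {port} {proto}\n" for host, port, _ in ranked)


def main() -> int:
    ip = local_address()
    if on_office_lan(ip):
        print(f"{ip} is on the office LAN; not starting the VPN")
        return 1
    ranked = rank_servers(VPN_SERVERS, tcp_latency_ms)
    if not ranked:
        print("no VPN server reachable")
        return 2
    # Write only into the service's protected config directory: a snippet an
    # unprivileged user could edit would let them inject directives into a
    # config that the OpenVPN service runs with elevated rights.
    with open(SNIPPET_PATH, "w") as fh:
        fh.write(build_snippet(ranked))
    print(f"nearest server: {ranked[0][0]} ({ranked[0][2]:.0f} ms)")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The probe is passed in as a function so the ranking and snippet generation can be exercised without network access, and the snippet deliberately carries nothing but `remote` lines: which server is picked is a convenience decision, while which servers are trusted remains fixed in the main config and its CA.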