Hei folks,
I'm trying to come up with strategies for using OpenVPN as a system
service (i.e. no user interaction required) and trusted networks.
The idea is to establish a VPN connection once the system boots on both
linux and windows as a background service.
However, when the end-device (mostly laptop) is already connected to a
trusted network (i.e. a VPN is not necessary and its routing
configuration might even clash with the local IP subnet) a connection
should not exist.
Although it looks easy to prevent initial connections to OpenVPN in such
a trusted network (--client-connect returning non-zero, DNS split
horizon, firewalling, etc.) I'm worried about roaming stations. I.e.
laptops that are put into hibernation or perform vertical handovers
(i.e. changing networks at the same place).
Intuitively, it might be possible to implement on both the client and
server side.
-> Client: React to interface up / interface down events at the local
machine and check the domains supplied by the DHCP service (this could
be what Microsoft's Always On system is doing with IPsec).
-> Server: Check source-ip on re-connects due to roaming. Terminate
connection once the source-ip belongs to a certain network.
However, I haven't found any how-to or tutorial on actually implementing
this. What hooks / APIs are available? For instance,
-> I'm worried about relying on "--ipchange", because if different
networks utilize the same RFC1918 subnet, the local station could
utilize the same host-id due to DHCPREQUEST.
-> Is --client-connect actually called on every reconnect, i.e. if a
connection is re-established due to the client changing its network? Or
does it "freeze" until a ping-timeout is reached?
Do you have any ideas here?
Thanks,
yanosz
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
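As an added illustration of the server-side idea from the post above (not code from the poster or from the OpenVPN project): a `--client-connect` script that rejects a session when the peer's real source address falls inside a trusted network. It relies on OpenVPN exporting the peer address as `trusted_ip`, handles IPv4 only, and the network list is a constructed example.

```bash
#!/bin/bash
# Trusted networks (constructed example values): a client arriving from one
# of these source addresses is already on a trusted LAN and gets no tunnel.
TRUSTED_NETS="192.168.10.0/24 10.20.0.0/16"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
}

# Return 0 if $1 (IPv4 address) lies within $2 (network in CIDR notation).
ip_in_cidr() {
    local ip net bits mask
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Decide whether a client connecting from source address $1 may stay:
# returns 1 (reject) when it is inside any trusted network, else 0.
allow_client() {
    local n
    for n in $TRUSTED_NETS; do
        if ip_in_cidr "$1" "$n"; then
            return 1
        fi
    done
    return 0
}

# When OpenVPN runs this script as --client-connect, the peer's real source
# address is in $trusted_ip and a non-zero exit rejects the session.
if [ "${script_type:-}" = "client-connect" ]; then
    if allow_client "$trusted_ip"; then
        exit 0
    fi
    echo "client-connect: rejecting $common_name from trusted LAN $trusted_ip" >&2
    exit 1
fi
```

The server needs `script-security 2` for OpenVPN to execute the script at all.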