On Sat, 24 Jul 2010 12:30:09 -0700 Alex T wrote:
> I have 2 suggestions regarding openvpn (client mode):
> - the use of SHA512 with the TLS ciphers
OpenVPN does not implement any encryption; it relies on OpenSSL. So, if
the OpenSSL library used by OpenVPN supports it, so does OpenVPN.
> - some kind of route / firewall manipulation for the Windows client.
> If the client is set up to route all Internet traffic via the VPN,
> sometimes when the internet (especially the wireless connection) is lost,
> all the internet traffic is using the local link, not the VPN ... this
> might become a security issue. I saw a different VPN client (paid
> version, NCP secure IPSEC client is called) that, on startup, if the
> current profile is set to route all traffic via the VPN, manipulates the
> Windows routes, deleting the default gateway and routing only the VPN
> server ip to the local gateway. If the VPN tunnel is not up, then the
> Internet won't work.
If I understand you correctly, you may try pushing
redirect-gateway
instead of
redirect-gateway def1
to the client. The former overwrites the default gateway rather than
creating the two /1 routes.
However, I'm not sure about what happens if the VPN goes down (i.e., leave
routing table as it is - which is what you want - or restore old default
gateway?) You can find out quite easily by just trying.
--
D.
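Added illustration, not part of this thread and not OpenVPN's own code: a small longest-prefix-match model in Python of the two options discussed above, using constructed addresses, showing why the two /1 routes win over an untouched 0.0.0.0/0 and what each option leaves behind once the tunnel routes are gone. The tunnel-down case assumes the old default gateway is not restored, which is exactly the open question in the reply.

```python
import ipaddress

# Constructed example addresses (assumptions, not taken from the thread).
LAN_GW = "192.168.1.1"        # local default gateway (e.g. the wireless router)
VPN_SERVER = "203.0.113.10"   # public address of the OpenVPN server
TUN_GW = "10.8.0.1"           # gateway on the tun interface once the tunnel is up


def lookup(table, dst):
    """Longest-prefix match over a list of (network, gateway) entries."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def base_table():
    """Routing table of a client on the LAN before the tunnel comes up."""
    return [(ipaddress.ip_network("0.0.0.0/0"), LAN_GW),
            (ipaddress.ip_network("192.168.1.0/24"), "link")]


def apply_redirect_gateway(table, def1):
    """Model 'redirect-gateway' (def1=False) and 'redirect-gateway def1'
    (def1=True): keep the VPN server reachable via the original gateway, then
    either replace the default route or shadow it with two /1 routes that win
    by longest-prefix match while 0.0.0.0/0 stays in the table."""
    t = list(table)
    t.append((ipaddress.ip_network(VPN_SERVER + "/32"), LAN_GW))
    if def1:
        t.append((ipaddress.ip_network("0.0.0.0/1"), TUN_GW))
        t.append((ipaddress.ip_network("128.0.0.0/1"), TUN_GW))
    else:
        t = [(n, gw) for n, gw in t if n.prefixlen != 0]   # drop old default
        t.append((ipaddress.ip_network("0.0.0.0/0"), TUN_GW))
    return t


def tunnel_down(table):
    """Tunnel lost: every route into the tunnel disappears, nothing is restored
    (assumption; a client that restores the old default behaves like def1)."""
    return [(n, gw) for n, gw in table if gw != TUN_GW]


def internet_path(def1, up):
    """Where traffic to an arbitrary Internet host goes in each state."""
    t = apply_redirect_gateway(base_table(), def1)
    return lookup(t if up else tunnel_down(t), "8.8.8.8")
```

With def1 the leak Alex describes appears as soon as the /1 routes vanish, because 0.0.0.0/0 via the LAN gateway was never removed; without def1 the client is left with no default route at all unless something puts the old one back.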