I'm setting up a VPN network for multiple offices using OpenVPN. This is dual purpose:
- LAN to LAN VPN allowing traffic to be seamlessly routed between offices.
- Allowing users to connect onto the network when they are out of the office.
This leads to the need for two separate authentication mechanisms:
- Client Certificate for the LAN to LAN
- Single Sign On User/Password (without client certificate) for the users.
According to the documentation:
- `auth-user-pass-verify` alone will require every user to provide Client certificate AND User / Password
- `auth-user-pass-verify` and `client-cert-not-required` will require only the User / Password
Question: How can I configure OpenVPN to authenticate some clients with just the client certificate and other clients with just the User / Password?
Apologies for answering my own question. The more I look at this the more it's clear that running two separate instances of OpenVPN on the same box is the right answer. For the LAN to LAN I plan to deal with the routing using RIP2. For the clients this isn't appropriate.
So the options will be different on a number of points:
RIP is clearly something which I must firewall against the users to prevent them borking up the network. Two separate instances of openvpn would operate on two separate internal (VPN) subnets and would be easier to firewall between them.
Different authentication mechanisms as mentioned in the question mean that `auth-user-pass-verify` and `client-cert-not-required` will be used for the users and not for the LAN to LAN.

`client-to-client` is acceptable for users. There really isn't a good reason to prevent this as it allows nothing that's not possible when the same users happen to be in the office. However `client-to-client` would produce strange results with RIP2.

`push "redirect-gateway def1 bypass-dhcp"` is appropriate and necessary for the users. Because they don't RIP they will need to send everything through the VPN server and allow it to route correctly. I can't imagine the hell that would be produced by enabling this for LAN to LAN.
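As an added illustration (not part of the original question or answer), here is what the two server configurations described above could look like side by side; the file paths, ports, tun device names, VPN subnets and the verify script path are assumptions, not values from the post:

```conf
# --- /etc/openvpn/site2site.conf : LAN-to-LAN instance (assumed path) ---
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0       # assumed subnet for the office routers
ca   /etc/openvpn/pki/ca.crt        # assumed PKI paths
cert /etc/openvpn/pki/vpnserver.crt
key  /etc/openvpn/pki/vpnserver.key
dh   /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key 0
# Certificate-only: no auth-user-pass-verify on this instance.
# Pin each office router to a fixed VPN address so RIP2 neighbours stay stable,
# and refuse any certificate that has no per-client config entry.
client-config-dir /etc/openvpn/ccd-sites
ccd-exclusive
# Deliberately absent: client-to-client and redirect-gateway (RIP2 does the routing).
keepalive 10 60
persist-key
persist-tun

# --- /etc/openvpn/roadwarrior.conf : remote-user instance (assumed path) ---
port 1195
proto udp
dev tun1
server 10.9.0.0 255.255.255.0       # separate subnet so firewall rules can tell the instances apart
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/vpnserver.crt
key  /etc/openvpn/pki/vpnserver.key
dh   /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key 0
# Username/password only, checked by an external script (assumed path).
script-security 2                   # needed before OpenVPN will execute the script
auth-user-pass-verify /etc/openvpn/verify-sso.sh via-env
client-cert-not-required            # deprecated in OpenVPN 2.4, removed in 2.5: use "verify-client-cert none"
username-as-common-name             # log and address users by login name, not by a certificate CN
client-to-client
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 60
persist-key
persist-tun
```

Because the two instances sit on different tun devices and subnets, host firewall rules can drop RIP (UDP 520) arriving on tun1 while leaving it untouched on tun0.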