I need to set up an OpenVPN network with two protected segments.
1) A developer network where all developers can reach each other's machines. 2) A support network with two roles, supporter and client. Preferably clients cannot initiate connections to the supporter, but the supporter can initiate connections to clients.
The easy way to set up this would be with two separate OpenVPN configurations, 2 key infrastructures etc.
However, I think this should also be possible with only one OpenVPN configuration, allowing people who are both supporter and developer to use only one certificate for both purposes.
How should I set this up?
(OpenVPN version 2.0.x, openSUSE 11.1)
I've seen an OpenVPN deployment as a server where clients use pre-shared keys and certificates for authentication, with only one config file and each client with his own certificate.
Furthermore, the traffic rules between the networks can be settled via netfilter.
I'll try to install it this weekend and come up with a howto.
Later edit:
1 - follow http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki for issuing certificates with the built-in tools of OpenVPN
2 - server config
3 - on the client side, along with ca.crt and user.(key,csr,crt)
You can have various settings starting from this schema, following OpenVPN's examples.
Alternatively if the OpenVPN server is a Linux box, write some iptables rules to control the data flow.
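The netfilter side of the answer, as an added example that is not part of the original thread: a small POSIX shell script for the Linux OpenVPN server that enforces the two segments in the kernel's FORWARD chain. It assumes the tunnel interface is tun0, that each role is pinned to its own address range with OpenVPN's `client-config-dir` and `ifconfig-push` directives (the ranges 10.8.1.0/24, 10.8.2.0/24 and 10.8.3.0/24, the chain name VPN_SEG and the function name are all made up for this example), and that the server config does not use `client-to-client`, since that directive switches clients inside the OpenVPN process and the packets would never reach the host firewall.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes:
#  - one OpenVPN server with a single tun interface (tun0);
#  - each role is pinned to its own address range via client-config-dir +
#    ifconfig-push (the ranges below are hypothetical);
#  - the server config does NOT use "client-to-client", so client-to-client
#    traffic is forwarded by the kernel and passes the FORWARD chain;
#  - net.ipv4.ip_forward=1 is already set.

VPN_IF="${VPN_IF:-tun0}"
DEV_NET="${DEV_NET:-10.8.1.0/24}"   # developers (hypothetical range)
SUP_NET="${SUP_NET:-10.8.2.0/24}"   # supporters (hypothetical range)
CLI_NET="${CLI_NET:-10.8.3.0/24}"   # support clients (hypothetical range)
IPT="${IPT:-iptables}"              # set IPT=echo to print the rules instead

# Build a dedicated chain so the rest of the host firewall stays untouched.
vpn_policy() {
    $IPT -N VPN_SEG 2>/dev/null || true
    $IPT -F VPN_SEG

    # Replies to connections that were already accepted may flow back.
    # (-m state is the classic match; on newer kernels -m conntrack
    # --ctstate performs the same check.)
    $IPT -A VPN_SEG -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 1) developers may reach each other's machines
    $IPT -A VPN_SEG -s "$DEV_NET" -d "$DEV_NET" -j ACCEPT

    # 2) supporters may open connections to clients ...
    $IPT -A VPN_SEG -s "$SUP_NET" -d "$CLI_NET" -m state --state NEW -j ACCEPT

    # ... but clients may not open connections to supporters or anyone else:
    # everything not explicitly allowed is logged (rate-limited) and dropped.
    $IPT -A VPN_SEG -m limit --limit 5/min -j LOG --log-prefix "vpn-seg-drop: "
    $IPT -A VPN_SEG -j DROP

    # Apply the chain to packets that enter and leave through the tunnel.
    # Remove a previous hook first so re-running the script stays idempotent.
    $IPT -D FORWARD -i "$VPN_IF" -o "$VPN_IF" -j VPN_SEG 2>/dev/null || true
    $IPT -I FORWARD -i "$VPN_IF" -o "$VPN_IF" -j VPN_SEG
}

# Only apply when explicitly asked, so the file can also be sourced safely.
if [ "${VPN_POLICY_APPLY:-0}" = 1 ]; then
    vpn_policy
fi
```

Preview the rule set without touching the firewall with `IPT=echo VPN_POLICY_APPLY=1 sh vpn-policy.sh`, then apply it as root with `VPN_POLICY_APPLY=1 sh vpn-policy.sh`. The ordering matters: the ESTABLISHED,RELATED rule is what lets a client answer a supporter's connection while the final DROP still stops the client from opening one of its own, and the LOG rule in front of the DROP gives you a kernel log line (prefix `vpn-seg-drop:`) for every attempt to cross a segment the policy forbids.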