Author Topic: VPN questions  (Read 1754 times)

spott

VPN questions
« on: April 02, 2012, 08:07:12 am »
Hi

I am setting up two Zentyal gateways right now.
These two gateways have a VPN tunnel between them.

But I also want to add some normal VPN clients. The question is - is OpenVPN good for this? As far as I have seen, normal OpenVPN doesn't have any password protection. All the information is inside the certificates. So when a laptop is stolen, the new owner can simply start the OpenVPN service and he is connected to the company network. No password - nothing.

Maybe it is better to use another VPN solution for these clients?
What are the suggestions?

robb

  • Guest
Re: VPN questions
« Reply #1 on: April 02, 2012, 09:50:15 pm »
What you can do is configure 2 VPN servers. 1 for the Zentyal to Zentyal tunnel and 1 for the standard VPN clients.

As far as the normal VPN clients are concerned, I would always create a separate certificate for every user. When a user leaves the company, you don't have to revoke the 1 certificate and leave all your other users without VPN connection.

spott

Re: VPN questions
« Reply #2 on: April 03, 2012, 07:24:43 am »
But is it possible to add additional password protection also?

christian

  • Guest
Re: VPN questions
« Reply #3 on: April 03, 2012, 08:40:06 am »
As far as I understand, and although this can be done with OpenVPN but not via the Zentyal GUI, mixing authentication mechanisms and, furthermore, stacking them (that is, relying on certificate plus password) is not feasible.
There is no real drawback with certificate-based authentication "only", except the administration overhead when it comes to renewing a certificate or creating a new one when a certificate gets compromised.
As you rightly point out, the user password is at certificate level and a valid certificate will always allow authentication  :o
Hopefully, there is a CRL mechanism  ;D
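
The settings discussed in the replies above (one certificate per user, a CRL, and a password on top of the certificate), written out as an added example that does not come from any poster or from Zentyal. It assumes hand-edited OpenVPN configuration files rather than the Zentyal GUI; every file path, the address range and the host name vpn.example.com are placeholders.

```conf
# ---- server.conf (roaming clients; separate instance from the gateway tunnel) ----
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0        # placeholder client address pool

ca   /etc/openvpn/ca.crt             # placeholder paths
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem

# Reject any client certificate listed in the CA's revocation list.
# Revoke the stolen laptop's certificate, regenerate crl.pem, and only
# that user is locked out; the other per-user certificates keep working.
crl-verify /etc/openvpn/crl.pem

# Require a username/password in addition to the certificate.
# The plugin path differs between distributions (assumed here);
# "login" is the PAM service used to check the credentials.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# Client certificates stay mandatory by default, so a connection needs
# BOTH a valid, unrevoked certificate AND a correct password.

# ---- client.conf (one per user, with that user's own certificate) ----
client
dev tun
proto udp
remote vpn.example.com 1194          # placeholder host name

ca   ca.crt
cert alice.crt                       # hypothetical per-user certificate
key  alice.key                       # hypothetical per-user private key

# Prompt the user for username and password at connect time.
auth-user-pass

# If alice.key was generated with a passphrase, OpenVPN also asks for
# that passphrase before it can use the key, so a copied key file is
# not usable on its own.
```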

half_life

Re: VPN questions
« Reply #4 on: April 05, 2012, 01:23:08 am »
You could always use PPTP instead for your individual users.