Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: spott on April 02, 2012, 08:07:12 am

Title: VPN questions
Post by: spott on April 02, 2012, 08:07:12 am
Hi

I am setting up two Zentyal gateways right now.
These two gateways have a VPN tunnel between them.

But I want to add some normal VPN clients as well. The question is: is OpenVPN good for this? As far as I can see, normal OpenVPN doesn't have any password protection; all the information is inside the certificates. And now, when a laptop is stolen, the new owner can simply start the OpenVPN service and he is connected to the company network. No password, nothing.

Maybe it is better then to use another VPN solution for these clients?
What are your suggestions?
Title: Re: VPN questions
Post by: robb on April 02, 2012, 09:50:15 pm
What you can do is configure 2 VPN servers: 1 for the Zentyal-to-Zentyal tunnel and 1 for the standard VPN clients.

As far as the normal VPN clients are concerned, I would always create a separate certificate for every user. When a user leaves the company, you don't have to revoke the one certificate and leave all your other users without a VPN connection.
Title: Re: VPN questions
Post by: spott on April 03, 2012, 07:24:43 am
But is it possible to add additional password protection as well?
Title: Re: VPN questions
Post by: christian on April 03, 2012, 08:40:06 am
As far as I understand, and although this can be done with OpenVPN (but not via the Zentyal GUI), mixing authentication mechanisms, and furthermore stacking them (that is, relying on certificate plus password), is not feasible.
There is no real drawback with certificate-based authentication "only", except the administration overhead when it comes to renewing it or creating a new one when a certificate gets compromised.
As you rightly point out, the user password is at the certificate level, and a valid certificate will always allow authentication  :o
Hopefully, there is a CRL mechanism  ;D
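The two points made in this thread, one certificate per user so a single user can be revoked, and a CRL so the server rejects the revoked certificate, can be tried end to end with nothing but the openssl CLI. The script below is an added example written for this page; it is not from the thread, from Zentyal or from the OpenVPN project. It builds a throwaway CA in a temporary directory, issues certificates for two made-up users (alice and bob), revokes bob, publishes a CRL and checks both certificates against it the way an OpenVPN server with a `crl-verify` directive would. It also encrypts each client's private key with a passphrase: that passphrase (which OpenVPN prompts for at connect time, or reads through its `askpass` option) is the one thing that separates a stolen laptop from the VPN when authentication is certificate-only. The CA name, user names, passphrase and file layout are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum thread, Zentyal or OpenVPN.
# Demonstrates: per-user certificates, revocation via CRL, and a
# passphrase-protected client key. All names and values are made up.
set -eu

WORK="$(mktemp -d)"
CADIR="$WORK/demo-ca"
CNF="$WORK/demo-ca.cnf"
CLIENT_PASS="correct horse battery staple"   # constructed demo passphrase

# Minimal openssl config: a [req] section for CSRs and the CA certificate,
# and a [ca] section with the database files that `openssl ca` needs in
# order to track issued certificates and revoke them later.
write_config() {
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
    cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = demo_ca

[ demo_ca ]
database = $CADIR/index.txt
new_certs_dir = $CADIR/newcerts
certificate = $CADIR/ca.crt
private_key = $CADIR/ca.key
serial = $CADIR/serial
crlnumber = $CADIR/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
unique_subject = no

[ policy_any ]
commonName = supplied
EOF
}

# Self-signed CA; its key is left unencrypted only because this is a demo.
create_ca() {
    openssl req -x509 -config "$CNF" -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=demo-ca" -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null
}

# One certificate per user. The private key is AES-encrypted with the
# user's passphrase, so the key file alone is useless on a stolen machine.
issue_client() {
    name="$1"
    openssl genrsa -aes256 -passout "pass:$CLIENT_PASS" -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -config "$CNF" -key "$WORK/$name.key" -passin "pass:$CLIENT_PASS" \
        -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
    openssl ca -batch -config "$CNF" -notext -in "$WORK/$name.csr" -out "$WORK/$name.crt" 2>/dev/null
}

# Publish the current revocation list; on an OpenVPN server this file is
# what the `crl-verify` directive points at.
publish_crl() {
    openssl ca -config "$CNF" -gencrl -out "$CADIR/ca.crl" 2>/dev/null
}

# Revoke one user's certificate and publish a fresh CRL.
revoke_client() {
    openssl ca -config "$CNF" -revoke "$WORK/$1.crt" 2>/dev/null
    publish_crl
}

# Returns 0 if the certificate chains to the CA and is not on the CRL,
# which is the check the VPN server performs on every connection attempt.
cert_is_valid() {
    openssl verify -crl_check -CAfile "$CADIR/ca.crt" -CRLfile "$CADIR/ca.crl" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# Returns 0 if the key cannot be loaded with a wrong passphrase.
key_needs_passphrase() {
    ! openssl pkey -in "$WORK/$1.key" -passin "pass:wrong-guess" -noout >/dev/null 2>&1
}

write_config
create_ca
issue_client alice
issue_client bob
publish_crl                                  # empty CRL: nobody revoked yet
cert_is_valid alice && cert_is_valid bob && echo "both users valid before revocation"
revoke_client bob
cert_is_valid alice && echo "alice: still valid"
cert_is_valid bob || echo "bob: rejected, certificate is on the CRL"
key_needs_passphrase alice && echo "alice's key cannot be used without her passphrase"
echo "demo files left in $WORK"
```

The CRL only helps if the server is told to consult it; with certificate-only authentication, revocation plus a passphrase on the client key is the practical answer to the stolen-laptop case raised in the first post, since the certificate itself cannot be "logged out".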
Title: Re: VPN questions
Post by: half_life on April 05, 2012, 01:23:08 am
You could always use PPTP instead for your individual users.