Hi everyone,
I have been using OpenVPN in a small environment with around 20 road-warriors and everything is working nicely. I am now going to expand this project to the whole company. My estimates are that there will be around 1000 users. I expect to have no more than 100 connected simultaneously. I currently use dev TUN and plan to keep using it. I would like suggestions on the best way to implement this. Here are my ideas:
Key Management:
Since the Windows OpenVPN GUI has My Certificate Wizard, I will ask all users to send a CSR for the root CA to sign. The root CA will be an isolated machine with no network connections. In addition to using certificates, I plan to use a user/password authentication scheme. In order to do this I will need to use the following parameter in my server.conf file: --auth-user-pass-verify ./script. I currently don’t use any CRL lists. My user control is based on the ccd-exclusive directive.
IP Management:
Currently all my users have fixed IP addresses configured with individual ccd files. My server runs a firewall which controls all user access based on their IP address. In my mass implementation I will have to use IP address pools based on user profiles. I plan on having several different profiles, each with a different IP address pool so that I can control all access with a firewall on the server.
Here are the points I am not so sure how to accomplish:
- How do I make the auth-user-pass-verify script?
- If I use a CRL to revoke certificates, can I unrevoke a certificate if the user should regain access? If not, can I issue a new certificate with the same common name?
- How do I make different IP address pools for groups of users, and how do I identify a user as a member of one pool or another?
- Since I am going to have two servers, how will I accomplish load-balancing/failover? Here’s my doubt: since I have static routes in my main router pointing to the VPN servers, would I need to have different IP address pools to accomplish routing successfully?
Thanks to everyone who can help.
Maurício
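For the first question above, here is an added example (not from the poster or the OpenVPN project) of what an auth-user-pass-verify script looks like when the server.conf uses the "via-file" method: OpenVPN writes the username on line 1 and the password on line 2 of a temporary file, passes its path as the first argument, and treats exit status 0 as accept and anything else as reject. The credentials file format (user:salt:sha256(salt+password)), its path and the helper names are assumptions constructed for this example; it relies on GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example of an OpenVPN auth-user-pass-verify script ("via-file" method).
# Assumed server.conf lines:
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/verify.sh via-file
# OpenVPN calls: verify.sh <tmpfile>  (line 1 = username, line 2 = password)
# Credential store (constructed format): one "user:salt:sha256hex" line per user.
CRED_FILE="${CRED_FILE:-/etc/openvpn/users.db}"   # hypothetical path

hash_pw() {  # $1=salt $2=password -> hex SHA-256 of salt||password
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

add_user() {  # $1=user $2=salt $3=password ; appends an entry to CRED_FILE
    printf '%s:%s:%s\n' "$1" "$2" "$(hash_pw "$2" "$3")" >> "$CRED_FILE"
}

verify_credentials() {  # $1 = path of the two-line file OpenVPN wrote
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    # Reject usernames outside a safe charset before they reach grep or logs.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    entry=$(grep "^$user:" "$CRED_FILE" | head -n 1)
    [ -n "$entry" ] || return 1          # unknown user
    salt=$(printf '%s' "$entry" | cut -d: -f2)
    stored=$(printf '%s' "$entry" | cut -d: -f3)
    # Plain string compare is not constant-time; a production deployment
    # would delegate this to PAM/LDAP (e.g. the openvpn-plugin-auth-pam module).
    [ "$(hash_pw "$salt" "$pass")" = "$stored" ]
}

# When invoked by OpenVPN, $1 is the temp file and the exit status is the verdict.
if [ -n "$1" ] && [ -f "$1" ]; then
    verify_credentials "$1"
    exit $?
fi
```

The password file is deleted by OpenVPN after the script returns, so the script must not rely on it persisting; revocation of a user is then a matter of removing their line plus putting their certificate on the CRL.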