Steve Crook wrote:
> I have a scenario where Alice is located on an untrusted network, she
> connects to a server in a Data Centre which is located behind a DMZ.
> For contractual reasons, the server keeps audit logs and must see
> Alice's real incoming IP address.
> I want to encrypt Alice's traffic from the point it leaves her
> workstation to a point within the Data Centre DMZ, *without* losing
> auditability of Alice's connection. Is this possible?
If I understand your problem correctly, I certainly think so.
Whichever system is running the OpenVPN daemon inside the data centre
knows both Alice's real IP and her address used inside the tunnel. The
easiest approach, if it works for y'all, would be simply to log those
pairs for later correlation, or perhaps expose them to other systems
within the trusted network for real-time correlation.
I use DNS to expose this information. When the user foo connects,
"foo.vpn.mycompany.com" is set to their VPN address and
"foo.external.mycompany.com" is set to their real address; reverse
mapping entries are also made for the VPN address. Thus, anyone who
wants to know the external address someone is coming to over the VPN
merely reverses them to foo.vpn.mycompany.com and does a forward lookup
on foo.external.mycompany.com... and there they are.
Does this adequately address your problem?
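As an added illustration (not code from the thread), here is a client-connect hook in the shape the reply describes: OpenVPN exports the peer's authenticated real address as $trusted_ip/$trusted_port and the address handed out inside the tunnel as $ifconfig_pool_remote_ip, so recording that pair on connect and disconnect gives the correlation record the audit logs need. The log path, script name and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example OpenVPN --client-connect / --client-disconnect hook.
# Assumed server config (names are illustrative):
#   script-security 2
#   client-connect    /etc/openvpn/audit-connect.sh
#   client-disconnect /etc/openvpn/audit-connect.sh
# OpenVPN sets $script_type to the event name and exports the peer's
# details in the environment before running the script.

AUDIT_LOG="${AUDIT_LOG:-/var/log/openvpn/ip-correlation.log}"

# Append one record: timestamp, event, common name, real ip:port, tunnel ip.
# Returns 1 (and logs nothing) if the record could not be correlated later.
log_client_event() {
    event="$1"
    [ -n "$common_name" ] && [ -n "$trusted_ip" ] && \
        [ -n "$ifconfig_pool_remote_ip" ] || return 1
    printf '%s %s cn=%s real=%s:%s tunnel=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$event" \
        "$common_name" "$trusted_ip" "${trusted_port:-?}" \
        "$ifconfig_pool_remote_ip" >> "$AUDIT_LOG"
}

# Answer the auditor's question: which real address most recently
# connected with the given tunnel address? Prints nothing if unknown.
real_ip_for_tunnel() {
    awk -v t="tunnel=$1" '
        $2 == "client-connect" && $NF == t {
            sub(/^real=/, "", $4); split($4, a, ":"); ip = a[1]
        }
        END { print ip }' "$AUDIT_LOG"
}

# When invoked by OpenVPN, log the event it is reporting.
case "${script_type:-}" in
    client-connect|client-disconnect) log_client_event "$script_type" ;;
esac
```

Tunnel addresses are reused across sessions, so the timestamps in each record are what let a later query be scoped to the session in question; the same record is also what a DNS-update step would consume to publish the foo.vpn / foo.external names the reply describes.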
Openvpn-users mailing list