Greetings,

I rolled out my first OpenVPN test network this week, and it works great! Thank you very much to everyone who has donated their time and talents to this project. My network is set up for tun connections. I have a few questions that I would appreciate some clarification on:

(1) Is access control based on IP address as described in the HOWTO (http://openvpn.net/howto.html#policy) safe? Is it reasonable to assume that the client will have no way of masquerading as another user by setting a static IP other than the one assigned with ifconfig-push from the server?

(2) Many of my users share a common physical location that already has a real LAN setup. I want to make several Samba servers available to the VPN that are currently available on these LANs. I'd like to avoid the overhead of routing traffic through our offsite OpenVPN server for accessing Samba shares that are already on a user's LAN. Is there a way to ensure that when a Samba share name is available via the VPN and LAN, the LAN is chosen as a route? Note that I don't want to do any permanent routing on the client side, because many users will want to connect their laptops both in and out of the office, and I'd like the network to always "just work". (I realize this is really a Samba question, since OpenVPN IP addresses are unambiguous, whereas share names are not...)

(3) Is there a way to ensure that Windows XP users can't accidentally bridge the TUN device to an insecure LAN? For example, if a user is using their laptop at a cafe, can I be sure that they can't accidentally expose the private network to the public wireless network?

Thank you in advance for any advice and tips you might have.

Best regards,
Steve