On Mon, 2006-04-03 at 21:52 -0400, William Warren wrote:
> I know of a way to remotely connect a machine to a domain via L2TP.
> What I want to know is there a way I can substitute openvpn for that so
> that when you select the dial-in option it goes to the openvpn adapter
> instead of initiating the MS L2TP adapter?

I do not know how one would make it respond to the dial-in option. Perhaps someone else on the list has more experience in that. However, one can certainly replace the built-in Windows VPN with OpenVPN.

For a large production rollout of the open source ISCS network security management project, we originally considered the Windows VPN either with L2TP or using only IPSec using lsipsectool (http://sourceforge.net/projects/lsipsectool). We found OpenVPN to be a dramatically superior solution. There is a chart comparing the two solutions in the documentation section of the ISCS tarball (also available via the CVS). However, it would be a clearly OpenVPN solution with an OpenVPN application and icon.

You may wish to include the following registry settings in your setup:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster set to FALSE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList set to FALSE

That should make browsing work if you have WINS set up properly (yes - even in a 100% Active Directory environment network browsing still depends on WINS or broadcast).

If you want your users to be able to use OpenVPN fully even if they are a non-privileged (non-administrator) user, you can adapt the following from our internal documentation:

We were dissatisfied with some of the user limitations of OpenVPN. If the user did not have administrator privileges, we seemed to be left with two choices:

1. Install OpenVPN as a service. This has two major disadvantages - all the configs are started at once, which eliminates the ability to choose individual configurations, and one cannot encrypt and password protect the private key. It also requires using something like subinacl to give the user the ability to control the service. [This may have been changed recently]

2. Allow a standard user to run OpenVPN using the RunAs feature. This requires entering the administrator password every time OpenVPN is started on Win2K. One can save the password in XP, but it creates a security hole where users can potentially run other applications as the administrator.

We worked around all these problems by using CPAU from http://www.joeware.net/win/free/tools/cpau.htm which allows us to encrypt the administrator password and use it only for OpenVPN. The OpenVPN installation must be run as an administrative user. The user is prompted if they want to run OpenVPN as a different (non-privileged) user. If so, they are prompted for the administrative user's password and the non-privileged user's ID. We install CPAU to the user's computer and then, during the installation routine, run the command:

    CPAU.exe -u <administrator user> -p <administrator password> -enc -hide -file OpenVPN.cpau -ex openvpn-gui.exe

We then run OpenVPN from a batch file placed on the user's desktop and start menu which consists of the following single line:

    "C:\Program Files\openvpn\bin\CPAU.exe" -lwop -dec -file "C:\Program Files\openvpn\bin\OpenVPN.cpau"

This allows the non-privileged user to run OpenVPN as a privileged user (and thus able to set OpenVPN routes as needed) without the above mentioned limitations. They can start and stop individual configurations and use encrypted private keys.

Good luck - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
Financially sustainable open source development
http://www.opensourcedevel.com

Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
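The install-time procedure John describes (the two Browser-service registry values, the one-off CPAU encryption of the administrator password, and the single-line launcher batch file), scripted as an added PowerShell example that is not part of the mail or of OpenVPN/CPAU themselves. It assumes CPAU.exe and openvpn-gui.exe are already in the OpenVPN bin directory and uses only the CPAU switches quoted in the mail; the paths, the parameter names and the ADMIN_USER_PLACEHOLDER value are assumptions to replace.

```powershell
# Added example (not from the mail): automates the install routine described above.
# Assumptions: $OpenVpnBin holds CPAU.exe and openvpn-gui.exe; run from an
# administrative session, as the mail requires for the installation step.
param(
    [string]$OpenVpnBin = 'C:\Program Files\openvpn\bin',
    [string]$AdminUser  = 'ADMIN_USER_PLACEHOLDER'   # replace with the real account
)

# 1. Browser-service settings from the mail, with the values exactly as given there,
#    followed by a read-back so a silent failure does not go unnoticed.
$browserKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
if (-not (Test-Path $browserKey)) { New-Item -Path $browserKey -Force | Out-Null }
Set-ItemProperty -Path $browserKey -Name 'IsDomainMaster'     -Value 'FALSE'
Set-ItemProperty -Path $browserKey -Name 'MaintainServerList' -Value 'FALSE'
foreach ($name in 'IsDomainMaster', 'MaintainServerList') {
    $actual = (Get-ItemProperty -Path $browserKey -Name $name).$name
    if ($actual -ne 'FALSE') { throw "$name is '$actual', expected FALSE" }
}

# 2. Build the encrypted CPAU job file. The administrator password is typed once,
#    here, by the administrator performing the install; it is not stored by this script.
$cred  = Get-Credential -UserName $AdminUser -Message 'Account that will run OpenVPN'
$plain = $cred.GetNetworkCredential().Password
$cpau  = Join-Path $OpenVpnBin 'CPAU.exe'
$job   = Join-Path $OpenVpnBin 'OpenVPN.cpau'
& $cpau -u $cred.UserName -p $plain -enc -hide -file $job -ex 'openvpn-gui.exe'
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $job)) { throw 'CPAU did not write OpenVPN.cpau' }
Remove-Variable plain   # drop the clear-text copy as soon as CPAU has consumed it

# 3. The launcher: the single-line batch file from the mail, placed on the common desktop.
$launcher = "`"$cpau`" -lwop -dec -file `"$job`""
$desktop  = [Environment]::GetFolderPath('CommonDesktopDirectory')
Set-Content -Path (Join-Path $desktop 'OpenVPN.bat') -Value $launcher -Encoding ASCII
```

The read-back in step 1 is the check worth keeping: the Browser values are plain strings, so a typo or a missing key fails only at browse time otherwise.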