Mike Meyer <mwm-dated-1149551335.86eba5 <at> mired.org> writes:

> Yes, that's right. If you want to let authorized remote
> users access your internal network, while keeping non-authorized
> external users from getting to the same, then a VPN is the right
> solution.
>

Just to give you a more complete idea of what I'm looking to achieve, please see:

http://openvpn.net/howto.html#policy

I want to authenticate my staff on the internal network by assigning them a specific IP address each (or within an IP range), and then setting the server daemons to listen only to certain authorised IP ranges. Would that be vulnerable to IP spoofing? Would I need to make sure that different groups of staff are on different subnets?

> The split dns mechanism that others have mentioned will keep those
> names from being visible to the outside world. dnsmasq can do all of
> this for you, either with a TLD you made up, or with your real domain
> name and names that are only internally visible.

dnsmasq looks like a nice solution. I'm wondering why I need a DHCP server though; does OpenVPN not assign each VPN client an IP for its IP pool? Or would I be correct in saying that the DHCP server is necessary in order to assign an IP from the server-side LAN? If so, which interface is assigned that IP?

> Note that if your VPN allows the client machines to be on more than
> one LAN (and if you think it doesn't allow that, you're probably
> wrong), configuring the client DNS to let you look up internal names
> on all the LANs you are on is interesting, to say the least.

Could you elaborate on this? I'm not sure what you mean.

Thanks again,
Matt :)

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users