Version 12 (modified by jacalvo@…, 3 years ago)
OpenVPN
Behaviour and Interface Problems with Expired and/or Revoked Certificates
You reach this situation when a certificate used by an OpenVPN daemon is revoked or expired.
You get errors when initializing the OpenVPN module, but they should be more verbose.
You also get this bad behaviour: an error in an OpenVPN certificate terminates the whole initialization sequence, so the daemons that were correctly started before it keep running while the rest are never started.
Bundle Filenames Should Include the CN of the Client Certificate
DHCP Options for VPN Servers
It could be a good idea to allow setting DHCP options in VPN servers. They are described in the OpenVPN man page as follows:
--dhcp-option type [parm]
Set extended TAP-Win32 TCP/IP properties, must be used with --ip-win32 dynamic. This option can be used to set additional TCP/IP properties on the TAP-Win32 adapter, and is particularly useful for configuring an OpenVPN client to access a Samba server across the VPN.
DOMAIN name -- Set Connection-specific DNS Suffix.
DNS addr -- Set primary domain name server address. Repeat this option to set secondary DNS server addresses.
WINS addr -- Set primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat this option to set secondary WINS server addresses.
NBDD addr -- Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server). Repeat this option to set secondary NBDD server addresses.
NTP addr -- Set primary NTP server address (Network Time Protocol). Repeat this option to set secondary NTP server addresses.
NBT type -- Set NetBIOS over TCP/IP Node type. Possible options: 1 = b-node (broadcasts), 2 = p-node (point-to-point name queries to a WINS server), 4 = m-node (broadcast then query name server), and 8 = h-node (query name server, then broadcast).
NBS scope-id -- Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name, as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique. (This description of NetBIOS scopes courtesy of NeonSurge@abyss.com)
DISABLE-NBT -- Disable NetBIOS over TCP/IP.
Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client’s environment before the up script is called, under the name "foreign_option_{n}".
For better eBox integration, these parameters could be gathered from the DHCP module where an interface is configured to serve IP addresses, or configured manually.
These options ease road warriors' access to the LAN DNS resolver, search domain, and file sharing server address.
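As an added example (not eBox code), this POSIX sh fragment shows what a non-Windows client's up script would do with the pushed options described above: it walks the foreign_option_{n} environment variables and renders the DNS and DOMAIN entries as resolv.conf lines, skipping the Windows-only ones. The addresses and domain are constructed sample values.

```shell
#!/bin/sh
# Added example: OpenVPN client "up" script fragment for non-Windows clients.
# The server pushes, for instance:
#   push "dhcp-option DNS 10.8.0.1"
#   push "dhcp-option DOMAIN lan.example"
# and OpenVPN exports them to the up script as foreign_option_1, foreign_option_2, ...
# We emit a resolv.conf fragment on stdout instead of writing /etc/resolv.conf
# so the function can be run and checked stand-alone.

# render_resolv: read foreign_option_N from the environment, print resolv.conf lines
render_resolv() {
    n=1
    domains=""
    while eval "opt=\${foreign_option_${n}:-}"; [ -n "$opt" ]; do
        # each value looks like: dhcp-option DNS 10.8.0.1
        set -- $opt
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    echo "nameserver $3" ;;
                DOMAIN) domains="$domains $3" ;;
                *)      ;;   # WINS, NBDD, NBT, NBS: Windows TAP settings, no Linux equivalent here
            esac
        fi
        n=$((n + 1))
    done
    [ -n "$domains" ] && echo "search${domains}"
    return 0
}

# Demo with constructed values standing in for what OpenVPN would export:
if [ -z "${foreign_option_1:-}" ]; then
    foreign_option_1="dhcp-option DNS 10.8.0.1"
    foreign_option_2="dhcp-option DOMAIN lan.example"
    foreign_option_3="dhcp-option WINS 10.8.0.2"   # ignored on this platform
fi
render_resolv
```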
Change Routing Protocol to RIP Version 2, or Even Better, OSPF
ripd is using unauthenticated RIP Version 1. This version has security problems (route injection), does not support variable subnetting, and has a poor set of options.
I think it is better to change it to RIP Version 2 or even better OSPF.
Check of the VPN network
You shouldn't be allowed to choose a network known to be in use, such as the network of one of the network interfaces or another VPN network.
VPN server in bridged mode
This would ease the usage of the CIFS protocol without knowing IP addresses or names.
More info is available at http://forum.ebox-platform.com/index.php?topic=2507.msg10874 and http://forum.ebox-platform.com/index.php?topic=2609.msg11428#msg11428
Use of external certificates in VPN server configuration options
For medium/big companies having their own CA: http://forum.ebox-platform.com/index.php?topic=3136.msg13619#msg13619
PKCS12 Certificate Export
Suggestion from: http://forum.ebox-platform.com/index.php?topic=3196