Version 16 (modified by jacalvo@…, 2 years ago)


OpenVPN

Behaviour and Interface Problems with Expired and/or Revoked Certificates

You can reach this situation when a certificate used by an OpenVPN daemon is revoked or has expired.

You get errors when initializing the OpenVPN module, but they need to be more verbose.

You also get this bad behaviour: an error in one OpenVPN certificate terminates the whole initialization sequence, so the daemons that were correctly started before the error keep running while the remaining ones are never started.

Bundle Filenames Should Include the CN of the Client Certificate

DHCP Options for VPN Servers

It could be a good idea to allow setting DHCP options in VPN servers. They are described in the OpenVPN man page as follows:

--dhcp-option type [parm]
              Set  extended TAP-Win32 TCP/IP properties, must be used with --ip-win32 dynamic.  This option can be used to set additional TCP/IP properties on the TAP-Win32 adapter, and is particularly
              useful for configuring an OpenVPN client to access a Samba server across the VPN.

              DOMAIN name -- Set Connection-specific DNS Suffix.

              DNS addr -- Set primary domain name server address.  Repeat this option to set secondary DNS server addresses.

              WINS addr -- Set primary WINS server address (NetBIOS over TCP/IP Name Server).  Repeat this option to set secondary WINS server addresses.

              NBDD addr -- Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server) Repeat this option to set secondary NBDD server addresses.

              NTP addr -- Set primary NTP server address (Network Time Protocol).  Repeat this option to set secondary NTP server addresses.

              NBT type -- Set NetBIOS over TCP/IP Node type.  Possible options: 1 = b-node (broadcasts), 2 = p-node (point-to-point name queries to a WINS server), 4 = m-node (broadcast then query name
              server), and 8 = h-node (query name server, then broadcast).

              NBS  scope-id  -- Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (Known as NBT) module. The primary purpose of a NetBIOS
              scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID.  The NetBIOS scope ID is a character string that is appended to the  NetBIOS
              name.  The  NetBIOS  scope  ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name, as they
              have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.  (This description of NetBIOS scopes courtesy of NeonSurge@abyss.com)

              DISABLE-NBT -- Disable Netbios-over-TCP/IP.

              Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client’s environment before the up script is called, under the  name  "foreign_option_{n}".

To provide better Zentyal integration, these parameters may be gathered from the DHCP module, where an interface is configured to serve IP addresses, or configured manually.

These options ease road warriors' access to the LAN DNS resolver, search domain, and file sharing server address.

Change Routing Protocol to RIP Version 2, or Even Better, OSPF

ripd is using unauthenticated RIP version 1. This version has security problems (route injection), does not support variable-length subnet masks, and has a poor set of options.

I think it is better to change it to RIP version 2 or, even better, OSPF.

Check of the VPN network

You shouldn't be allowed to choose a network we know is already in use, such as the network of one of the network interfaces or the network of another VPN.

VPN server in bridged mode

This would ease the use of the CIFS protocol without having to know IP addresses or names.

More info is available at http://forum.zentyal.com/index.php?topic=2507.msg10874 and http://forum.zentyal.com/index.php?topic=2609.msg11428#msg11428

Use of external certificates in VPN server configuration options

For medium/big companies having their own CA: http://forum.zentyal.com/index.php?topic=3136.msg13619#msg13619

PKCS12 Certificate Export

Suggestion from: http://forum.zentyal.com/index.php?topic=3196

Done!

Use a bundle with PKCS12

This would allow a password to be set as an additional security measure.

Suggestion from: http://forum.zentyal.com/index.php?topic=1646

Support fixed client IP in VPN server config

Support fixed client addresses via OpenVPN's client-config-dir config directive.

This would add an entry to the server configuration page and, if enabled, a list of known clients with their assigned IPs, used to build up a directory with one file per client containing an ifconfig-push directive.
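The two checks above (the VPN network must not collide with a network already in use, and each known client gets its own ccd file with an ifconfig-push line) as an added Python example; this is not Zentyal's code, and the CN filter, the net30 derivation and the function names are assumptions of the example:

```python
# Added example, not Zentyal's code: validate the chosen VPN network and
# build client-config-dir entries (ifconfig-push) for known clients.
import ipaddress
import re

# The ccd file name is the client certificate's CN.  The CN comes from a
# certificate, so only plain characters are accepted: a CN such as
# "../../etc/passwd" must never become a path outside the directory.
SAFE_CN = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def vpn_network_conflicts(vpn_net, in_use):
    """Return the networks already in use that overlap the chosen VPN network."""
    vpn = ipaddress.ip_network(vpn_net, strict=True)
    return [n for n in in_use if vpn.overlaps(ipaddress.ip_network(n, strict=False))]


def build_ccd_entries(vpn_net, clients, topology="subnet"):
    """Map each known client CN to the contents of its ccd file.

    clients: dict CN -> fixed IPv4 address.  In 'subnet' topology the second
    ifconfig-push argument is the netmask; in 'net30' it is the server end of
    the client's /30 block, derived here from the client address.
    """
    vpn = ipaddress.ip_network(vpn_net, strict=True)
    entries, seen = {}, set()
    for cn, addr in clients.items():
        if not SAFE_CN.match(cn):
            raise ValueError(f"CN not usable as a ccd filename: {cn!r}")
        ip = ipaddress.ip_address(addr)
        if ip not in vpn or ip in (vpn.network_address, vpn.broadcast_address):
            raise ValueError(f"{addr} is not a host address of {vpn_net}")
        if ip in seen:
            raise ValueError(f"{addr} assigned to more than one client")
        seen.add(ip)
        if topology == "subnet":
            peer = vpn.netmask
        else:  # net30: client is the 3rd address of its /30, server the 2nd
            block = ipaddress.ip_network(f"{ip}/30", strict=False)
            if ip != block.network_address + 2:
                raise ValueError(f"{addr} is not the client end of a /30 block")
            peer = block.network_address + 1
        entries[cn] = f"ifconfig-push {ip} {peer}\n"
    return entries


def ccd_problem(vpn_net, clients, topology="subnet"):
    """Return the validation error message, or None when the entries are valid."""
    try:
        build_ccd_entries(vpn_net, clients, topology)
    except ValueError as exc:
        return str(exc)
    return None
```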

Additional DNS dhcp-options for bundles

Add a drop-down list to select the domains and DNS server addresses to be included in client config files:

    push "dhcp-option DNS 10.10.10.3"
    push "dhcp-option DOMAIN zentyal.org"

Suggestion from: http://trac.zentyal.org/ticket/2436
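Generating the dhcp-option push lines from the values a DHCP module would hold (the integration idea in the DHCP options section above, and the DNS/DOMAIN push lines just shown), plus reading them back on a non-Windows client from the foreign_option_{n} variables the man page excerpt mentions, as an added Python example that is neither Zentyal's nor OpenVPN's code; the function names and the argument-count table are assumptions of the example:

```python
# Added example, not Zentyal's or OpenVPN's code: emit dhcp-option push lines
# for a server config and parse them back from an up-script environment.
import ipaddress
import re

# Option types from the man page excerpt and how many arguments each takes.
DHCP_OPTIONS = {"DOMAIN": 1, "DNS": 1, "WINS": 1, "NBDD": 1, "NTP": 1,
                "NBT": 1, "NBS": 1, "DISABLE-NBT": 0}
HOSTNAME = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def push_dhcp_options(domain=None, dns=(), wins=(), ntp=(), disable_nbt=False):
    """Return push lines for the server config.  Every value is validated so
    that a stray quote or space cannot alter the generated config line."""
    lines = []
    if domain is not None:
        if not HOSTNAME.match(domain):
            raise ValueError(f"invalid domain: {domain!r}")
        lines.append(f'push "dhcp-option DOMAIN {domain}"')
    for opt, addrs in (("DNS", dns), ("WINS", wins), ("NTP", ntp)):
        for a in addrs:  # repeating an option adds secondary servers, in order
            lines.append(f'push "dhcp-option {opt} {ipaddress.ip_address(a)}"')
    if disable_nbt:
        lines.append('push "dhcp-option DISABLE-NBT"')
    return lines


def parse_foreign_options(env):
    """Collect dhcp-option values from foreign_option_1, foreign_option_2, ...
    in an up-script environment, skipping anything malformed or unknown."""
    found = {}
    n = 1
    while f"foreign_option_{n}" in env:
        parts = env[f"foreign_option_{n}"].split()
        n += 1
        if len(parts) < 2 or parts[0] != "dhcp-option":
            continue
        opt, args = parts[1], parts[2:]
        if DHCP_OPTIONS.get(opt) != len(args):
            continue  # unknown type or wrong argument count: ignore it
        found.setdefault(opt, []).extend(args)
    return found
```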