Is Dual Alternative authentication (User/Pass OR Client Certificate) possible with Open VPN?
Apologies for answering my own question. The more I look at this the more it's clear that running two separate instances of OpenVPN on the same box is the right answer. For the LAN to LAN I plan to deal with the routing using RIP2. For the clients this isn't appropriate.
So the options will be different on a number of points:
RIP is clearly something which I must firewall against the users to prevent them borking up the network. Two separate instances of openvpn would operate on two separate internal (VPN) subnets and would be easier to firewall between them.
Different authentication mechanisms as mentioned in the question mean that
auth-user-pass-verify
andclient-cert-not-required
will be used for the users and not for the LAN to LANclient-to-client
is acceptable for users. There really isn't a good reason to prevent this as it allows nothing that's not possible when the same users happen to be in the office. Howeverclient-to-client
would produce strange results with RIP2.push "redirect-gateway def1 bypass-dhcp"
is appropriate and necessary for the users. Because they don't RIP they will need to send everything through VPN server and allow it to route correctly. I can't imagine the hell that would be produced by enabling this for LAN to LAN.