Is Dual Alternative authentication (User/Pass OR Client Certificate) possible with Open VPN?

openvpn

Apologies for answering my own question. The more I look at this the more it's clear that running two separate instances of OpenVPN on the same box is the right answer. For the LAN to LAN I plan to deal with the routing using RIP2. For the clients this isn't appropriate.

So the options will be different on a number of points:

  • RIP is clearly something which I must firewall against the users to prevent them borking up the network. Two separate instances of openvpn would operate on two separate internal (VPN) subnets and would be easier to firewall between them.

  • Different authentication mechanisms as mentioned in the question mean that auth-user-pass-verify and client-cert-not-required will be used for the users and not for the LAN to LAN

  • client-to-client is acceptable for users. There really isn't a good reason to prevent this as it allows nothing that's not possible when the same users happen to be in the office. However client-to-client would produce strange results with RIP2.

  • push "redirect-gateway def1 bypass-dhcp" is appropriate and necessary for the users. Because they don't RIP they will need to send everything through VPN server and allow it to route correctly. I can't imagine the hell that would be produced by enabling this for LAN to LAN.

Related

Postfix on IspCP cannot send to google apps mail if it is in the same domain
Sendmail disregarding mailertable
How to display a code of conduct/rules of use upon user login
iptables DNAT from loopback
Getting correct linefeeds in emails generated from linux
SQL Server 2008 - Secure remote access
Tomcat crashing after a few hours
Storing 64000+ files and growing in one folder (ext3)
bash script returns "out of memory" in cron, but not in shell
SQL Server 2005 Patch Corrupts SQL Installation on Windows 2003 Standard x64
SSH How to ignore checking IdentityFile?
Ubuntu Error 2002 “Can't connect to local MySql server through socket…”