On 11/3/2010 9:04 AM, Ross Walker wrote:
>
>>
>> Errr, what issues does openvpn have?
>
> I'm no fan of any type of VPN as I think it's a way of extending your
> trusted LAN to an untrusted endpoint compromising internal trust levels,
> but if you are going to implement a VPN the type is of very little
> consequence (account/password is more likely to be compromised than
> traffic intercepted and decrypted) than the authenticating domain is.
> As always it's better to use internally generated certificates that are
> password protected than either passwords or certificates alone. Having
> said that, these password protected certificates are a PITA to
> distribute to users and to support remotely.

I've mostly used openvpn for nailed-up connections with shared secret keys
and separate processes per connection where the configs are trivial to
write.

> You could have the gateway server use a separate database of users and
> passwords for those users allowed remote access, they authenticate with
> the gateway, then their IP address is added to a table of authorized
> clients to connect to the terminal services. As long as the gateway does
> HTTP TCP keepalive the IP is kept in the table, when the connection is
> dropped the IP is removed.

If you are going to use a dedicated gateway you might look at clearOS
which, I think, handles both openvpn and pptp with web setup and its own
concept of user/certificate management out of the box.

--
Les Mikesell
lesmikesell at gmail.com
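The gateway scheme Ross describes (authenticate against a separate remote-access user store, then list the client's source IP as allowed to reach the terminal services for as long as keepalives arrive), modelled as an added example. This is not code from the thread or from any of the products mentioned; the `Gateway` class, the 60-second keepalive timeout, the sample users and the addresses are all assumptions made for the illustration.

```python
"""Model of an IP-authorizing remote-access gateway (added example, assumptions
labelled).  Flow: authenticate -> IP listed; keepalive -> entry refreshed;
no keepalive for `timeout` seconds or explicit disconnect -> entry removed."""
import hashlib
import hmac
import os
import time

KEEPALIVE_TIMEOUT = 60  # seconds without a keepalive before the IP is dropped (assumed)


def _hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_db(users):
    """Build the separate credential store from {username: password} (constructed data)."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash_password(pw, salt))
    return db


# Constructed sample users for the remote-access store (not real credentials).
USER_DB = make_user_db({"alice": "correct horse", "bob": "battery staple"})


class ManualClock:
    """Settable clock so the expiry logic can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class Gateway:
    def __init__(self, user_db, timeout=KEEPALIVE_TIMEOUT, clock=time.monotonic):
        self.user_db = user_db
        self.timeout = timeout
        self.clock = clock
        self.authorized = {}  # client_ip -> (username, time of last keepalive)

    def authenticate(self, username, password, client_ip):
        """Verify the user; on success record the source IP as authorized."""
        rec = self.user_db.get(username)
        if rec is None:
            return False
        salt, stored = rec
        # Constant-time comparison so a wrong password takes as long as a right one.
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return False
        self.authorized[client_ip] = (username, self.clock())
        return True

    def keepalive(self, client_ip):
        """Refresh the entry; a keepalive from an unlisted IP does not create one."""
        if client_ip not in self.authorized:
            return False
        user, _ = self.authorized[client_ip]
        self.authorized[client_ip] = (user, self.clock())
        return True

    def disconnect(self, client_ip):
        """Connection dropped: remove the IP immediately."""
        self.authorized.pop(client_ip, None)

    def expire(self):
        """Drop every IP whose keepalives stopped longer than `timeout` ago."""
        now = self.clock()
        for ip, (_, last) in list(self.authorized.items()):
            if now - last > self.timeout:
                del self.authorized[ip]

    def is_allowed(self, client_ip):
        """What the terminal-services front end asks before accepting a connection."""
        self.expire()
        return client_ip in self.authorized


def demo():
    """Walk one client through the lifecycle; returns the observed decisions."""
    clk = ManualClock()
    gw = Gateway(USER_DB, timeout=60, clock=clk)
    ip = "198.51.100.7"  # documentation-range address, constructed
    bad_login = gw.authenticate("alice", "wrong", ip)
    before = gw.is_allowed(ip)
    ok_login = gw.authenticate("alice", "correct horse", ip)
    after = gw.is_allowed(ip)
    clk.t = 50
    refreshed = gw.keepalive(ip)
    clk.t = 100          # 50 s since last keepalive: still inside the window
    still = gw.is_allowed(ip)
    clk.t = 170          # 120 s since last keepalive: expired
    gone = gw.is_allowed(ip)
    return (bad_login, before, ok_login, after, refreshed, still, gone)


if __name__ == "__main__":
    print(demo())
```

Note the limit this design inherits: authorization is keyed on the source address, so any host sharing that address (behind the same NAT, or sitting on the same multi-user machine) reaches the terminal services for as long as the entry lives. The expiry window should therefore be short, and the front end should still demand its own login rather than treating a listed IP as an authenticated user.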