Recommended configuration, was: Re: OpenVPN security model


  • Subject: Recommended configuration, was: Re: OpenVPN security model
  • From: John Locke <mail@xxxxxxxxxxxx>
  • Date: Sat, 13 Dec 2003 23:21:24 -0800

Hello,

I've successfully deployed OpenVPN for a small business, supporting
Linux, Mac OS X, and Windows clients. It's working great! Lots of little
technical hurdles to get through to get there (mostly because of my
unfamiliarity with Mac OS X). 

So now I've been looking at the other options in OpenVPN, and wondering
what the recommended configuration would be.

Right now I have one beefy workstation set up as a server inside the
LAN. It's a Red Hat 9 box. The firewall forwards a range of UDP ports to
this server. I have set up 4 bridged tap devices and 6 tun devices. I'm
using the sample init.d script to bring up all the configurations in
/etc/openvpn, slightly modified to bring up the tap devices and bridge
first.

I expect no more than two or three remote VPN connections up at any one
time. How much overhead do the waiting, unused openvpn daemons use,
compared to changing to the xinetd configuration? Does it really matter
at this low level of use? Which would you say is more scalable?

It seems to me that the xinetd configuration might be a little more
reliable, since a process that somehow dies would automatically start up
at the next connection. Has anyone had OpenVPN daemons die?

On Sat, 2003-12-13 at 11:58, James Yonan wrote:

> (2) OpenVPN has several options including --user, --group, and --chroot to
> lock down the OpenVPN process into an unprivileged state, so that if some
> vulnerability led to a code insertion exploit, the exploit would be contained
> and unable to elevate its privilege to root.
> 

I have not enabled the user, group, or chroot options. I have set up the
daemons with --ping-restart 60 --ping-timer-rem. Will the daemons
restart correctly when run under a non-privileged user account?

Thanks for some great software!

Cheers,
-- 
John Locke
Open Source solutions for small business problems
http://freelock.com
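A configuration that combines the lock-down options from James Yonan's reply with the --ping-restart setting John asks about, added here as an example and not taken from the thread or from the OpenVPN project. It assumes a static-key tun instance, a `nobody` user and group, a key at /etc/openvpn/keys/tun0.key and a chroot directory at /var/empty/openvpn; persist-key and persist-tun are the options that let a restart succeed once privileges have been dropped.

```conf
# Added example, not part of the thread: one tun instance under /etc/openvpn that
# drops privileges and still survives a --ping-restart. The addresses, key path,
# 'nobody' account and chroot directory are assumptions for illustration.
dev tun0
ifconfig 10.8.0.1 10.8.0.2           # local / remote end of the point-to-point link
secret /etc/openvpn/keys/tun0.key    # opened as root, before privileges are dropped
port 5000                            # one of the UDP ports the firewall forwards
daemon
verb 3

# Lock-down: once the tun device is open and the key is loaded, OpenVPN switches
# to an unprivileged uid/gid and confines itself to an empty directory, so a
# code-execution flaw in the daemon does not yield root or the real filesystem.
user nobody
group nobody
chroot /var/empty/openvpn            # must exist, be empty, and be owned by root

# Dead-peer detection: send a ping every 10 s, restart the instance after 60 s
# without traffic from the peer, and run the timer only once a remote is known.
ping 10
ping-restart 60
ping-timer-rem

# Required together with user/group/chroot: a restart triggered by ping-restart
# re-runs the init sequence as 'nobody' inside the chroot, where the process
# could neither reopen /dev/net/tun nor re-read the key file. These two options
# keep the tun device and the key material across restarts instead.
persist-key
persist-tun
```

Without persist-key and persist-tun the first ping-restart under an unprivileged account fails at re-initialisation, which is the behaviour the question above is probing for.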