Hi,

On Sat, Oct 24, 2015 at 7:12 AM, Jason Haar <jason_h...@trimble.com> wrote:
> On 22/10/15 20:50, Gert Doering wrote:
> > I've heard people ask for "we need the VPN to be up before user login so
> > windows domain login works!" - so the GUI won't be around yet.
> >
> > Now, not being a windows person and not running this domain stuff I'm
> > not sure if there are other ways to achieve that - but this is what has
> > been told to me...
>
> I can confirm that is precisely the way we use openvpn. We use it as an
> "always on vpn" and so it needs to be running via a service at boot
> time. nssm works well for us in that regard
>

Sure, this is easily achieved if no user passwords are involved. As Gert pointed out, some people need more than this. For example, they want the ability to log on to a domain through the VPN while the latter requires user credentials to start in the first place. Some commercial VPN offerings have this feature (what Cisco used to call (and maybe still calls) Start Before Logon). In recent versions of Windows this could probably be achieved by integrating with Single Sign On or PLAP, maybe.

We have a setup where users log on to a domain and openvpn needs the same domain user/password to authenticate through LDAP. But of course we don't have any Start Before Logon -- just the service and MI-GUI. It still works ok because of cached credentials in Windows. So the machine logs the user in using cached credentials, although the domain controller is not reachable yet. Then the GUI, set to autostart on logon, prompts for the VPN password, which is finally passed through to the waiting openvpn through the MI. The repeated password entry is a minor pain, and possibly SSO could be used to spare the user of that. Not sure how much coding is needed to integrate with SSO.

However, our use of the domain is pretty dumb: just for SMB shares and mapped drives, which can wait until the VPN authenticates. User profiles are all local, not transferred from a central server.

Although we are religious about not letting the domain controller take over us, that's not how domains are used in the real Windows world. So some people may really (really?) need the so-called "Start Before Logon", implementing which may be much more work.

Selva
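The "password passed through to the waiting openvpn through the MI" step above is what a GUI or helper does against OpenVPN's management interface when the daemon runs with `--management-query-passwords`: the daemon emits a `>PASSWORD:Need 'Auth' username/password` notification and waits for `username "Auth" ...` / `password "Auth" ...` commands. The script below is an added example written for this thread, not code from the OpenVPN project or the OpenVPN-GUI; the notification and command formats and the backslash escaping of quoted arguments are the management interface's own, while the host, port and credentials are placeholders supplied by the caller. It also handles the `Verification Failed` notification so a wrong password is reported instead of hanging forever.

```python
from __future__ import annotations

import re
import socket

# Real OpenVPN management-interface notification formats (the surrounding
# script is a constructed example).
NEED_RE = re.compile(r"^>PASSWORD:Need '(?P<kind>[^']+)' (?P<what>.+)$")
FAIL_RE = re.compile(r"^>PASSWORD:Verification Failed: '(?P<kind>[^']+)'")


def mi_quote(value: str) -> str:
    """Quote one argument for a management-interface command.

    Inside a double-quoted argument the interface requires backslashes and
    double quotes to be escaped with a backslash.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def responses_for(line: str, username: str, password: str) -> list[str]:
    """Return the commands to send in reply to one line from the daemon.

    Only >PASSWORD:Need notifications get a reply. Log lines, state changes
    and SUCCESS/ERROR acknowledgements yield an empty list.
    """
    m = NEED_RE.match(line.rstrip("\r\n"))
    if m is None:
        return []
    kind, what = m.group("kind"), m.group("what")
    if what == "username/password":          # e.g. 'Auth' for --auth-user-pass
        return [f"username {mi_quote(kind)} {mi_quote(username)}",
                f"password {mi_quote(kind)} {mi_quote(password)}"]
    if what == "password":                   # e.g. 'Private Key' passphrase
        return [f"password {mi_quote(kind)} {mi_quote(password)}"]
    return []


def is_auth_failure(line: str) -> bool:
    """True for the notification the daemon sends when the credentials are rejected."""
    return FAIL_RE.match(line.rstrip("\r\n")) is not None


def supply_credentials(host: str, port: int, username: str, password: str,
                       timeout: float = 60.0) -> bool:
    """Connect to a waiting management socket, answer its password prompts and
    return True once the tunnel reports CONNECTED, False on rejection or timeout.

    host/port are placeholders for wherever the service's --management
    directive listens (assumption: a localhost TCP port).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rw", encoding="utf-8", newline="\n")
            f.write("state on\n")            # ask for >STATE: notifications
            f.flush()
            for line in f:
                if is_auth_failure(line):
                    return False
                for cmd in responses_for(line, username, password):
                    f.write(cmd + "\n")
                f.flush()
                if line.startswith(">STATE:") and ",CONNECTED," in line:
                    return True
    except (socket.timeout, OSError):
        return False
    return False


if __name__ == "__main__":
    import getpass
    ok = supply_credentials("127.0.0.1", 25340, input("domain user: "),
                            getpass.getpass("VPN password: "))
    print("tunnel up" if ok else "authentication failed or timed out")
```

The credential prompt lives in the helper, never in a file, which is the same property the GUI-after-logon arrangement in the thread relies on; the daemon itself only ever sees the answer on the management socket.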