[Freeipa-users] Give laptops bidirectional anywhere access to freeipa and /home/

Rob Townley rob.townley at gmail.com
Wed May 12 17:24:00 UTC 2010


The main difference between tinc vpns and traditional vpns is that
tinc is bidirectional and does not require the user to enter a
username and password.  So if the computer is turned on, the remote
machine is reachable by the IT department.  If it is a Windows
machine, you may want to verify antivirus signatures are up-to-date.
FusionInventory could be used to push software.

Yes, it is a machine level as opposed to user level vpn.  tinc would
have to run on all machines to make it the easiest to use.  With freeipa,
that could be easy.

The keys currently are RSA public / private keypairs.

Does not have existing code to work with ldap / kerberos as far as I know.

On 5/12/10, Christian Horn <chorn at fluxcoil.net> wrote:
> On Tue, May 11, 2010 at 04:42:26PM -0500, Rob Townley wrote:
>> Microsoft is touting "Direct Access" as a main reason to upgrade to
>> Win2008R2 / Win7.
>
> All I see there functionality-wise can be provided by a vpn-endpoint
> using kerberos/ldap for authentication/authorization.
>
> As a feature I read 'use homeshare without using the vpn' but in the
> end it's just 'using a remote filesystem using the computer principal
> for authentication'.
>
>
>> HOW:
>> Use existing cross platform tunneling and tap devices for LinMacWin -
>> very well tested.  Comes with tinc-vpn.
>> tinc-vpn for the virtual IP addresses.  These are secondary IP
>> addresses all machines would have.
>> dynamic dns port numbers stored in bind's SRV or TXT records for easy
>> configuration.
>> tinc-vpn keys stored in dns KEY record for key management.
>> tinc-vpn can use IPv6 if needed.
>> tinc-vpn for the encryption now, ipSec later?
>>
>> FreeIPA provides the centralized management infrastructure that
>> tinc-vpn like solutions are missing.
>
> If tinc can already work using kerberos/ldap for authentication/authorization
> then you could create a howto or maybe tinc-package with
> the appropriate libraries.
> This would then add vpn-endpoint functionality to freeipa.
>
>
> Christian
>
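The quoted HOW proposal keeps each node's tinc port in an SRV record and its public key in a KEY record. The script below is an added example, not code from this thread, tinc or FreeIPA: it builds a tinc host-file stanza from such records. The zone fragment, the `_tinc._udp` service name, the `subnet=` TXT convention and the key value are all constructed placeholders, and the records are parsed from an inline string rather than resolved, so nothing here touches the network.

```python
"""Build a tinc host-config stanza from SRV/KEY/TXT records (added example)."""
import re

# Constructed zone fragment in presentation format; the KEY rdata is a placeholder.
ZONE = """\
_tinc._udp.laptop1.vpn.example.com. 300 IN SRV 10 5 655 laptop1.dyn.example.com.
_tinc._udp.laptop1.vpn.example.com. 300 IN SRV 20 5 656 laptop1.backup.example.com.
laptop1.vpn.example.com. 300 IN KEY 256 3 5 PLACEHOLDER-BASE64-RSA-KEY
laptop1.vpn.example.com. 300 IN TXT "subnet=10.99.0.11/32"
"""


def parse_zone(text):
    """Return (owner, type, rdata) tuples; skips lines that are not 5-field records."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5:
            name, _ttl, _klass, rtype, rdata = parts
            records.append((name.rstrip("."), rtype, rdata))
    return records


def tinc_host_config(node, records):
    """Return tinc host-file lines for `node`; lowest SRV priority becomes the Port."""
    srv, subnet, key = [], None, None
    for name, rtype, rdata in records:
        if rtype == "SRV" and name == f"_tinc._udp.{node}":
            prio, _weight, port, target = rdata.split()
            srv.append((int(prio), int(port), target.rstrip(".")))
        elif rtype == "KEY" and name == node:
            key = rdata.split()[3]  # flags, protocol, algorithm, then the key blob
        elif rtype == "TXT" and name == node:
            match = re.search(r"subnet=([0-9./]+)", rdata)
            subnet = match.group(1) if match else subnet
    if not srv or key is None:
        # Refuse to emit a config for a node whose records are incomplete.
        raise ValueError(f"incomplete records for {node}")
    srv.sort()  # priority first, so the preferred endpoint is listed first
    lines = [f"Address = {target} {port}" for _prio, port, target in srv]
    lines.append(f"Port = {srv[0][1]}")
    if subnet:
        lines.append(f"Subnet = {subnet}")
    lines += ["-----BEGIN RSA PUBLIC KEY-----", key, "-----END RSA PUBLIC KEY-----"]
    return lines


if __name__ == "__main__":
    print("\n".join(tinc_host_config("laptop1.vpn.example.com", parse_zone(ZONE))))
```

A node with an SRV record but no KEY record is rejected rather than written out with an empty key block.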