On Mon, Apr 4, 2011 at 19:58, Brock Noland <brockn at gmail.com> wrote:
> I have never used openvpn before and I am a VPN noob in general.
>
> My private network is 192.168.0. I was thinking of using the default
> 10.0.8 open vpn network.
>
> 1. Does that make sense, ie should openvpn be configured as the same
> network as my private network?

You can bridge your current network (ok if both ends have decent
bandwidth) or you can route (preferred), but you need to enable ipv4
forwarding and iptables. Not particularly hard, though.

> 2. If I go forward with the current configuration, I assume whenever I
> am on the road and I happen to be using a network which gives either
> ranges, I will be out of luck?

Sort of. There are ways in openvpn around it by dynamically translating
the network. However, generally speaking you want to use a network that
is not generally used (instead of 10.0.8/24, try 10.242.165/24 for
example; people tend to forget that 10 is a /8).

> 3. I assume I should not use static keys?

You should use both: a static shared key (ta.key in openvpn) and then
openssl PKI for session authentication. You can even add a third layer
of authenticating against pam if you are so inclined. For a more secure
setup you can use a CA for the clients that is completely different from
the CA that signs the server, so that you have cross authentication
going on. openvpn comes with easyrsa, a good openssl CA management
suite.
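
Added example, not part of the original message: a small Python check for the address collision raised in question 2, run against the subnets named in the thread. The roaming addresses, the /24 masks and the function names are constructed for illustration.

```python
import ipaddress

# Values from the thread: the private LAN behind the server and the two
# tunnel subnets discussed. "10.0.8" and "10.242.165" are written as /24s.
HOME_LAN = "192.168.0.0/24"
TUNNEL_AS_ASKED = "10.0.8.0/24"
TUNNEL_SUGGESTED = "10.242.165.0/24"

# Constructed sample data: interface addresses a laptop might be handed on
# the road (host bits set, as an interface listing would show them).
ROAMING = {
    "cafe": "192.168.0.57/24",
    "hotel": "10.0.8.113/22",
    "conference": "10.12.0.9/8",
    "tether": "172.20.10.2/28",
}


def conflicts(local_iface, vpn_nets):
    """Return the VPN networks whose range overlaps the local network."""
    # strict=False turns an interface address into its containing network.
    local = ipaddress.ip_network(local_iface, strict=False)
    return [n for n in vpn_nets if local.overlaps(ipaddress.ip_network(n))]


def report(vpn_nets, roaming=ROAMING):
    """Map each roaming location to the VPN networks it collides with."""
    return {name: conflicts(addr, vpn_nets) for name, addr in roaming.items()}


if __name__ == "__main__":
    for tunnel in (TUNNEL_AS_ASKED, TUNNEL_SUGGESTED):
        print(f"tunnel {tunnel}, LAN {HOME_LAN}")
        for place, hits in report([HOME_LAN, tunnel]).items():
            status = "CONFLICT with " + ", ".join(hits) if hits else "ok"
            print(f"  {place:<11} {status}")
```

The less common tunnel subnet clears the hotel case, while a site that hands out the whole 10/8 still overlaps any 10.x tunnel, and the 192.168.0 LAN itself collides wherever the local network uses the same range.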