From: Adam Flinton 

Richard B. wrote:
> On Sat, 18 Dec 2004 00:10:22 +0000, Adam Flinton
>  wrote:
>
>
>>If need be a vpn tunnel even when if the office i.e. default access to
>>the lan is through a vpn tunnel even while you are in the office.
>
>
> That's a good idea for all of these users who will have remote access.
>

I always have 2 tunnel devices running on my work laptop in addition to the
real eth device which may be attuned to the customer's lan. Home &
work.

The nice thing about openvpn is that it runs on a single port & thus
that can be.....tunneled in itself. I have a usefull java class which can
tunnel anything as http. If my laptop has http to the world (even if via a
proxy) then I have vpn/ssh to the world.

>
>>Does he (& the other mobile types) set his own IP address manually
>>everytime he comes into the office? Or is it a dhcp thing?
>
>
> His is set.
>

So he'd not know.

Do it incrementally. first off create a gateway which links
"fixed" with "mobile". Test it. Then create a
fixed/known good mac list & make the dhcp give out a given set of addrs
if the mac is on that list & a different set of addrs if not on the
list.

No change to Boss guy at the mo.

Then decide what you wish to place at the gateway in terms of filters etc.

>
>>make it simple & keep it simple & the holes get fewer.
>
>
> Hey, I'm stupid so simple is what I know. 
>

It's amazing how "would it be great if" ideas suddenly crop up.
Resist the exceptions.


Adam


> Thanks, Adam.
>
> - Richard

--- BBBS/NT v4.01 Flag-5