On 11/05/19 16:38, Heikki Hannikainen wrote:
Nate,
> If you run your own VPN server, which is connected to the ipencap tunnel mesh, it is possible to further route subnets to VPN clients. So, technically, it is *possible*.
Possible, yes. I have done this in a corporate network setting... BUT.
> It's just not the intention of this particular VPN server to provide that service, as it would require custom configs to be edited and maintained for all clients wishing to get those subnets routed, and I don't have the time to do that for everyone. The VPN server in its current form requires about zero maintenance (apart from operating system security upgrades) as I don't need to tell the server about all possible clients; it just trusts the LotW certificates and lets anyone with a valid cert & private key connect.
Correct. Your approach saves you a lot of work in maintaining custom configs. They are a lot of work, if you have a lot of users. Fortunately, I only had a couple of subnets to route and a couple of single PC users, which wasn't too onerous. But a public or semi-public system is a different ball game, and your decision is a sound one from a sustainability POV.