On Mon, Apr 4, 2011 at 19:58, Brock Noland <brockn at gmail.com> wrote:
> I have never used openvpn before and I am a VPN noob in general.
>
> My private network is 192.168.0. I was thinking of using the default
> 10.0.8 open vpn network.
>
> 1. Does that make sense, i.e., should openvpn be configured as the same
> network as my private network?

You can bridge your current network (OK if both ends have decent
bandwidth) or you can route (preferred) but you need to enable ipv4
forwarding and iptables, not particularly hard though.

> 2. If I go forward with the current configuration, I assume whenever I
> am on the road and I happen to be using a network which gives either
> ranges, I will be out of luck?

Sort of; there are ways in openvpn around it by dynamically
translating the network. However, generally speaking, you want to use a
network that is not generally used (instead of 10.0.8/24, try
10.242.165/24 for example; people tend to forget that 10 is a /8).

> 3. I assume I should not use static keys?

You should use both: a static shared key (ta.key in openvpn) and then
openssl PKI for session authentication. you can even add a third layer
of authenticating against pam if you are so inclined. For a more
secure setup you can use a CA for the clients that is completely
different from the CA that signs the server so that you have cross
authentication going on.

OpenVPN comes with easyrsa, a good openssl CA management suite.
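
An added example, not part of the original message: a Python check of the address collision raised in question 2, run for the proposed 10.0.8 tunnel network and the suggested 10.242.165 one. It assumes /24 masks for the networks written with three octets in the thread; the road networks and all function names are constructed for illustration.

```python
import ipaddress
import random

# Networks named in the thread, assuming /24 masks (assumption, see lead-in).
HOME_LAN = ipaddress.ip_network("192.168.0.0/24")
PROPOSED_TUNNEL = ipaddress.ip_network("10.0.8.0/24")
SUGGESTED_TUNNEL = ipaddress.ip_network("10.242.165.0/24")

# Constructed sample data: networks a laptop might be handed on the road.
ROAD_NETWORKS = {
    "hotel (constructed)": "10.0.8.0/22",
    "cafe (constructed)": "192.168.0.0/24",
    "office guest (constructed)": "172.16.40.0/24",
    "flat /8 hotspot (constructed)": "10.0.0.0/8",
}


def conflicts(local_net, vpn_routes):
    """Return the VPN routes that overlap the network the client sits on."""
    local = ipaddress.ip_network(local_net)
    return [route for route in vpn_routes if route.overlaps(local)]


def survey(tunnel, lan=HOME_LAN, road=ROAD_NETWORKS):
    """Map each road network to the VPN routes (tunnel, LAN) it collides with."""
    routes = [tunnel, lan]
    return {name: conflicts(net, routes) for name, net in road.items()}


def pick_tunnel_subnet(avoid, rng=random, attempts=1000):
    """Pick a random /24 inside 10.0.0.0/8 that overlaps nothing in `avoid`."""
    avoid = [ipaddress.ip_network(a) for a in avoid]
    for _ in range(attempts):
        candidate = ipaddress.ip_network(
            f"10.{rng.randrange(256)}.{rng.randrange(256)}.0/24")
        if not any(candidate.overlaps(a) for a in avoid):
            return candidate
    raise ValueError("no free /24 found; the avoid list covers too much of 10/8")


if __name__ == "__main__":
    for tunnel in (PROPOSED_TUNNEL, SUGGESTED_TUNNEL):
        print(f"tunnel {tunnel}")
        for name, hits in survey(tunnel).items():
            print(f"  {name}: {[str(h) for h in hits] or 'ok'}")
    print("random pick:", pick_tunnel_subnet(["10.0.0.0/16", "10.0.8.0/24"]))
```

In this constructed data the less common tunnel network clears the hotel case, but the cafe network still collides with the routed 192.168.0 home LAN whichever tunnel network is chosen.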