Hi,
I'd just like to document how we did it:
We use a full tunnel and also tunnel DNS fully to the corporate's DNS servers on the internal network.
This is the profile that allows for full Software/GPO deployment pre-logon on Windows 10.
C:\Program Files\OpenVPN\config-auto\COMPUTER.ovpn
client
dev tun
proto udp
remote vpn.company.com 443
verify-x509-name "C=XXX, L=XXX, O=XXX, CN=vpn.company.com, emailAddress=XXX@company.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
auth SHA1
comp-lzo no
route-delay 4
verb 3
reneg-sec 0
data-ciphers AES-128-CBC
pull-filter ignore "ping-restart "
ping-restart 25
pull-filter ignore "route "
pull-filter ignore "redirect-gateway "
redirect-gateway def1
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS [TOFILL_CORPORATE_DNS_SERVER_1]
dhcp-option DNS [TOFILL_CORPORATE_DNS_SERVER_2]
register-dns
block-outside-dns
pull-filter ignore "dhcp-option DOMAIN"
dhcp-option DOMAIN [TOFILL_CORPORATE_DOMAIN_TLD]
auth-nocache
auth-user-pass [TOFILL_COMPUTERNAME].conf
<ca>
...[TOFILL_CA_CERT]...
</ca>
<cert>
...[TOFILL_MACHINE_CERT]...
</cert>
<key>
...[TOFILL_MACHINE_CERT_PRIVATE_KEY]...
</key>
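To check a generated COMPUTER.ovpn before it is rolled out, here is a small linter written as an added example (it is not part of the post above and not OpenVPN's own tooling). It parses the profile into directives and inline `<ca>`/`<cert>`/`<key>` blocks and verifies the points that make the pre-logon full-tunnel profile work as intended: the server name is pinned with `verify-x509-name`, `redirect-gateway def1` and `block-outside-dns` are present so traffic and DNS cannot bypass the tunnel, `register-dns` applies the corporate resolvers, every `pull-filter ignore` has a local replacement (otherwise the client ends up with neither the server's value nor its own), and `auth-user-pass` points at a file so nothing has to be typed before logon. The sample profile, resolver addresses, domain and file name are constructed for the example.

```python
"""Lint an OpenVPN client profile of the 'pre-logon full tunnel' shape.
Added example, not part of the forum post or of OpenVPN itself."""
import re
import shlex

# Constructed sample in the shape of the posted profile, trimmed to the
# directives the checks look at; resolver addresses, domain and credential
# file name are placeholders, certificate bodies are left as markers.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.company.com 443
verify-x509-name "C=XXX, L=XXX, O=XXX, CN=vpn.company.com, emailAddress=XXX@company.com"
route remote_host 255.255.255.255 net_gateway
auth SHA1
data-ciphers AES-128-CBC
pull-filter ignore "ping-restart "
ping-restart 25
pull-filter ignore "route "
pull-filter ignore "redirect-gateway "
redirect-gateway def1
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 10.0.0.53
dhcp-option DNS 10.0.0.54
register-dns
block-outside-dns
pull-filter ignore "dhcp-option DOMAIN"
dhcp-option DOMAIN corp.example
auth-nocache
auth-user-pass PC0001.conf
<ca>
...[TOFILL_CA_CERT]...
</ca>
<cert>
...[TOFILL_MACHINE_CERT]...
</cert>
<key>
...[TOFILL_MACHINE_CERT_PRIVATE_KEY]...
</key>
"""

# Directives the pre-logon full-tunnel profile must carry, with the reason.
REQUIRED = [
    ("client", "must be a client profile"),
    ("verify-x509-name", "pins the server name; otherwise any cert from the CA is accepted"),
    ("redirect-gateway", "full tunnel: default route must go through the VPN"),
    ("block-outside-dns", "Windows: stop DNS queries leaving via the physical adapter"),
    ("register-dns", "Windows: register the corporate DNS servers/domain on connect"),
    ("auth-nocache", "do not keep the credentials in memory after the handshake"),
]


def parse_profile(text):
    """Split an .ovpn into tokenised directives and <tag>...</tag> inline blocks."""
    directives, inline, tag, buf = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag is not None:                      # inside an inline block
            if line == f"</{tag}>":
                inline[tag], tag, buf = "\n".join(buf), None, []
            else:
                buf.append(raw)
            continue
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            tag = m.group(1)
            continue
        toks = shlex.split(line)                 # handles the quoted DN and prefixes
        if toks:
            directives.append(toks)
    if tag is not None:
        raise ValueError(f"unterminated <{tag}> block")
    return directives, inline


def lint_profile(text):
    """Return a list of findings; an empty list means the profile passes."""
    directives, inline = parse_profile(text)
    findings = []
    names = {d[0] for d in directives}
    flat = [" ".join(d) for d in directives]
    for name, why in REQUIRED:
        if name not in names:
            findings.append(f"missing '{name}': {why}")
    if not any(d[:2] == ["dhcp-option", "DNS"] for d in directives):
        findings.append("no local 'dhcp-option DNS': corporate resolvers must be set in the profile")
    # Every pushed option we refuse must have a local replacement.
    for d in directives:
        if d[:2] == ["pull-filter", "ignore"] and len(d) == 3:
            prefix = d[2]
            if not any(line.startswith(prefix) for line in flat):
                findings.append(f"pull-filter ignores '{prefix.strip()}' but no local replacement is set")
    for t in ("ca", "cert", "key"):
        if t not in inline:
            findings.append(f"missing inline <{t}> block: machine credentials belong inside the profile")
    for d in directives:
        if d[0] == "auth-user-pass" and len(d) < 2:
            findings.append("auth-user-pass has no credentials file: nothing can answer a prompt before logon")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE) or ["profile OK"]:
        print(finding)
```

Run it against the generated profile text (read the file and pass its contents to `lint_profile`) as part of the deployment pipeline; any finding is a reason not to push that file into config-auto.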
Hello Thomas and welcome to the UTM Community!
I've moved your thread into the Recommended Reads forum.
Cheers - Bob