Hmmm as soon as a remote computer is inside our network it has a 175.* IP. There really is no MAC adress connected to it? Different network layer, ok...
This question came up as someone hinted that it could be possible to install the VPN client on an internet cafe computer somewhere in the world... somehow there must be a way to avoid that.
it could be possible to install the VPN client on an internet cafe computer somewhere in the world... somehow there must be a way to avoid that.
That's kind of the point of VPNs... but maybe you should look into doing 2-factor auth, where one of the factors is an client-side cert... that ought to stop most of your users as they might not know how to install the cert, but it'd mean you'd have to do the installations on all the valid client machines.
I don't know if Astaro supports client certs, but I think I've seen it mentioned here.
Another option is Network Access Control (NAC) using something like the Cisco "Clean Access Agent" where they can connect into the VPN, but they are "trapped" in a DMZ until the agent reports the computer has valid AntiVirus, etc.
There are different names and methods for this, but they often use some sort of 802.1x system.
Astaro probably doesn't have anything built-in, but it is probably possible to use an 802.1x system internally, and still have Astaro terminate the VPN.
