On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote:
> Has anyone set up OpenVPN with ssh-keygen -t rsa ?
>

Technically, you can do that. In practice, you need to have a CA set up, of which easy-rsa is the simplest choice.

Why? Revocation.

Let's suppose you have an SSH server. Because you are cautious, you require SSH key auth. One day your laptop is stolen. It has an SSH private key on it, so you go over to ~/.ssh/authorized_keys and delete the matching public key. Good, you have secured your server against unauthorized use of your account.

OpenVPN doesn't do that. OpenVPN assumes that any properly signed certificate is wonderful, and you can't get rid of one just by removing a cert entry on your side. Instead, you need to formally revoke the certificate, and keep it revoked until it reaches its expiration date.

https://community.openvpn.net/openvpn/wiki/Hardening

-dsr-
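Added example, not part of the original message: the revocation behaviour described above, reproduced with the `openssl` CLI on a throwaway CA. It assumes `openssl` is installed; the names `demo-ca` and `laptop` and the config values are constructed for the demo. On an OpenVPN server, the `crl-verify` directive is what turns on the final check.

```bash
# Added demo: throwaway CA in a temp dir. "demo-ca" and "laptop" are constructed names.
revocation_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" && mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber || exit 1
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
    ok() { if "$@" >/dev/null 2>&1; then echo ok; else echo rejected; fi; }
    {
      openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj /CN=demo-ca -days 30
      openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout laptop.key -out laptop.csr -subj /CN=laptop
      openssl ca -batch -config ca.cnf -notext -in laptop.csr -out laptop.crt
    } >/dev/null 2>&1
    before=$(ok openssl verify -CAfile ca.crt laptop.crt)
    # The laptop is stolen: revoke its certificate and publish a fresh CRL.
    openssl ca -config ca.cnf -revoke laptop.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    # Signature-only validation (a server without crl-verify) still accepts the cert.
    sig_only=$(ok openssl verify -CAfile ca.crt laptop.crt)
    # With the CRL consulted (what "crl-verify crl.pem" adds), the cert is refused.
    with_crl=$(ok openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem laptop.crt)
    echo "before=$before sig_only=$sig_only with_crl=$with_crl"
  )
  rm -rf "$d"
}
revocation_demo
```

The CRL in this demo is valid for 7 days (`default_crl_days`), so a real deployment has to regenerate and redistribute it on a schedule for as long as the revoked certificate remains unexpired.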

