On Thu, Aug 17, 2023 at 1:52 AM, Jochen Bern <jochen.b...@binect.de> wrote:
> On 16.08.23 23:28, Jason Long wrote:
>> 1- What is the difference between /etc/openvpn and /etc/openvpn/server directories?
>
> The systemd "unit files" that define the templates for the services you "systemctl" later on used to expect all configs - whether for a server or a client instance - to be named /etc/openvpn/SomeInstanceName.conf , i.e., configs for both modes would sit together. Later versions of systemd-enabled OpenVPN split that into /etc/openvpn/client and /etc/openvpn/server , respectively.
>
>> I put my server.conf file in the /etc/openvpn directory and it worked.
>
> Then I'd say that your Debian 12 still uses the old convention, as did the how-to's Debian 10. (Over here, RHEL, Fedora, and IIRC Ubuntu as well take the new directories instead.)
>
>> 2- You said [...] make those unique ideally per device, not just per user. How to make it unique per user? If I have 1000 clients, then I must generate 1000 key files???
>
> Yes. By default, if several clients use the same cert+key, they'll keep pushing each other out of the VPN. Also, if you need to shut clients out of the service, revoking a cert is how you do it - *all* clients using that one cert will have their VPN access disabled, so clients sharing certs likely isn't what you want even if you disable the former default behavior.
>
> Also note that with "server ..." specifying only a /24 for an address pool, and with Windows clients (so that you can't use "topology p2p"), your VPN server will actually be limited to 64 simultaneous clients, anyway. 1000 clients at once require at least a /20.
>
>> 3- For the CA certificate, I must use "Server" not "server". May I ask why?
>
> I never said that. If anything, the CN of your CA cert should mention "CA" somewhere, and *not* "server", no matter the capitalization.
>
>> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
>> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server
>
> This shows that your client presents a cert with CN "server" as its *client* cert (the procedure in the how-to should result in a client cert with CN "client"), which verifies OK against a CA cert with a CN of "Server" (the how-to suggests that it should be "server", as misguided as that seems). Hence, either your client uses the *wrong* cert, or you misnamed the certs as you created them (even more than that how-to instructs you to).
>
> Anyway, in order to create a CCD file for your client using the cert it uses *now*, the CCD file would need to be named "server".
>
> Kind regards,
> -- 
> Jochen Bern
> Systemingenieur
>
> Binect GmbH



Hello Jochen,

Thanks again.

Your words are true, and I had asked such a question before. It is even better if each server has its own separate keys. If the clients all use the same keys, then we can block any client based on the IP address. Is that true?

1- Is there a tool to facilitate key generation for a large number of clients?

2- I've heard that OpenVPN can be configured to work with username and password instead of key-based authentication. Is this possible and recommended?

3- About the CN name: if I forget it, can I open the "ca.crt" file, click on the Details tab and check the Issuer section? Is this the name that I entered while generating the key?

4- If the CN's name is Server, then I must change the ccd directory to Server? Am I right? In which part of the document is this said?

https://community.openvpn.net/openvpn/wiki/HOWTO

Maybe I didn't pay attention!

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

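The per-client certificate, CCD-file and address-pool points from Jochen's reply above, as an added shell example that is not part of this thread or of the OpenVPN project. It drives plain openssl instead of the easy-rsa wrapper the HOWTO uses (the resulting key/cert files are what OpenVPN consumes either way), and the CA name "MyVPN-CA", the pool 10.8.0.0/24, the "client-NNNN" naming scheme and the pki/ and ccd/ directories are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN. Generates one
# key + CA-signed cert per client and a CCD file named after the cert's CN,
# for a server that hands out /30 blocks (topology net30, the case Jochen's
# 64-clients-per-/24 remark refers to). Assumed: CA CN "MyVPN-CA", pool
# 10.8.0.0/24 ("server 10.8.0.0 255.255.255.0"), client names client-NNNN.
set -eu

POOL=10.8.0.0; PREFIX=24

# Dotted-quad <-> 32-bit integer, POSIX sh arithmetic only.
ip2int() {
  _save=$IFS; IFS=.; set -- $1; IFS=$_save
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Number of /30 blocks a pool of the given prefix length holds. With net30
# every connected client occupies one block and the server's own endpoint
# takes the first one, so usable clients = blocks - 1 (/24 -> 64, /20 -> 1024).
net30_blocks() {
  echo $(( (1 << (32 - $1)) / 4 ))
}

# CCD line pinning client number IDX (1-based; block 0 belongs to the server)
# to a fixed /30 inside BASE/PREFIX, using the [1,2] [5,6] [9,10] ... endpoint
# pairs the HOWTO requires for Windows/TAP clients. Fails once the client
# would fall outside the pool, which is exactly the /24-vs-/20 limit.
ccd_push_line() {
  idx=$1; base=$(ip2int "$2"); prefix=$3
  block=$(( base + 4 * idx ))
  limit=$(( base + (1 << (32 - prefix)) ))
  if [ "$idx" -lt 1 ] || [ $(( block + 3 )) -ge "$limit" ]; then
    echo "client index $idx does not fit in $2/$prefix" >&2
    return 1
  fi
  echo "ifconfig-push $(int2ip $(( block + 1 ))) $(int2ip $(( block + 2 )))"
}

# Self-signed CA, created once. Its CN names the CA, not "server".
make_ca() {
  mkdir -p pki ccd
  [ -f pki/ca.crt ] || openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -keyout pki/ca.key -out pki/ca.crt -subj "/CN=MyVPN-CA" 2>/dev/null
}

# One key and one CA-signed cert per client, plus ccd/<CN>. Because every
# client has its own cert, revoking that one cert later shuts out that one
# client and nobody else.
make_client() {  # make_client IDX  -> pki/client-IDX.{key,crt}, ccd/client-IDX
  cn=$(printf 'client-%04d' "$1")
  openssl req -newkey rsa:2048 -nodes -keyout "pki/$cn.key" \
      -out "pki/$cn.csr" -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -days 365 -in "pki/$cn.csr" -CA pki/ca.crt \
      -CAkey pki/ca.key -CAcreateserial -out "pki/$cn.crt" 2>/dev/null
  rm -f "pki/$cn.csr"
  # The server matches CCD files on the CN it sees in the client cert, so
  # read the CN back out of the signed cert instead of trusting our variable.
  cn_from_cert=$(openssl x509 -in "pki/$cn.crt" -noout -subject | sed 's/.*CN *= *//')
  ccd_push_line "$1" "$POOL" "$PREFIX" > "ccd/$cn_from_cert"
}

case "${1:-}" in
  generate)   # usage: sh mkclients.sh generate N
    make_ca
    n=${2:-5}; i=1
    while [ "$i" -le "$n" ]; do make_client "$i"; i=$(( i + 1 )); done
    echo "generated $n client certs; a /$PREFIX pool holds $(( $(net32_blocks_placeholder=0; net30_blocks "$PREFIX") - 1 )) clients" ;;
esac
```

Run as `sh mkclients.sh generate 1000` with the /24 above and it stops at client 64 with "does not fit", which is the pool limit from the reply; change PREFIX to 20 (and the server's netmask accordingly) and all 1000 fit. The ccd/ directory is what `client-config-dir ccd` in server.conf points at, and each file name must equal the CN printed at `depth=0` in the VERIFY OK line, which is why the script reads the CN back from the cert. Revoking a single client is then a matter of revoking its cert and pointing the server at the resulting CRL with `crl-verify`; that step is not shown here.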