On 17.08.23 14:12, Jason Long wrote:
> It is even better if each server has its own separate keys.
You didn't mention setting up multiple servers yet IIRC, but yes, same best practice there ... in principle.
However, if you plan to instruct the clients to contact "*any* of servers you find available" (e.g., by Round Robin DNS), you need them all to pass the *exact same* server cert verification (like per "verify-x509-name ..."). That *might* justify having multiple servers use the same cert(s).
> If the clients all use the same keys, then we can block any client based on the IP address. Is it true?
The design decisions you've made so far suggest that your VPN clients will connect to the server from elsewhere than the site hosting your server - maybe not just any random StarDonalds at Shady Mall, but are you sure that you really can reliably identify them by their (public) IP? Will you personally deliver them to customer sites and nail them to a load-bearing wall?
> 1- Is there a tool to facilitate key generation for a large number of clients?
Yes, several. And I wouldn't have too much of a problem scripting such a run with nothing but bare OpenSSL, but.
The point is that you need to bring those client cert+keys *onto the clients*, not just once, but every time the previous client cert approaches the end of its validity period. You need a PKI solution that doesn't just chuck new certs onto a local disk, but can feed it into whatever mechanism you use to keep the clients updated. And *then* one of these two systems needs to keep tabs on which clients *should* get a new cert (customers can terminate their contracts with you ...) and when.
> 2- I've heard that OpenVPN can be configured to work with username and password instead of key-based authentication. Is this possible and recommended?
I guess it's possible, but I don't run any such setup and thus can't comment on it.
> 3- About the CN name, if I forget it, then if I open the "ca.crt" file and click on the Details tab and check the Issuer section, then this is the name that I have entered during generating the key?
No. The name you enter during generation of keypair and cert goes to the cert's *Subject*, the Issuer is determined by the CA you use to sign the cert.
> 4- If CN's name is Server, then I must change the ccd directory to Server? Am I right?
If that's what the Subject CN of the cert you want to use as a client cert says, then yes, that's it.
Of course, looking at a file "ca.crt" and seeing a CN "Server" for what is supposed to be the *client's* cert is botched twelve ways to Gehenna and back and will perpetually confuse anyone trying to debug your final setup ...
> In which part of the document is this said? https://community.openvpn.net/openvpn/wiki/HOWTO
"The client must have a unique Common Name in its certificate ("client2" in our example) [...] The next step is to create a file called client2 in the ccd directory."
https://community.openvpn.net/openvpn/wiki/HOWTO#IncludingmultiplemachinesontheclientsidewhenusingaroutedVPNdevtun
It doesn't explain how to look up the CN of a certificate from a file containing it, though, because it assumes that you made sure to have it created and installed in the correct location with the intended CN "client2" beforehand and don't *need* to check "now which cert did this client happen to end up with?".
Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
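Added example, not code from the thread: a POSIX shell script that reads the Subject and Issuer CN of a PEM certificate with OpenSSL (the distinction raised in answers 3 and 4 above) and derives the ccd filename OpenVPN will look for. It builds a throwaway "Demo CA" and "client2" cert itself so it runs without an existing PKI; all paths and names are constructed for the demo.

```shell
#!/bin/sh
# Added example: inspect a PEM certificate's Subject and Issuer CNs with
# OpenSSL and derive the matching OpenVPN ccd filename. Paths and names
# below are constructed for the demo; none of this is the thread's own code.

# Print the CN of the given name field ("subject" or "issuer") of a PEM cert.
cert_cn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Map a client cert to its ccd file: OpenVPN looks for <ccd dir>/<Subject CN>.
# Refuse CNs that would escape the directory when used as a filename.
ccd_path_for_cert() {
    cn=$(cert_cn "$1" subject)
    case "$cn" in
        ""|*/*|*..*|*\\*)
            echo "refusing to map CN '$cn' to a ccd file" >&2
            return 1 ;;
    esac
    printf '%s/%s\n' "$2" "$cn"
}

# Build a throwaway CA ("Demo CA") and a client cert ("client2") in $1,
# so the functions above can be exercised without an existing PKI.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client2" \
        -keyout "$dir/client2.key" -out "$dir/client2.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client2.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/client2.crt" 2>/dev/null
}

# Run as "sh script.sh demo" to see the Subject/Issuer difference on the demo cert.
if [ "${1-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "client2.crt Subject CN: $(cert_cn "$work/client2.crt" subject)"  # client2
    echo "client2.crt Issuer  CN: $(cert_cn "$work/client2.crt" issuer)"   # Demo CA
    echo "ccd file to create:     $(ccd_path_for_cert "$work/client2.crt" /etc/openvpn/ccd)"
    rm -rf "$work"
fi
```

Note that the Issuer CN of client2.crt is the CA's name, which is exactly the value a reader would see under "Issuer" in a certificate viewer; the name typed at key generation is only in Subject.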