Hi,

On Tue, Jan 16, 2024 at 08:03:41AM +0000, Peter Davis wrote:
> 1- You said "I said that OpenVPN will (by default) disallow multiple logins 
> with the same client key+cert.", so if I generate a client key using the 
> commands below, then I can't use this key on multiple devices at the same 
> time?

This is the point.  The key uniquely identifies a client (device).

> # ./easyrsa gen-req <client name> nopass
> # ./easyrsa sign-req client <client name>
> 
> I think you are wrong, I generated a client key using the command above and 
> was able to use it on multiple devices at the same time!!!

You can use it, but every connection with a given key will kick out all
*other* existing connections with the same key.  You can use "duplicate-cn"
in your server config to permit parallel connections with the same key,
but it is not recommended to do so.


> 2- I know that it is better for each client to have its own unique key. Now 
> if one of the clients shares his/her key with others, then if I have used the 
> "--auth-user-pass" option, then two people cannot use the same username and 
> password to login at the same time if each client has its own unique key?

There is nothing "built-in" which would achieve this, but you can use
scripts (--client-connect, for example) to tie username and key together,
so if you see "client A" being used for "username B", you can either
disallow the connection, or get them fired for violating corporate
regulations.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
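
One way to tie username and key together with --client-connect, as the reply above suggests. This is an added example, not code from the thread or from the OpenVPN project; the map file path, its "CN username" line format and the function names are assumptions.

```shell
#!/bin/sh
# Added example: --client-connect hook binding a certificate CN to one username.
# OpenVPN exports common_name, username, trusted_ip and script_type to the
# script; a non-zero exit status rejects the connection.
# Server config needs: script-security 2 and client-connect <path to this file>
# Assumed, not from the thread: the map file path and its "CN username" format.

BINDINGS="${BINDINGS:-/etc/openvpn/server/cn-user.map}"   # hypothetical path

# check_binding CN USER FILE -> 0 if FILE binds CN to USER, 1 otherwise
check_binding() {
    cn=$1; user=$2; file=$3
    # Empty values never match, so a missing username cannot slip through.
    [ -n "$cn" ] && [ -n "$user" ] && [ -r "$file" ] || return 1
    # "|| [ -n ... ]" also handles a last line without trailing newline.
    while read -r map_cn map_user _ || [ -n "$map_cn" ]; do
        case "$map_cn" in ''|'#'*) continue ;; esac   # blank line or comment
        if [ "$map_cn" = "$cn" ]; then
            # The first entry for this CN decides the outcome.
            [ "$map_user" = "$user" ]
            return
        fi
    done < "$file"
    return 1   # CN not listed: deny by default
}

client_connect_main() {
    if check_binding "${common_name:-}" "${username:-}" "$BINDINGS"; then
        return 0
    fi
    # stderr of the hook ends up in the OpenVPN server log.
    echo "DENY cn=${common_name:-} username=${username:-} ip=${trusted_ip:-}" >&2
    return 1
}

# Only act as a hook when OpenVPN invoked us as the client-connect script.
if [ "${script_type:-}" = "client-connect" ]; then
    client_connect_main
    exit $?
fi
```

Each denial line in the server log records which certificate was presented with which username, which is the evidence needed when a key has been shared.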
