Re: [Openvpn-users] I have a question about Easy-RSA
Hi,

On Sun, Jan 07, 2024 at 05:50:55AM +, Peter Davis wrote:
> As you can see, I have moved the files to /etc/openvpn/server directory. Now
> if I ignore the warning message above, what is the risk?

You have still missed answering my question - "build a server", what does that mean?

Reading the two possible answers to that should help you understand your own question better.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] I have a question about Easy-RSA
On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
> As you can see, I have moved the files to /etc/openvpn/server directory.

Correction: You have copied SOME files to that directory, namely, those that the server needs.

> Now if I ignore the warning message above, what is the risk?

Then you'll lose the content of those files that only the *CA* needs, and thus the ability to continue operating that (first) CA, in particular:
-- You'll be unable to create a CRL, whether it is to actually revoke a cert or just to replace an expiring one.
-- When the (first) server cert expires, you'll be unable to have a new one created by the same CA, thus requiring a config change on *every* client - wherever and in whosever hands it is - before it'll be able to connect to the VPN again.

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: [Openvpn-users] I have a question about Easy-RSA
On Sun, 7 Jan 2024 20:22:49 +0100, Jochen Bern wrote:
> On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
> > As you can see, I have moved the files to /etc/openvpn/server directory.
>
> Correction: You have copied SOME files to that directory, namely, those
> that the server needs.
>
> > Now if I ignore the warning message above, what is the risk?
>
> Then you'll lose the content of those files that only the *CA* needs,
> and thus the ability to continue operating that (first) CA, in particular:
> -- You'll be unable to create a CRL, whether it is to actually revoke a
> cert or just to replace an expiring one.
> -- When the (first) server cert expires, you'll be unable to have a new
> one created by the same CA, thus requiring a config change on *every*
> client - wherever and in whosever hands it is - before it'll be able
> to connect to the VPN again.
>

Hello Jochen,

this brings up a related issue I have wondered about and don't know the answer to:

If you have a couple of OpenVPN servers operating off of certs and keys generated back in 2014 (like I have), then these are probably set to expire this year 2024 because I think that the easyrsa I used back then sets a 10 year life of these.

What is the proper procedure to refresh these so the servers will continue to operate into the future?

I assume there are things that need to be done on the server side, right?
But do you additionally have to create updated OVPN files for the clients as well?
Or is there some other procedure that can be used?
Or do you have to start over?

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] I have a question about Easy-RSA
On 07/01/2024 21:20, Bo Berglund wrote:
> [...snip...]
> If you have a couple of OpenVPN servers operating off of certs and keys
> generated back in 2014 (like I have), then these are probably set to expire
> this year 2024 because I think that the easyrsa I used back then sets a 10
> year life of these.
>
> What is the proper procedure to refresh these so the servers will continue
> to operate into the future?

The CA certificate can be renewed. That means the CA certificate will be updated, but keys already signed with that CA will still validate against it (because the public/private keys remain the same).

A certificate is basically just some meta data (Subject, Issuer, date ranges of validity, etc) attached to a public key and a signature. A CA certificate is no different, except root CAs are self-signed. So renewing an existing certificate just updates the expiry date fields in the meta data section of the certificate and attaches a new signature to it.

> I assume there are things that need to be done on the server side, right?

That is correct. But also the client side needs to be updated. "Everyone" needs a new CA certificate to be able to properly validate the remote end.

Also beware that client and server certificates typically are not valid longer than the CA. And that's why it's not uncommon to just start fresh with a completely new and fresh EasyRSA PKI setup, as there will be lots of work anyhow when the CA expires.

As general recommendations with EasyRSA based setups, I would suggest:

* Use an EasyRSA CA for one specific use case; like a single or a pool of collaborating OpenVPN servers intended. If you have a different use case in addition, use a separate EasyRSA setup for that.

* Make the CA expire after the total expected lifetime of your servers. At some point you will upgrade the servers with a fresher setup, so plan the EasyRSA to have approximately the same lifetime (or slightly longer). Or choose 20 years (or your expected retirement date) as the CA lifetime ;-)

* If you deploy OpenVPN in a more enterprise oriented environment, look at what kind of CA management that environment provides you and use that instead of EasyRSA. For example, FreeIPA provides infrastructure to be a CA with even automatically renewing server certificates for OpenVPN. Such environments will most likely have everything set up to ensure certificates are up-to-date and valid for the lifetime of that setup. With such a setup, the most painful part will be to distribute only new client configurations with new CA certificates for hosts/users not enrolled into the centralized CA infrastructure. Clients and servers enrolled into such a centralized CA infrastructure will get the CA certificates updated automatically as well.

--
kind regards,

David Sommerseth
OpenVPN Inc
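The renewal David describes can be seen end to end with the plain openssl CLI. The script below is an added example written for this archive page; it is not from David's mail and not Easy-RSA's own code. It builds a throwaway PKI in a temporary directory, issues a server certificate, re-signs the CA certificate with the same CA key and a new validity window, and then checks that the public key is unchanged and that the old server certificate still verifies against the renewed CA certificate. It assumes an openssl binary with its default configuration file is installed; the subject names and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread and not Easy-RSA code: what "renewing the CA
# certificate" means in terms of keys and signatures. Everything lives in a temp dir;
# names and lifetimes below are constructed for the demo. Requires the openssl CLI.
set -eu

# Build a CA (key + self-signed cert) and one server cert issued by it.
make_demo_pki() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
    # Short-lived CA cert, standing in for the one that is about to expire.
    openssl req -x509 -new -key "$dir/ca.key" -days 30 -subj "/CN=Demo VPN CA" -out "$dir/ca.crt"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key" 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=vpn.example.test" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 20 -out "$dir/server.crt" 2>/dev/null
}

# Renew: same CA private key, same subject, new validity window, new self-signature.
# This is the step that needs ca.key (as does signing a CRL); the file only the CA
# side holds, which is why Jochen warns against throwing the Easy-RSA directory away.
renew_ca() {
    dir=$1
    openssl req -x509 -new -key "$dir/ca.key" -days 3650 -subj "/CN=Demo VPN CA" \
        -out "$dir/ca-renewed.crt"
}

# SHA-256 over the DER-encoded public key of a cert. Old and renewed CA cert give the
# same value: only the metadata and the signature changed.
pubkey_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Chain check: does $1 (a cert) validate against $2 (a CA file)? Prints ok/fail.
verify_cert() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
        return 1
    fi
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"
renew_ca "$DEMO"

# The validity window moved, the key did not:
openssl x509 -in "$DEMO/ca.crt" -noout -enddate
openssl x509 -in "$DEMO/ca-renewed.crt" -noout -enddate
echo "old CA pubkey: $(pubkey_fingerprint "$DEMO/ca.crt")"
echo "new CA pubkey: $(pubkey_fingerprint "$DEMO/ca-renewed.crt")"

# A server cert issued under the old CA cert still verifies against the renewed one,
# so clients only need the new ca.crt, not new client certs.
echo "server.crt vs renewed CA: $(verify_cert "$DEMO/server.crt" "$DEMO/ca-renewed.crt")"
```

The second half of David's point is visible in the last line: the renewed CA certificate is what every client and server must receive, because after the old certificate's notAfter date their existing ca.crt will reject the chain even though the key never changed.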
Re: [Openvpn-users] I have a question about Easy-RSA
> On Sunday, January 7th, 2024 at 10:52 PM, Jochen Bern wrote:
> On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
>
> > As you can see, I have moved the files to /etc/openvpn/server directory.
>
> Correction: You have copied SOME files to that directory, namely, those
> that the server needs.
>
> > Now if I ignore the warning message above, what is the risk?
>
> Then you'll lose the content of those files that only the CA needs,
> and thus the ability to continue operating that (first) CA, in particular:
> -- You'll be unable to create a CRL, whether it is to actually revoke a
> cert or just to replace an expiring one.
> -- When the (first) server cert expires, you'll be unable to have a new
> one created by the same CA, thus requiring a config change on every
> client - wherever and in whosever hands it is - before it'll be able
> to connect to the VPN again.
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH

Hi,
Thanks again. So:

1- What's the solution?
2- What do I need to do to build new servers using Easy-RSA?
3- What files do I need to copy from Easy-RSA so that I can safely delete the Easy-RSA directory?
Re: [Openvpn-users] Firewall rules and ports
> On Sunday, January 7th, 2024 at 1:00 AM, Antonio Quartulli wrote:
> Hi,
>
> On 06/01/2024 08:43, Peter Davis via Openvpn-users wrote:
>
> > Hello,
> > 1- Is it possible to run all OpenVPN servers on one port? I currently have
> > an OpenVPN server running with an IP address range of 20.20.0.0 on port
> > 2024, now I want to run another server with a different IP address range on
> > the same port as before.
>
> Assuming you could have two daemons listening on the same port, where
> should an incoming connection be sent to?
> In any case, only one socket can be bound to a ip:port, therefore no,
> it is not possible to run multiple servers listening on the same port.
>
> > 2- Should every OpenVPN server have its own TUN? Can't run all servers on
> > one TUN?
>
> Each server is independent from each other, they do not communicate,
> therefore each of them needs its own infrastructure, including the tun
> device.
>
> > 3- I found the following firewall rules on the internet:
> >
> > # IF_MAIN=NIC_Name
> > # IF_TUNNEL=tun0
> > # YOUR_OPENVPN_SUBNET=10.10.0.0/16
> > # iptables -I INPUT -p udp --dport 2024 -j ACCEPT
> > # iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
> > # iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
> > # iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
> >
> > Do I have to repeat the above firewall rules for each server?
>
> Well, you are matching on YOUR_OPENVPN_SUBNET/IF_TUNNEL. IF those are
> different for each server..then yeah, you need multiple rules.
>
> Cheers,
>
> > Thanks.
>
> --
> Antonio Quartulli

Hi,
Thanks again.

1- You said "IF those are different for each server..then yeah, you need multiple rules.", what does it mean? Is there a way I can set up multiple servers with the above firewall rules? Do you mean that if all my servers are in the IP address range of 10.0.0.0 then I just need to change the TUN name and port number?

2- As an OpenVPN expert, you want to set up 10 servers, can you share your firewall rules with me?
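Antonio's answer (each instance has its own port, tun device and subnet, and the FORWARD/NAT rules match on those, so the rule block is repeated once per instance) is easiest to see when the quoted rule set is turned into a function and called from an inventory. The script below is an added example for this archive page, not code from Antonio or from the OpenVPN project. It only prints the rules rather than applying them, it assumes eth0 is the outward-facing interface, and the three instances in the inventory are constructed. The duplicate check catches the one mistake that makes the rules ambiguous: two instances sharing a port, a tun device or a subnet.

```shell
#!/bin/sh
# Added example, not from the thread: emit the rule set quoted in the message once per
# OpenVPN instance, so the per-instance repetition is explicit. Rules are printed, not
# applied (pipe the output into sh on the server to apply). Instance names, ports and
# subnets are constructed; IF_MAIN is an assumed interface name.
set -eu

IF_MAIN=${IF_MAIN:-eth0}   # assumed outward-facing NIC

# Print the iptables rules for one instance: $1=tun device, $2=UDP port, $3=VPN subnet.
rules_for_instance() {
    tun=$1; port=$2; subnet=$3
    echo "# --- instance on $tun, udp/$port, $subnet ---"
    echo "iptables -I INPUT -p udp --dport $port -j ACCEPT"
    echo "iptables -A FORWARD -i $IF_MAIN -o $tun -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $subnet -o $IF_MAIN -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $IF_MAIN -j MASQUERADE"
}

# Constructed inventory, one "tun port subnet" line per server instance. Each column
# must be unique: a port can be bound by only one daemon, each daemon needs its own
# tun device, and the FORWARD/NAT rules tell instances apart only by subnet.
SERVERS='tun0 1194 10.8.0.0/24
tun1 1195 10.9.0.0/24
tun2 1196 10.10.0.0/24'

# Fail if a tun device, port or subnet appears twice (exact-duplicate check only;
# overlapping-but-unequal subnets still need a human look).
check_inventory() {
    for col in 1 2 3; do
        dup=$(printf '%s\n' "$SERVERS" | awk -v c="$col" '{print $c}' | sort | uniq -d)
        if [ -n "$dup" ]; then
            echo "duplicate in column $col: $dup"
            return 1
        fi
    done
    echo ok
}

# The full rule set: one block per inventory line.
all_rules() {
    printf '%s\n' "$SERVERS" | while read -r tun port subnet; do
        rules_for_instance "$tun" "$port" "$subnet"
    done
}

check_inventory
all_rules
```

The INPUT rule is the only one that differs by port; the other three differ by tun device and subnet, which is exactly the "IF those are different for each server" condition in Antonio's reply. If every instance shared one subnet the FORWARD and POSTROUTING rules would collapse to a single copy, but the INPUT and tun-specific rules would still be per instance.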
Re: [Openvpn-users] Limit the number of users based on the key
> On Sunday, January 7th, 2024 at 3:50 PM, Gert Doering wrote:
> Hi,
>
> On Sun, Dec 31, 2023 at 09:07:09PM +, Peter Davis wrote:
>
> > 1- How can I find out if a user has shared the key with others?
>
> You can't, unless you combine the VPN connect with some other auth
> mechanism ("username + password", etc.).
>
> But generally speaking, users will not do this, as OpenVPN will (by
> default) not permit two parallel connections with the same cert - so
> the second user will kick out the first, and vice versa. Unpleasant
> user experience.
>
> > 2- Can I use "--client-connect" with MAC address?
>
> OpenVPN will send the ethernet MAC address on the client PC that is used
> to reach the default gateway in the IV_HWADDR= address.
>
> BUT: if a user has wifi and ethernet, you'll see a different ethernet
> address depending on connection used.
>
> BUT2: this is an indication of "same computer" or "different computer",
> but is not 100% reliable if you have non-trustworthy users.
>
> > 3- Can I generate only one server key, but multiple client keys that use
> > that server key?
>
> This is how everybody else does it.
>
> Client keys do not "use the server key" though. Clients connect, the server
> presents a server certificate, which has to be signed by a mutually-trusted
> certificate authority (CA). This is what is "used", the trusted signature
> by a 3rd party.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hi,
Thanks again.

1- So one of the benefits of using LDAP mechanism is that two users cannot use the OpenVPN server at the same time? I mean using openvpn-auth-ldap package.

2- Regarding the third question, I did not express my meaning well. Suppose there are several departments in a company and you want to generate separate keys for each department, in this situation each department must have its own server and client keys. Is it right?
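Gert's second answer (IV_HWADDR is available to --client-connect, but a laptop has more than one address and the value is client-supplied) maps onto a small server-side script. The one below is an added example for this archive page, not from Gert's mail and not part of the OpenVPN project. It assumes OpenVPN exports the connecting cert's common_name, the client's trusted_ip, and IV_HWADDR (sent by clients configured with --push-peer-info) as environment variables to the --client-connect script, which is how OpenVPN passes peer data to scripts; the database path and the log tag are assumed names. It keeps a per-common-name list of hardware addresses seen, tolerates a configurable number of them (wifi plus ethernet), and marks anything beyond that for review rather than treating it as proof of key sharing.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenVPN: a --client-connect script that
# records which hardware address (IV_HWADDR, from clients using --push-peer-info) each
# certificate common name has been seen with and flags a cert that shows up from more
# machines than policy allows. The address is client-supplied and a laptop has one per
# NIC, so this is a signal for review, not a guarantee. Paths and tag are assumed.
set -eu

SEEN_DB=${SEEN_DB:-/var/lib/openvpn/seen-hwaddr.txt}   # assumed path; "cn hwaddr" per line
MAX_ADDRS_PER_CN=${MAX_ADDRS_PER_CN:-2}                  # e.g. wifi + ethernet on one laptop

# Record the cn/hwaddr pair if it is new; print how many distinct addresses cn has now.
record_hwaddr() {
    cn=$1
    hw=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise case so AA:BB and aa:bb match
    touch "$SEEN_DB"
    if ! awk -v cn="$cn" -v hw="$hw" '$1==cn && $2==hw {found=1} END {exit !found}' "$SEEN_DB"; then
        printf '%s %s\n' "$cn" "$hw" >> "$SEEN_DB"
    fi
    awk -v cn="$cn" '$1==cn' "$SEEN_DB" | wc -l | tr -d ' '
}

# Policy decision for one connection: prints "allow" or "review".
decide() {
    cn=$1; hw=$2
    if [ -z "$hw" ]; then
        # Client sent no peer info (no --push-peer-info); nothing to compare, so do not
        # block on it. Whether to require peer info is a separate policy choice.
        echo allow
        return 0
    fi
    n=$(record_hwaddr "$cn" "$hw")
    if [ "$n" -gt "$MAX_ADDRS_PER_CN" ]; then
        echo review
    else
        echo allow
    fi
}

# Entry point when OpenVPN runs the script: common_name is set only in that case.
# A non-zero exit refuses the connection; here "review" is logged and refused.
if [ -n "${common_name:-}" ]; then
    result=$(decide "$common_name" "${IV_HWADDR:-}")
    logger -t ovpn-hwaddr "cn=$common_name hwaddr=${IV_HWADDR:-none} from=${trusted_ip:-?} result=$result"
    [ "$result" = allow ] || exit 1
fi
```

Whether "review" should refuse the connection or only log it is a local choice; refusing turns a possible shared key into a help-desk ticket, which is the same effect Gert describes for OpenVPN's default single-connection-per-cert behaviour. For users who are not trusted, the username-plus-password layer Gert mentions (for example openvpn-auth-ldap) remains the control; this script adds telemetry on top of it.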