On Mon, Aug 14, 2023 at 5:16 PM, tincantech <tincant...@protonmail.com> wrote:

------- Original Message -------
On Monday, August 14th, 2023 at 14:13, Jason Long via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:

> Hello,
> To increase the security of OpenVPN, I want to use the ccd-exclusive.

--ccd-exclusive does not "increase the security of OpenVPN".

What it does is to provide a server with a convenient way to temporarily disable certain clients by client commonName. This convenience means that the client certificate does not need to be revoked. And the client can have access to the server restored simply by (re-)creating a CCD file.

--ccd-exclusive means that the server will ONLY allow clients access if they have a CCD file in the folder configured by --client-connect-dir.

> I googled it, but I could not find a good example. I just found the following
> question:
>
> https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn

I strongly recommend that your search starts with the Openvpn manual:
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html

EVERY option is described in the manual.

> But, I really don't know what to do.
> I must create a directory under the "/etc/openvpn", then create a file with
> the name of clients in it? For example, if my Windows client host name is
> "Client-1", then:
>
> # mkdir /etc/openvpn/clients
> # touch /etc/openvpn/clients/Client-1
>
> Then, in server.conf:
>
> client-config-dir clients
> ccd-exclusive
>
> Am I right?

Yes.

However, I strongly recommend that you learn the difference between "absolute paths" versus "relative paths". (Out of scope for this mailing list)

> How about the client configuration? Do I need to add anything?

No. Do exactly as the manual (above) describes.

> HTH
> tct

Hello,
Thank you so much for your help.
I took a look at "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only explained the capabilities of this option and did not provide any examples.

I did:

# mkdir /etc/openvpn/clients
# touch /etc/openvpn/clients/Client-1

Then, in server.conf:

client-config-dir clients
ccd-exclusive

But, Windows client can't connect to the OpenVPN server and my connection restarted. Do I need to add something to the client configuration file?
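
A shell check for the setup discussed in this thread, as an added example that is not part of either message and is not OpenVPN's own code: it reads a server config, resolves client-config-dir, and reports whether a given certificate commonName has a CCD file. The function names, the return codes and the rule for resolving a relative path (against a working directory you pass in, defaulting to the config file's directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): would this commonName pass --ccd-exclusive?
# Assumption: a relative client-config-dir is resolved against the directory the
# server process runs in; pass it as the 3rd argument (default: the config's dir).

# First argument of a directive in an OpenVPN config file; comment lines never match.
conf_value() {  # conf_value FILE DIRECTIVE
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeeds if a flag-style directive is present.
conf_has() {  # conf_has FILE DIRECTIVE
    awk -v d="$2" '$1 == d { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# ccd_check CONF CN [WORKDIR]
# returns 0: CN admitted, 1: CN refused by ccd-exclusive, 2: CCD directory unusable
ccd_check() {
    conf=$1; cn=$2; workdir=${3:-$(dirname "$1")}
    if ! conf_has "$conf" ccd-exclusive; then
        echo "ccd-exclusive not set: '$cn' needs no CCD file"; return 0
    fi
    ccd=$(conf_value "$conf" client-config-dir)
    case $ccd in
        "") echo "ccd-exclusive set without client-config-dir"; return 2 ;;
        /*) ;;                       # absolute path: used as written
        *)  ccd=$workdir/$ccd ;;     # relative path: depends on the working directory
    esac
    [ -d "$ccd" ] || { echo "CCD directory missing: $ccd"; return 2; }
    # The file name has to equal the certificate commonName exactly.
    if [ -f "$ccd/$cn" ]; then
        echo "'$cn' admitted: $ccd/$cn exists"; return 0
    fi
    echo "'$cn' refused: no file $ccd/$cn"; return 1
}

# Constructed sample layout mirroring the thread (temporary files, not a real server).
demo=$(mktemp -d)
mkdir "$demo/clients" && touch "$demo/clients/Client-1"
printf 'client-config-dir clients\nccd-exclusive\n' > "$demo/server.conf"
ccd_check "$demo/server.conf" Client-1 || true
ccd_check "$demo/server.conf" Client-2 || true
ccd_check "$demo/server.conf" Client-1 "$demo/elsewhere" || true
rm -rf "$demo"
```

To check a real server, pass the commonName from the client certificate's subject rather than the machine's host name, and the directory the OpenVPN process is actually started in.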