On 16.08.23 15:05, Jason Long wrote:
I used "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/" tutorial to create my OpenVPN server.

(No date on the article ... no date on the comments ... OpenVPN version not shown anywhere ... according to one systemctl output, probably written in September 2019, when Debian 10 and OpenSSL 1.1.1c were in fact current ... still using /etc/openvpn instead of /etc/openvpn/server and /etc/openvpn/client, respectively ... no mention of doing a "systemctl enable openvpn@ConfigFileBaseName" on the server ... no explicit description of what the VPN setup is supposed to *do* (apparently: secure Inet access for a road warrior, no other servers at the site hosting the VPN peer, no communication back to the clients) ... no discussion of how he came to pick 10.8.0.0/24 for the tunnel IPs, how (far) to check for IP conflicts, how many clients you can accommodate with that /24 ...)

... word of warning: Just because the how-to doesn't ask you to enter something at

Common Name (eg: your user, host, or server name) [client]:

and later has you type in

./easyrsa sign-req client client

doesn't mean that you want all client certs to be named "client", or - even worse - use the same client cert for them all. Make those *unique* - ideally per device, not just per user.

However, if you worked along *that* how-to, your CA certificate is indeed using the CN of "server" (not "Server", but that might be a liberty that MS took). Exactly the same as the server cert. X-C

Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server



About the server log [...]
# cat /var/log/openvpn/virt1.log
2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with 
IPv4 pools will be removed in a future release. Please migrate to --topology 
subnet as soon as possible.
[...]
2023-08-16 06:23:18 Initialization Sequence Completed

That shows us the startup phase of the OpenVPN server. In order to check what the server thinks about the cert the client presents, you'll have to have the client make an attempt to connect, and then grab the logs from *those* couple seconds.

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
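
Added example (not part of the original message, and not OpenVPN or Easy-RSA code): a small audit of the CA database that Easy-RSA keeps in pki/index.txt, flagging a Common Name that appears on more than one valid certificate or that matches the CA's own CN, the two naming problems the message above warns about. The sample database lines and the `ca_cn` parameter are constructed for illustration; the check sees name reuse among issued certs, not one cert file copied to several devices.

```python
"""Audit an Easy-RSA/OpenSSL CA database (pki/index.txt) for Common Name reuse."""
import re
from collections import defaultdict

# Constructed sample in the OpenSSL "ca" database layout that Easy-RSA keeps
# in pki/index.txt: status, expiry, revocation, serial, filename, subject.
SAMPLE_INDEX = (
    "V\t251118062300Z\t\t01\tunknown\t/CN=server\n"
    "V\t251118063000Z\t\t02\tunknown\t/CN=client\n"
    "R\t251118064500Z\t230901120000Z\t03\tunknown\t/CN=client\n"
    "V\t251118070000Z\t\t04\tunknown\t/CN=client\n"
    "V\t251118071500Z\t\t05\tunknown\t/CN=alice-laptop\n"
)

def parse_index(text):
    """Yield (status, serial, cn) for every well-formed database line."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # blank or malformed line
        status, _expiry, _revoked, serial, _fname, subject = fields
        match = re.search(r"/CN=([^/]+)", subject)
        if match:
            yield status, serial, match.group(1)

def audit(text, ca_cn):
    """Return a list of findings about valid (status V) certificates."""
    by_cn = defaultdict(list)
    for status, serial, cn in parse_index(text):
        if status == "V":  # revoked/expired entries cannot authenticate
            by_cn[cn].append(serial)
    findings = []
    for cn, serials in sorted(by_cn.items()):
        if len(serials) > 1:
            findings.append(f"CN '{cn}' is on {len(serials)} valid certs: "
                            + ", ".join(serials))
        if cn == ca_cn:
            findings.append(f"CN '{cn}' is also the CA's CN (serial {serials[0]})")
    return findings

if __name__ == "__main__":
    # ca_cn is an assumption supplied by the caller: index.txt lists issued
    # certificates only, not the CA certificate itself.
    for finding in audit(SAMPLE_INDEX, ca_cn="server"):
        print(finding)
```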
