On 16.08.23 23:28, Jason Long wrote:
> 1- What is the difference between /etc/openvpn and /etc/openvpn/server
> directories?

The systemd "unit files" that define the templates for the services you "systemctl" later on used to expect all configs - whether for a server or a client instance - to be named /etc/openvpn/SomeInstanceName.conf , i.e., configs for both modes would sit together. Later versions of systemd-enabled OpenVPN split that into /etc/openvpn/client and /etc/openvpn/server , respectively.

> I put my server.conf file in the /etc/openvpn directory and it worked.

Then I'd say that your Debian 12 still uses the old convention, as did the how-to's Debian 10. (Over here, RHEL, Fedora, and IIRC Ubuntu as well take the new directories instead.)

> 2- You said [...] make those unique ideally per device, not just per
> user. How to make it unique per user? If I have 1000 clients, then
> I must generate 1000 key files???

Yes. By default, if several clients use the same cert+key, they'll keep pushing each other out of the VPN. Also, if you need to shut clients out of the service, revoking a cert is how you do it - *all* clients using that one cert will have their VPN access disabled, so clients sharing certs likely isn't what you want even if you disable the former default behavior.

Also note that with "server ..." specifying only a /24 for an address pool, and with Windows clients (so that you can't use "topology p2p"), your VPN server will actually be limited to 64 simultaneous clients, anyway. 1000 clients at once require at least a /20.

> 3- For the CA certificate, I must use "Server" not "server". May I ask why?

I never said that. If anything, the CN of your CA cert should mention "CA" somewhere, and *not* "server", no matter the capitalization.

> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server

This shows that your client presents a cert with CN "server" as its *client* cert (the procedure in the how-to should result in a client cert with CN "client"), which verifies OK against a CA cert with a CN of "Server" (the how-to suggests that it should be "server", as misguided as that seems). Hence, either your client uses the *wrong* cert, or you misnamed the certs as you created them (even more than that how-to instructs you to).

Anyway, in order to create a CCD file for your client using the cert it uses *now*, the CCD file would need to be named "server".

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
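The address-pool arithmetic behind the "/24 holds 64 clients, 1000 need a /20" remark, as an added example that is not part of the list mail: it reads the "server" and "topology" directives from a constructed server.conf fragment and computes the pool's client capacity and the smallest prefix a given client count needs. It assumes OpenVPN 2.x's default of "topology net30" when no topology line is present, and treats the capacity as an upper bound (the server's own endpoint and the exact ifconfig-pool range that "server ..." expands to shave a few slots off it).

```python
import ipaddress
import math

# Addresses consumed per client: net30 hands every client its own /30,
# subnet and p2p hand out a single address each.
ADDRS_PER_CLIENT = {"net30": 4, "subnet": 1, "p2p": 1}


def pool_capacity(pool: str, topology: str = "net30") -> int:
    """Upper bound on simultaneous clients for an address pool (CIDR or
    'network/netmask').  The server's own endpoint and the pool bounds that
    the 'server' directive expands to cost a few more slots in practice."""
    net = ipaddress.ip_network(pool, strict=True)
    return net.num_addresses // ADDRS_PER_CLIENT[topology]


def min_prefix(clients: int, topology: str = "net30") -> int:
    """Smallest prefix length whose pool fits `clients` clients plus one
    slot reserved for the server-side endpoint."""
    needed = (clients + 1) * ADDRS_PER_CLIENT[topology]
    return 32 - math.ceil(math.log2(needed))


def capacity_from_config(conf_text: str) -> tuple[str, int]:
    """Return (topology, capacity) for a server.conf fragment.  Assumption:
    with no 'topology' line, OpenVPN 2.x defaults to net30."""
    topology, pool = "net30", None
    for raw in conf_text.splitlines():
        # OpenVPN treats '#' and ';' as comment markers
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "topology" and len(parts) == 2:
            topology = parts[1]
        elif parts[0] == "server" and len(parts) >= 3:
            pool = f"{parts[1]}/{parts[2]}"   # ipaddress accepts net/netmask
    if pool is None:
        raise ValueError("no 'server' directive found")
    return topology, pool_capacity(pool, topology)


# Constructed sample: the /24 pool from the how-to, Windows-compatible net30
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0   # address pool handed out to clients
"""

if __name__ == "__main__":
    print(capacity_from_config(SAMPLE_CONF))      # ('net30', 64)
    print(min_prefix(1000, "net30"))              # 20
```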


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
