On Thu, Aug 17, 2023 at 5:32 PM, Jochen Bern <jochen.b...@binect.de> wrote:

> On 17.08.23 14:12, Jason Long wrote:
>> It is even better if each server has its own separate keys.
>
> You didn't mention setting up multiple servers yet IIRC, but yes, same best practice there ... in principle.
>
> However, if you plan to instruct the clients to contact "*any* of servers you find available" (e.g., by Round Robin DNS), you need them all to pass the *exact same* server cert verification (like per "verify-x509-name ..."). That *might* justify having multiple servers use the same cert(s).
>
>> If the clients all use the same keys, then we can block any client based on the IP address. Is it true?
>
> The design decisions you've made so far suggest that your VPN clients will connect to the server from elsewhere than the site hosting your server - maybe not just any random StarDonalds at Shady Mall, but are you sure that you really can reliably identify them by their (public) IP? Will you personally deliver them to customer sites and nail them to a load-bearing wall?
>
>> 1- Is there a tool to facilitate key generation for a large number of clients?
>
> Yes, several. And I wouldn't have too much of a problem scripting such a run with nothing but bare OpenSSL, but.
>
> The point is that you need to bring those client cert+keys *onto the clients*, not just once, but every time the previous client cert approaches the end of its validity period. You need a PKI solution that doesn't just chuck new certs onto a local disk, but can feed it into whatever mechanism you use to keep the clients updated. And *then* one of these two systems needs to keep tabs on which clients *should* get a new cert (customers can terminate their contracts with you ...) and when.
>
>> 2- I've heard that OpenVPN can be configured to work with username and password instead of key-based authentication. Is this possible and recommended?
>
> I guess it's possible, but I don't run any such setup and thus can't comment on it.
>
>> 3- About the CN name, if I forget it, then if I open the "ca.crt" file and click on the Details tab and check the Issuer section, then this is the name that I have entered during generating the key?
>
> No. The name you enter during generation of keypair and cert goes to the cert's *Subject*; the Issuer is determined by the CA you use to sign the cert.
>
>> 4- If CN's name is Server, then I must change the ccd directory to Server? Am I right?
>
> If that's what the Subject CN of the cert you want to use as a client cert says, then yes, that's it.
>
> Of course, looking at a file "ca.crt" and seeing a CN "Server" for what is supposed to be the *client's* cert is botched twelve ways to Gehenna and back and will perpetually confuse anyone trying to debug your final setup ...
>
>> In which part of the document is this said?
>>
>> https://community.openvpn.net/openvpn/wiki/HOWTO
>
> "The client must have a unique Common Name in its certificate ("client2" in our example) [...] The next step is to create a file called client2 in the ccd directory."
> https://community.openvpn.net/openvpn/wiki/HOWTO#IncludingmultiplemachinesontheclientsidewhenusingaroutedVPNdevtun
>
> It doesn't explain how to look up the CN of a certificate from a file containing it, though, because it assumes that you made sure to have it created and installed in the correct location with the intended CN "client2" beforehand and don't *need* to check "now which cert did this client happen to end up with?".
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
> Binect GmbH

Hello,

Thanks again. Your answers raised other questions for me:

1- So, if we have multiple servers, then it is better that the servers have the same key, but each client has its own key. Am I right?

2- I can filter clients by MAC address, but MAC spoofing is another problem!

3- Can you introduce a tool to easily generate keys?

4- You said "You need a PKI solution that doesn't just chuck new certs onto a local disk, but can feed it into whatever mechanism you use to keep the clients updated.", which mechanism?

5- When I use "./easyrsa build-ca nopass", then it asks me "Common Name (eg: your user, host, or server name) [Easy-RSA CA]:", and as you said, better not to use "server" as name. For example, I entered "Jason_Server", then I must use "Jason_Server" in the "./easyrsa gen-req Jason_Server nopass" and "./easyrsa sign-req server Jason_Server" commands. Right?

6- Is this true for clients too? For example, "./easyrsa gen-req client_name nopass" and "./easyrsa sign-req client client_name".

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
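An added illustration, written by the editor and not by either poster, of two points in the thread: Jochen's remark that a run of client certs for many clients can be scripted with nothing but bare OpenSSL, and his note that the HOWTO never shows how to read the Subject CN (the name the ccd file must carry, as opposed to the Issuer set by the signing CA) back out of a certificate file. It assumes the `openssl` command-line tool is installed; the CA name "Example CA", the client list file and the output directory are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: mint one key+cert per client with bare
# OpenSSL, then read the Subject CN and Issuer CN back out of a PEM file.
# Assumes the `openssl` CLI is installed; the CA name and paths are made up.
set -e

# Subject CN of a PEM cert: the name typed at generation time, and the file
# name OpenVPN looks for in the ccd directory.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Issuer CN: set by the CA that signed the cert, not by anything you typed
# for this cert (for a self-signed CA cert, Subject and Issuer coincide).
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 |
        sed -n 's/^issuer=.*CN=\([^,]*\).*/\1/p'
}

# Print the ccd file OpenVPN would read for this client cert, if one exists.
ccd_file_for() {
    f="$2/$(subject_cn "$1")"
    [ -f "$f" ] && printf '%s\n' "$f"
}

# Create a CA plus one key and CA-signed cert per CN listed (one per line)
# in $1, all written under directory $2. Constructed names, no real PKI.
mint_client_certs() {
    list=$1; out=$2
    mkdir -p "$out"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
    while read -r cn; do
        [ -n "$cn" ] || continue
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$out/$cn.key" -out "$out/$cn.csr" 2>/dev/null
        openssl x509 -req -in "$out/$cn.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
            -CAcreateserial -days 365 -out "$out/$cn.crt" 2>/dev/null
    done < "$list"
}
```

Pointing `subject_cn` at a file that turns out to contain the CA or server cert (CN "Example CA" or "Server") is the quick way to catch the mix-up Jochen describes before it reaches the ccd directory.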