> On 30/08/2023 07:45, Jason Long via Openvpn-users wrote:
>> Hello,
>> I configured OpenVPN to use the username and password for authentication, but
>> I need to have the "ca.crt", "cert server.crt", "server.key" and "dh.pem"
>> certificates.
>
> There are 2 sets of certificates and keys.
>
> * Server side: Uses ca.crt, server.crt, server.key and dh.pem
> * Client side: Uses ca.crt, client.crt and client.key
>
> The difference between these certificates and keys is very important to
> have a clear understanding of. Each certificate provides an identity of
> the server or client and should be unique per host and user.
>
>> So, what's the advantage of using this authentication method when I still
>> need to use these keys?
>
> Certificate based authentication is quite strong. And in many cases,
> that is more than enough. OpenVPN can also be configured to not use
> client certificates, in this case username/password authentication is
> mandatory. For such setups, the client side only needs the ca.crt (to
> verify the identity of the VPN server).
>
> Or you can combine certificate with username/password authentication.
> This can be used if you want to grant different access to the network(s)
> behind the VPN server depending on which device a user is connecting from.
>
> And there is another aspect as well. Some deployments let both
> gateway/routers connect to a VPN server as well as individual users. In
> this case, those gateway/router hosts will NOT use username/password -
> only certificates. While the individual end-users might do only
> username/password authentication.
>
> Which approach to use depends entirely on your own network's needs and
> the threat model you operate under. There is no "X is better than Y"
> scenario in this case; it depends entirely on your own security needs.
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc

Hello,
Thank you so much for your reply.
As I understand, the "ca.crt" and "ta.crt" keys are mandatory.
I disabled the "ta.crt" in the Client.ovpn file and I got the following error:

Wed Aug 30 17:36:57 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Aug 30 17:36:57 2023 TLS Error: TLS handshake failed

Why must the following files exist in the server.conf file when the client uses the username and password authentication method?

cert server.crt
key server.key
dh dh.pem

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
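The username/password-only setup David describes, written out as a server and a client configuration fragment. This is an added illustration, not a configuration posted in the thread; the file names follow the thread, while the listen port, the `vpn.example.com` hostname, the `tls-auth` key name `ta.key` and the `/etc/openvpn/check-user.sh` verification script are assumptions.

```conf
# server.conf -- added example, not from the thread.
# The server always needs its OWN identity: during the TLS handshake the
# client checks server.crt against ca.crt and server.key signs the
# handshake. This is why cert/key/dh stay even when clients have no certificate.
port 1194
proto udp
dev tun
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem            # DH parameters for the TLS key exchange
# Control-channel HMAC key. It must be present and identical on BOTH sides;
# removing it from only one side gives "TLS key negotiation failed ...".
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
# Do not require a client certificate; username/password becomes mandatory.
# Drop the next line (and add client cert/key on the client) to get the
# combined certificate + username/password setup instead.
verify-client-cert none
username-as-common-name
script-security 2
auth-user-pass-verify /etc/openvpn/check-user.sh via-file   # assumed script path

# client.ovpn -- added example, not from the thread.
client
dev tun
proto udp
remote vpn.example.com 1194   # placeholder hostname
# Only the CA is needed here: it is what verifies the server's certificate.
ca ca.crt
# Refuse to talk to a peer whose certificate is not a server certificate,
# so a stolen client certificate cannot impersonate the VPN server.
remote-cert-tls server
tls-auth ta.key 1
auth-user-pass
```

The two `tls-auth` lines must reference the same key file, with direction 0 on the server and 1 on the client; that mismatch, not the authentication method, is what produces the handshake error quoted above.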