> On Sunday, January 7th, 2024 at 3:50 PM, Gert Doering <[email protected]>
> wrote:
> Hi,
>
> On Sun, Dec 31, 2023 at 09:07:09PM +0000, Peter Davis wrote:
>
> > 1- How can I find out if a user has shared the key with others?
>
>
> You can't, unless you combine the VPN connect with some other auth
> mechanism ("username + password", etc.).
>
> But generally speaking, users will not do this, as OpenVPN will (by
> default) not permit two parallel connections with the same cert - so
> the second user will kick out the first, and vice versa. Unpleasant
> user experience.
>
> > 2- Can I use "--client-connect" with MAC address?
>
>
> OpenVPN will send the ethernet MAC address on the client PC that is used
> to reach the default gateway in the IV_HWADDR= address.
>
> BUT: if a user has wifi and ethernet, you'll see a different ethernet
> address depending on connection used.
>
> BUT2: this is an indication of "same computer" or "different computer",
> but is not 100% reliable if you have non-trustworthy users.
>
> > 3- Can I generate only one server key, but multiple client keys that use
> > that server key?
>
>
> This is how everybody else does it.
>
> Client keys do not "use the server key" though. Clients connect, the server
> presents a server certificate, which has to be signed by a mutually-trusted
> certificate authority (CA). This is what is "used", the trusted signature
> by a 3rd party.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany [email protected]
Hi,
Thanks again.
1- So one of the benefits of using the LDAP mechanism is that two users cannot use
the OpenOne server at the same time? I mean using the openvpn-auth-ldap package.
2- Regarding the third question, I did not express my meaning well. Suppose
there are several departments in a company and you want to generate separate
keys for each department, in this situation each department must have its own
server and client keys. Is it right?
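
An added example, not part of the original thread: a log-only `--client-connect` hook that records the `IV_HWADDR` values seen for each certificate common name, following the caveats quoted above (the MAC changes between wifi and ethernet, and it is client-supplied). The state directory, function name and log tag are assumptions, as is the client actually sending `IV_HWADDR` in its peer info.

```shell
#!/bin/sh
# Added example: passive IV_HWADDR tracking for an OpenVPN --client-connect hook.
# STATE_DIR, classify_hwaddr and the log tag are assumptions made for this sketch.
STATE_DIR="${STATE_DIR:-/var/lib/openvpn/hwaddr}"

# classify_hwaddr CN MAC [DIR]
# Prints one of: missing | first | known | new
classify_hwaddr() {
    cn=$1; mac=$2; dir=${3:-$STATE_DIR}
    # The client sent no IV_HWADDR: peer info is optional and client-controlled.
    [ -n "$mac" ] || { echo missing; return 0; }
    # Normalise hex case, and reduce the CN to a safe file name.
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    file="$dir/cn_$(printf '%s' "$cn" | tr -c 'A-Za-z0-9._-' '_')"
    mkdir -p "$dir"
    if [ ! -s "$file" ]; then
        echo "$mac" > "$file"; echo first
    elif grep -qxF "$mac" "$file"; then
        echo known
    else
        # Another interface (wifi vs ethernet) or another computer: remember it.
        echo "$mac" >> "$file"; echo new
    fi
}

# OpenVPN sets script_type, common_name and the IV_* peer-info variables
# in the environment of the hook.
if [ "${script_type:-}" = "client-connect" ]; then
    verdict=$(classify_hwaddr "$common_name" "${IV_HWADDR:-}")
    logger -t openvpn-hwaddr \
        "cn=$common_name hwaddr=${IV_HWADDR:-none} verdict=$verdict"
    exit 0   # log only: the MAC is a hint, not an authenticator
fi
```

A growing list of addresses under one common name is a reason to look closer at that certificate, not proof of sharing.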