On Sat, 13 Jan 2024 12:56:41 +0100, Gert Doering <g...@greenie.muc.de> wrote:
>Hi,
>
>On Thu, Jan 11, 2024 at 07:35:13PM +0000, Peter Davis wrote:
>>> Abandon that thought. We've been here before: you need unique keys per
>>> user, everything else will just make your life painful and miserable.
>>
>> If each user has their own key, then there should be a Client.conf file for
>> each user, which itself contains a unique IP address, a unique port and a
>> unique TUN. For example, for 100 users, there are 100 configuration files,
>> 100 IP addresses, 100 open ports and 100 TUNs.
>
>OpenVPN Server is point-to-multipoint, so a single server can easily
>handle 1000s of clients.
>
>You need a unique key+cert per client, which form a unique client config
>(everything *not* key/cert related stays the same, though). Nothing else
>needs to be maintained per-client, the server will do that all for you.
>

And I would say the *simplest* way to block a single or multiple clients
is to use the ccd (client config dir) functionality on the server.

For any client to be locked out just create a file inside that directory
named as the CommonName of the client (these CNs have to be unique of
course) with this content:

    sudo nano /etc/openvpn/ccd/ClientName

Enter this:

    # This client is blocked from connecting
    disable

Now upon connect the client is immediately rejected.
No need for any cryptographic mumbo-jumbo, it just works....

Config in the /etc/openvpn/server/server.conf file to enable its use is
this single line:

    client-config-dir /etc/openvpn/ccd

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
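As an added example that is not part of the original post and not OpenVPN project code: a small POSIX shell helper that creates, removes and checks the per-CN block file in a client-config-dir as described above. The CCD_DIR variable (defaulting to a temporary directory so the script runs without root), the function names and the CN "alice" are assumptions made for the example; on a real server CCD_DIR would be the directory named in the server's client-config-dir line. Because the certificate CommonName becomes a file name inside that directory, the helper refuses CNs that contain path separators or unusual characters before touching the filesystem.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the OpenVPN project.
# Manage per-client "disable" files in an OpenVPN client-config-dir.
# CCD_DIR is assumed; it defaults to a scratch directory for offline use.
CCD_DIR="${CCD_DIR:-$(mktemp -d)}"

# Accept only CNs that are safe to use as a plain file name:
# non-empty, no '/', not '.' or '..', and only [A-Za-z0-9._@-].
valid_cn() {
    case "$1" in
        ''|*/*|.|..|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Write a ccd file for the CN containing the "disable" directive,
# with a comment recording when the block was put in place.
block_client() {
    valid_cn "$1" || return 1
    printf '# blocked on %s\ndisable\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$CCD_DIR/$1"
}

# Remove the ccd file again so the client can connect normally.
unblock_client() {
    valid_cn "$1" || return 1
    rm -f "$CCD_DIR/$1"
}

# Succeed if a ccd file exists for the CN and carries a "disable" line
# (leading/trailing whitespace tolerated, as OpenVPN's parser tolerates it).
is_blocked() {
    valid_cn "$1" || return 1
    [ -f "$CCD_DIR/$1" ] && grep -qE '^[[:space:]]*disable[[:space:]]*$' "$CCD_DIR/$1"
}

# Example usage with a constructed CN.
block_client alice && echo "alice is now blocked via $CCD_DIR/alice"
```

The file is consulted when the client connects, so a client that already holds an established session keeps it until it reconnects; to end a live session immediately, the server's management interface `kill` command on the CommonName is the usual complement to the ccd entry.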