> On Tuesday, January 16th, 2024 at 10:59 AM, Gert Doering 
> <g...@greenie.muc.de> wrote:


> Hi,
> 
> On Tue, Jan 16, 2024 at 07:10:02AM +0000, Peter Davis via Openvpn-users wrote:
> 
> > Hi,
> > Thanks again.
> > So, if I delete the client keys from the OpenVPN server,
> > the clients can still connect to the server.
> 
> 
> Yes.
> 
> > 1- Is "pki/ca.crt" unique for each client?
> 
> 
> No. This is the CA's certificate, acting as a trusted introducer - this
> is the glue that enables both ends to verify each other's certificates,
> by having a signature from the CA, verifiable with the same ca.crt.
> 
> > 2- You said that if I use authentication based on username and password,
> > then two people cannot connect to the server at the same time with the
> > same username and password. Is this possible if each client has its own
> > unique key?
> 
> 
> I said that OpenVPN will (by default) disallow multiple logins with the same
> client key+cert.
> 
> Username + password is an extra bonus to control who is allowed in and
> who is not, or introduce 2FA requirements, etc.
> 
> > For example, if I generate a client key and share it with 100 people
> 
> 
> I'm not willing to answer questions that start with "share client key".
> 
> Don't. Ever.
> 
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hi,
Thanks again.
1- You said "I said that OpenVPN will (by default) disallow multiple logins 
with the same client key+cert.", so if I generate a client key using the 
commands below, then I can't use this key on multiple devices at the same time?

# ./easyrsa gen-req <client name> nopass
# ./easyrsa sign-req client <client name>

I think you are wrong, I generated a client key using the command above and was 
able to use it on multiple devices at the same time!!!

2- I know that it is better for each client to have its own unique key. Now if 
one of the clients shares his/her key with others, then if I have used the 
"--auth-user-pass" option, then two people cannot use the same username and 
password to login at the same time if each client has its own unique key?
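
One way to check whether a single client certificate is in use from more than one device, the situation discussed in this thread (added example, not part of the original messages or of OpenVPN itself): compare successive snapshots of the server status file and flag any Common Name seen from more than one source address. The status layout ("status-version 1"), the sample data and the function names are assumptions made for this example.

```python
import csv
from collections import defaultdict

# Constructed sample: two snapshots of a server status file, assumed to be in
# the "status-version 1" layout. Names and addresses are made up.
SNAPSHOT_1 = """OpenVPN CLIENT LIST
Updated,Tue Jan 16 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.7:40112,52011,88120,Tue Jan 16 09:12:44 2024
bob,203.0.113.20:51844,9120,15033,Tue Jan 16 09:58:01 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,198.51.100.7:40112,Tue Jan 16 09:59:58 2024
10.8.0.10,bob,203.0.113.20:51844,Tue Jan 16 09:59:40 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
# A later snapshot: alice reconnected from the same host (new port only),
# while bob's certificate now shows up from a different source address.
SNAPSHOT_2 = (SNAPSHOT_1.replace("198.51.100.7:40112", "198.51.100.7:40377")
                        .replace("203.0.113.20:51844", "192.0.2.99:33010"))


def client_sessions(status_text):
    """Yield (common_name, source_ip) for each row of the CLIENT LIST section."""
    in_clients = False
    for row in csv.reader(status_text.splitlines()):
        if not row:
            continue
        if row[0] == "Common Name":        # column header: client rows follow
            in_clients = True
        elif row[0] == "ROUTING TABLE":    # end of the client list
            break
        elif in_clients and len(row) >= 2:
            # Real Address is "ip:port"; drop the port so that a plain
            # reconnect from the same host is not counted as a second device.
            yield row[0], row[1].rsplit(":", 1)[0]


def shared_certificates(snapshots):
    """Map each Common Name seen from more than one source IP to those IPs."""
    seen = defaultdict(set)
    for text in snapshots:
        for cn, ip in client_sessions(text):
            seen[cn].add(ip)
    return {cn: sorted(ips) for cn, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    print(shared_certificates([SNAPSHOT_1, SNAPSHOT_2]))
```

A hit is a lead rather than proof, since a roaming client also changes its source address; repeated alternation between the same addresses is the stronger signal.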


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
