> I just had "dev tun" and did not define "dev-node". Worked great.
> It found an available tun device.

Hot damn. I'll have to try that. ;-)

> I used certificates for my users, no pre-shared keys except for the
> "tls-auth" which is pretty much equivalent to the Cisco group password.

Sorry, I used the wrong words. In openvpn, each individual client gets a private key or a private certificate. If that key or cert were acquired by anyone other than the intended end user, it would be possible for someone unauthorized to get in. Basically, this is a one-stage authentication, and I don't think openvpn supports two or more.

Ideally, authentication will require both something physical and something known. (A preshared key or a certificate which is too large for a human to be expected to memorize or type in can be used as a substitute for something physical as a key.) Ideally, no user could even receive the password prompt unless they've already passed the physical authentication.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
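As an added illustration, not a config posted by either participant, here is an OpenVPN server configuration in the shape the two messages describe: "dev tun" with no "dev-node", one certificate per client, and a "tls-auth" static key in front of the TLS handshake. File paths, the address range and the key file name are assumptions.

```conf
# Added example, not from the thread. Paths and addresses are assumed.
port 1194
proto udp

# "dev tun" alone: the kernel hands out the first free tunN device,
# so no "dev-node" line is needed on Linux or BSD.
dev tun

# Per-client identity: every user holds their own certificate and private key
# signed by this CA. The key file alone is sufficient to connect, which is the
# single-factor property discussed above, so publish a CRL and revoke any
# key that leaves the user's hands.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem

# tls-auth: a static key shared by server and all clients
# (generate it with: openvpn --genkey --secret ta.key).
# Every control-channel packet must carry a valid HMAC under this key;
# anything else is dropped before the TLS handshake begins, so a client
# without ta.key never reaches the certificate exchange at all.
# The server uses direction 0, clients use direction 1.
tls-auth /etc/openvpn/ta.key 0

server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

On the client side the matching lines are `client`, `dev tun`, `remote <server> 1194`, the per-user `ca`/`cert`/`key` files, and `tls-auth ta.key 1`. Because tls-auth filters packets before certificates are even presented, it plays the "gate before the prompt" role the reply asks for, but it is one key shared by everyone, so it does not replace per-user revocation of leaked client keys.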
