OpenVPN version 2.3.2: using new easyrsa mechanism for multiple users

  1. Server setup
    1. ./easyrsa init-pki
      1. don't do this twice!
    2. ./easyrsa build-ca
  2. User key and cert signing request on complete separate machine
    1. ./easyrsa init-pki
      1. don't do this twice!
    2. ./easyrsa gen-req myuser
  3. Server signs user cert req
    1. ./easyrsa import-req myuser.req myuser
    2. ./easyrsa sign-req client myuser
Generate your server key and cert in a similar manner to a user.

Any client with a signed cert may connect to the server. There is no record of the client cert on the server itself; since the server signed the user cert, that is authority enough to validate the user cert.

Only if a user cert needs to be revoked, is a "revocation file" created on the server; this revocation file disallows that user from connecting. If no users need to be revoked, nothing needs to be done, nothing needs to exist about users on the server-side.


Popular posts from this blog

Debugging pfsense firewall rules clearly and easily

Direct ssh to a server via proxy using putty/plink on Windows

telnet vs netcat