Friday, 15 August 2014

OpenVPN version 2.3.2: using new easyrsa mechanism for multiple users

  1. Server setup
    1. ./easyrsa init-pki
      1. don't do this twice!
    2. ./easyrsa build-ca
  2. User key and cert signing request on complete separate machine
    1. ./easyrsa init-pki
      1. don't do this twice!
    2. ./easyrsa gen-req myuser
  3. Server signs user cert req
    1. ./easyrsa import-req myuser.req myuser
    2. ./easyrsa sign-req client myuser
Generate your server key and cert in a similar manner to a user.

Any client with a signed cert may connect to the server. There is no record of the client cert on the server itself; since the server signed the user cert, that is authority enough to validate the user cert.

Only if a user cert needs to be revoked, is a "revocation file" created on the server; this revocation file disallows that user from connecting. If no users need to be revoked, nothing needs to be done, nothing needs to exist about users on the server-side.

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

No comments:

Post a Comment

Note: only a member of this blog may post a comment.

Interview questions: 2020-12

Terraform provider vs provisioner Load balancing Network Load Balancer vs Application Load Balancer  Networking Layer 1 vs Layer 4 haproxy u...