
Re: [Openvpn-devel] key management ?

  • Subject: Re: [Openvpn-devel] key management ?
  • From: gary ng <garyng2000@xxxxxxxxx>
  • Date: Thu, 8 Apr 2004 16:03:10 -0700 (PDT)

--- James Yonan <jim@xxxxxxxxx> wrote:
> OpenVPN currently supports intermediate CAs (one or
> multiple levels).
How would I do this in the configuration file? I
tried to create a self-signed root CA and then an
intermediate CA, but if I just place the intermediate
CA as the 'ca' parameter (both node certs are signed by
it), openvpn didn't work. So I reverted to signing the
nodes with the root CA and things work. That is why it
gives me the impression that only the root CA is
> > Another nice to have feature is to associate (or
> > limit)
> > the remote IPs based on certificates. 
> This is possible using the --tls-verify script which
> can examine the IP
> address and x509 name of an incoming cert and decide
> whether or not to accept it.
> Some people even use this capability to do an nmap
> on the IP address to make
> sure the client hasn't been compromised, before
> allowing the connection.
Thanks, that is nice to know. I am not sure if this is
the same as I envisioned. What I am working on is a
setup where, depending on the remote certificate, the
openvpn server would assign a certain range of IPs (the
virtual IP, not the real remote IP, which I believe is
what this nmap thing is about) to the node. The
scenario behind it is that, say, for certain servers (or
applications), I would only allow incoming connections
from a selected list of workstations/nodes (either on
the VPN or a simple inter network). Currently, it is worked
around in openvpn by using different ports (it is
needed anyway for serving multiple clients). However,
I see that the new feature of openvpn 2.0 would make
it possible to use one public port, so I am wondering
if it is possible to do this based on certificates, so that
if the certificate is 'administrator', an IP is
assigned from the admin pool, etc.
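The --tls-verify hook James describes above, as an added example that is not part of this thread and not OpenVPN project code. It assumes OpenVPN 2.x semantics: the script is run once per certificate in the peer's chain with two arguments (depth and X509 subject), the peer's real, not-yet-authenticated address is in the environment variable untrusted_ip, and exit status 0 accepts. The allow-list of CN to source-network prefix, and the subject strings in the comments, are constructed for illustration. Note that the script only sees certificates that have already chain-validated against the --ca file, so a CN is only as trustworthy as that CA.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenVPN project.
# OpenVPN invokes a --tls-verify script once per certificate in the
# peer's chain:
#   $1 = depth (0 = the peer's own certificate, 1 = its issuer, ...)
#   $2 = X509 subject of that certificate
# In OpenVPN 2.x the peer's real address is in $untrusted_ip.
# Exit 0 accepts the certificate, any other status rejects it.

# Constructed allow-list (assumption): "CN source-prefix" per line.
# The prefix is a plain string match on the dotted address, so
# "10.1.2." covers 10.1.2.0/24 but not 10.1.20.0/24.
ALLOWED='admin-ws 10.1.2.
backup-host 10.1.3.
'

# Extract the CN from an OpenVPN subject string. Both the older
# "/C=US/O=Acme/CN=admin-ws" and the newer "C=US, O=Acme, CN=admin-ws"
# layouts are handled; the component ends at the next "/" or ",".
cn_from_subject() {
    printf '%s\n' "$1" \
        | sed -n 's|.*CN=\([^/,]*\).*|\1|p' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Policy decision for one certificate.  Usage: tls_verify DEPTH SUBJECT
# (untrusted_ip taken from the environment).  Returns 0 = accept.
tls_verify() {
    depth=$1
    subject=$2
    # Issuer certificates (depth > 0) already passed OpenVPN's own
    # chain check against --ca; the policy here is about the leaf only.
    [ "$depth" -eq 0 ] || return 0
    cn=$(cn_from_subject "$subject")
    [ -n "$cn" ] || return 1
    # A valid certificate with an unknown CN is still rejected.
    prefix=$(printf '%s' "$ALLOWED" | awk -v cn="$cn" '$1 == cn { print $2; exit }')
    [ -n "$prefix" ] || return 1
    # Compare the peer's real source address with the CN's allowed
    # prefix; an unset untrusted_ip fails closed.
    case "${untrusted_ip:-}" in
        "$prefix"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# When OpenVPN runs this file directly it passes exactly two arguments.
if [ "$#" -eq 2 ]; then
    tls_verify "$1" "$2"
    exit "$?"
fi
```

Wire it in with `tls-verify /etc/openvpn/verify.sh` (path is an assumption) in the server config. The nmap idea from the thread can be bolted onto the same hook, but it is a heuristic and a race: the host is probed before the tunnel is up, and a compromised host can simply present a clean port profile.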
