Re: [Openvpn-devel] key management ?


  • Subject: Re: [Openvpn-devel] key management ?
  • From: gary ng <garyng2000@xxxxxxxxx>
  • Date: Thu, 8 Apr 2004 16:03:10 -0700 (PDT)

--- James Yonan <jim@xxxxxxxxx> wrote:
> OpenVPN currently supports intermediate CAs (one or
> multiple levels).
How would I do this in the configuration file? I
tried to create a self-signed root CA, then an
intermediate CA, but if I just place the intermediate
CA as the 'ca' parameter (both node certs are signed by
it), openvpn didn't work. So I reverted to signing the
nodes with the root CA, and things work. That is why it
gave me the impression that only a root CA is
supported.

> 
> > Another nice to have feature is to associate (or limit)
> > the remote IPs based on certificates.
> 
> This is possible using the --tls-verify script, which
> can examine the IP address and x509 name of an incoming
> cert and decide whether or not to accept it.
> 
> Some people even use this capability to do an nmap on
> the IP address to make sure the client hasn't been
> compromised, before allowing the connection.
> 
Thanks, that is nice to know. I am not sure if this is
the same as I envisioned. What I am working on is a
setup where, depending on the remote certificate, the
openvpn server would assign a certain range of IPs (the
virtual IP, not the real remote IP, which I believe is
what this nmap thing is about) to the node. The
scenario behind it is that, say, for certain servers (or
applications), I would only allow incoming connections
from a selected list of workstations/nodes (either on
the VPN or a simple internetwork). Currently, it is worked
around in openvpn by using different ports (it is
needed anyway for serving multiple clients). However,
I see that the new feature of openvpn 2.0 would make
it possible to use one public port, so I am wondering
if it is possible to do this based on certificates, so
that if the certificate is 'administrator', an IP is
assigned from the admin pool, etc.


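Editor's added example (not code from the thread or from the OpenVPN project): one POSIX sh script that does the two things discussed above. Used as a --tls-verify hook it checks, for the client's own certificate only (depth 0, so an intermediate CA in the chain is passed through), that the CN is known and that the real source address (the `untrusted_ip` environment variable OpenVPN 2.0 sets before running the hook) lies in the network allowed for that CN. Used as a --client-connect hook it writes an `ifconfig-push` line for that CN into the temporary config file OpenVPN 2.0 hands the script, which is the per-certificate virtual-address assignment the poster is after. The CN names, the source networks, the 10.8.x.x address pairs, and the script path /etc/openvpn/cert-policy.sh are all constructed for illustration; the hook argument and environment conventions are OpenVPN 2.0's.

```shell
#!/bin/sh
# Added example: a single OpenVPN 2.0 hook script for per-certificate policy.
# Hypothetical server config lines (OpenVPN appends its own arguments after
# the ones given here):
#   tls-verify     "/etc/openvpn/cert-policy.sh verify"   # + depth, X509 subject; env: untrusted_ip
#   client-connect "/etc/openvpn/cert-policy.sh connect"  # + temp config file; env: common_name

# Constructed policy table: CN -> "allowed source prefix  ifconfig-push local remote".
# The /30 pairs are hypothetical: 10.8.1.0/24 is the admin pool, 10.8.2.0/24 the staff pool.
policy_for_cn() {
    case "$1" in
        administrator) echo "192.0.2.0/24 10.8.1.6 10.8.1.5" ;;
        staff1)        echo "198.51.100.0/24 10.8.2.6 10.8.2.5" ;;
        staff2)        echo "198.51.100.0/24 10.8.2.10 10.8.2.9" ;;
        *)             return 1 ;;
    esac
}

# Extract the CN from an X509 subject, in the slash form OpenVPN 1.x/2.0 passes
# ("/C=US/O=Example/CN=staff1/emailAddress=...") or the comma form ("C=US, CN=staff1").
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^/,]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Dotted quad -> 32-bit integer using only POSIX sh arithmetic
# (octets with leading zeros are not handled; OpenVPN never prints them).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDRESS PREFIX/BITS -> exit 0 if ADDRESS is inside the prefix.
ip_in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# tls_verify DEPTH SUBJECT SOURCE_IP
# OpenVPN runs the hook once per certificate in the chain, root first and the
# peer's own certificate last at depth 0; any non-zero exit rejects the
# connection. Chain validity against --ca is checked by OpenVPN itself, so the
# policy here applies only at depth 0 and lets CA certificates (including an
# intermediate) through untouched.
tls_verify() {
    depth=$1; subject=$2; src=$3
    [ "$depth" -ne 0 ] && return 0
    cn=$(cn_from_subject "$subject")
    [ -n "$cn" ] || return 1
    policy=$(policy_for_cn "$cn") || return 1
    ip_in_cidr "$src" "${policy%% *}"
}

# client_connect CN OUTFILE
# Appends the ifconfig-push directive for this CN to the temp file that
# OpenVPN 2.0 reads back after a --client-connect script finishes, so the
# client gets a virtual address from the pool its certificate entitles it to.
client_connect() {
    cn=$1; out=$2
    policy=$(policy_for_cn "$cn") || return 1
    set -- $policy
    printf 'ifconfig-push %s %s\n' "$2" "$3" >> "$out"
}

# Dispatch on the mode word given in the config; no mode means the file is
# merely being sourced and nothing runs.
case "${1:-}" in
    verify)  shift; tls_verify "$1" "$2" "${untrusted_ip:-}" ;;
    connect) shift; client_connect "${common_name:-}" "$1" ;;
esac
```

Two notes on how this fits the rest of the thread. The address the verify hook checks is the client's real source address, which is exactly the distinction the poster draws: the pushed 10.8.x.x pair is the virtual address, and only the source check has anything to do with the nmap trick. And the hook is only an add-on policy; the chain itself is validated by OpenVPN against the file given to --ca, which accepts several PEM certificates concatenated together, so the usual way to make an intermediate CA work is to put it in that file alongside the root rather than on its own, e.g. `cat root.pem intermediate.pem > ca.pem`.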