[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] mode server w/ dhcp & static keys

  • Subject: Re: [Openvpn-users] mode server w/ dhcp & static keys
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Thu, 8 Jul 2004 23:50:55 +0200 (CEST)

On Thu, 8 Jul 2004, James Yonan wrote:

On Thursday 08 July 2004 16:12, Mathias Sundman wrote:
On Thu, 8 Jul 2004, Aaron M. Hirsch wrote:
I'm wanting to setup openvpn to where it will hand out dhcp addresses,
via ifconfig-pool, and utilize a static key.  We have no desire to
created 500+ tls keys at this time.

The problem that I'm running into is that I can't get opevpn to start
with the mode server and secret.  It tells me that I have to use

I don't think you can. As far as I remember mode server only works with tls (Just like the error msg said). This is because the server needs to be able to know it advance which user is connecting to know which key to use. With tls, the client authenticate it self, so this is no problem, but with static keys, there is no such authentication, so you would have to use the same static key for every client.

There are no plans at this point to support static keys in server mode,

If you inteded to use only one static key for all users, you could instead create just one key/cert and use the --duplicate-cn option to allow everyone to connect with the same certificate. James, does this have any other drawbacks other than not having any log over who is connected, and not the possibility to have individual configs or revoke individual certs.

I don't know how you intend to use openvpn, but if you have 500+ users,
don't you think you have the need for beeing able to revoke a key/cert, if just one computer gets stolen or whatever, instead of having to roll out a new key to every user?

Mathias Sundman                  (^)   ASCII Ribbon Campaign
NILINGS AB                        X    NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28          / \   NO Word docs in e-mail

Openvpn-users mailing list