
Re: [Openvpn-users] One CA for several OpenVPN installations.

  • Subject: Re: [Openvpn-users] One CA for several OpenVPN installations.
  • From: Giancarlo Razzolini <linux-fan@xxxxxxxxxxx>
  • Date: Thu, 22 Mar 2007 21:17:36 -0300

Tony wrote:
> On Thu, 22 Mar 2007 23:24:13 +0300, Göran Nilsson  
> <goran.nilsson@xxxxxxxxx> wrote:
>> Any ideas, thoughts on how to make sure that a "site installation" with  
>> generated certificates for server and clients are the only one allowed  
>> to connect to each other.
> I once asked here if it is possible or planned to introduce a multilevel  
> CA where one root CA would issue certs for a number of intermediate CAs  
> (unique per OpenVPN server).
> I'm currently suffering from exactly the same problem - my OpenVPN certs  
> are signed by the same rootCA as my WiFi EAP-TLS ones - and my WiFi  
> clients are able to authenticate to my OpenVPN.
> I want to avoid that...
I believe you have 3 options here:
1) use the tls-verify option to check some field of the certificate, and
deny/allow connection based on some field of the cert (note that in some
kinds of mitm attacks, and others, ssl fields can be faked). This method
is secure to a certain extent.
2) Authenticate your users, with separate databases, of course. Each
user, of each server, must be authenticated against a separate database.
3) Use both options 1 and 2, to achieve the best security.

If you want (almost) transparency, use option 1 (I say almost, because
you will have to use tls-verify on both ends, change the clients'
conf files, and send the program that will be used to verify the fields).

If you don't care about transparency, but also don't want to create a
program, or trust any existing one, use option 2.

I recommend option 3, for sure.

My 2 cents,
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 6.10 Edgy Eft
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
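As an added example of option 1 above (this is not code from the original post or from the OpenVPN project), the following is a `tls-verify` program that accepts a client certificate only if its subject carries the OU assigned to this site installation. The OU value `vpn-siteA`, the path `/etc/openvpn/verify-site.sh`, and the subject strings used for testing (`C=BR, O=Example, ...`) are assumptions constructed for the example. OpenVPN invokes a `tls-verify` program with two arguments, the certificate depth and the X509 subject, and a zero exit status accepts the connection; the script handles both the older OpenSSL one-line subject form (`/C=..../OU=.../CN=...`) and the comma-separated form OpenVPN 2.3 and later use.

```shell
#!/bin/sh
# tls-verify helper for OpenVPN: accept a peer certificate only if its
# subject carries the organizational unit assigned to this site installation.
# The OU value is an assumption for this example; set SITE_OU per site.
SITE_OU="${SITE_OU:-vpn-siteA}"

# verify_site_cert DEPTH SUBJECT
#   DEPTH   - certificate depth in the chain (0 = the peer's own certificate)
#   SUBJECT - X509 subject as OpenVPN formats it, either the OpenSSL one-line
#             form "/C=BR/O=Example/OU=vpn-siteA/CN=client1" or the
#             "C=BR, O=Example, OU=vpn-siteA, CN=client1" form used by
#             OpenVPN 2.3 and later.
# Returns 0 to accept, 1 to reject.
verify_site_cert() {
    depth="$1"
    subject="$2"

    # CA certificates higher in the chain are already checked against --ca;
    # the site restriction only applies to the leaf certificate.
    [ "$depth" = "0" ] || return 0

    # Split the subject into FIELD=value tokens on "/" or ", " and require an
    # exact "OU=<site>" token. A value that itself contains "/" or ", " would
    # be split apart and fail to match, i.e. the check fails closed.
    printf '%s\n' "$subject" | awk -v want="OU=$SITE_OU" '
        {
            n = split($0, f, "/|, ")
            for (i = 1; i <= n; i++)
                if (f[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# When OpenVPN runs this file via "tls-verify <path>", it passes DEPTH and
# SUBJECT as the two positional arguments; the exit status decides the outcome.
if [ "$#" -eq 2 ]; then
    verify_site_cert "$1" "$2"
    exit $?
fi
```

To use it on the server, add `tls-verify /etc/openvpn/verify-site.sh` and `script-security 2` (required since OpenVPN 2.1 for any external script) to the config; the same file can be installed on the clients with a server-specific OU if both ends are to be checked, as the reply above suggests. The check is only as strong as the CA's issuance discipline: the subject is fixed at signing time, so it holds as long as the shared CA never issues this site's OU to a certificate meant for another purpose, such as the Wi-Fi EAP-TLS clients in Tony's case. On OpenVPN 2.3 and later, `verify-x509-name` can compare the peer's full subject or CN without a script, but it does not match on an individual field such as OU, which is what this script does.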

