On Wed, Nov 1, 2017 at 2:08 PM, Steffan Karger <stef...@karger.me> wrote:
> Coming back to tls-crypt/tls-auth key rotation: the preferred way is
> what Ilya suggested: add a new openvpn daemon which is using the new key
> and is running on another port, then migrate your clients to the new
> server and finally kill the old server.

I guess we could assign new (2nd) IP addresses to the existing servers,
and use identical configs - except for the new keys - and then alter DNS to
round-robin? That way old-key clients would fail against the new IP but
work on the old, and new-key clients would work on the new IP but fail on
the old. Then after we see no more old-key connections, change the old IP
server config to match the new.

(I don't want to use more ports because we already use the good ones ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
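The cut-over condition in the proposal above ("after we see no more old-key connections") can be checked from the two daemons' logs. The script below is an added example, not part of this thread or of OpenVPN itself; it assumes OpenVPN 2.4-style server log lines at --verb 3, and the sample lines are constructed.

```python
import re
from collections import Counter

# Patterns for the two OpenVPN 2.4 log messages that matter for a tls-crypt
# key rotation (format assumed from a --verb 3 server log, not from the thread).
CONNECTED = re.compile(
    r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with \[AF_INET\](?P<ip>[\d.]+):\d+")
BAD_KEY = re.compile(
    r"TLS Error: tls-crypt unwrapping failed from \[AF_INET\](?P<ip>[\d.]+):\d+")


def summarize(log_text):
    """Count completed handshakes per client CN and tls-crypt rejects per peer IP.

    A peer whose packets fail tls-crypt unwrapping holds a key that does not
    match this daemon's key, e.g. an old-key client that DNS round-robin sent
    to the new-key IP.
    """
    connected, bad_key = Counter(), Counter()
    for line in log_text.splitlines():
        if m := CONNECTED.search(line):
            connected[m["cn"]] += 1
        elif m := BAD_KEY.search(line):
            bad_key[m["ip"]] += 1
    return {"connected": connected, "bad_key": bad_key}


def ready_to_cutover(old_daemon_log, new_daemon_log):
    """True when no client completed a handshake on the old-key daemon and
    none was rejected by the new-key daemon, i.e. no old-key client remains."""
    old, new = summarize(old_daemon_log), summarize(new_daemon_log)
    return not old["connected"] and not new["bad_key"]


# Constructed sample log lines for the old-key and new-key daemons.
OLD_KEY_DAEMON = """\
Wed Nov  1 14:10:03 2017 203.0.113.50:51234 [laptop-old] Peer Connection Initiated with [AF_INET]203.0.113.50:51234
"""
NEW_KEY_DAEMON = """\
Wed Nov  1 14:11:40 2017 203.0.113.50:51300 tls-crypt unwrap error: packet authentication failed
Wed Nov  1 14:11:40 2017 203.0.113.50:51300 TLS Error: tls-crypt unwrapping failed from [AF_INET]203.0.113.50:51300
Wed Nov  1 14:12:01 2017 198.51.100.7:40001 [laptop-new] Peer Connection Initiated with [AF_INET]198.51.100.7:40001
"""

if __name__ == "__main__":
    print(summarize(NEW_KEY_DAEMON))
    print("cut over now?", ready_to_cutover(OLD_KEY_DAEMON, NEW_KEY_DAEMON))
```

In practice the two logs would be read from the daemons' log files over the observation window rather than from inline strings.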
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
