On 25.07.23 18:10, Jason Long via Openvpn-users wrote:
> Hello,
> I have a question and I'm thankful if someone clears it up for me.
> I guess it would be better if each server has its own key files, but does "the server" mean the server configuration file or an OpenVPN (physical or VM) server?
> I mean, if an OpenVPN server has a lot of server configuration files (server-1.conf, server-2.conf, ...) and they all use the same key files, is there a problem?
OpenVPN, unlike browsers/websites or the SMTP world, does *not* come with built-in expectations that the cert must "match" the server in any way; instead, verification of the server cert is put into the hands of the client configuration (via the --remote-cert-*, --verify-x509-name etc. statements). Which is relevant because it is discouraged to have several simultaneous *certs* with the same ID, like when you want different *privkeys* to ID the same way.

Having said that, if you want the clients to auto-failover between several instances, like with <connection> profiles, the client needs a *common* way to verify all those servers' certs, with them all using the same keypair/cert being the simplest way to ensure that. On the other hand, if someone manages to hack a server (VM) and grabs the keys there, you have an interest in disabling only *that* server, and not others just because they use the same now-compromised keypair.
That trade-off is essentially yours to gauge ...

Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
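The client-side verification and <connection> failover described in the reply above, written out as a client profile. This is an added example, not configuration from the list post or from the OpenVPN project; the hostnames vpn1.example.net / vpn2.example.net, the file names and the certificate CNs are placeholders. It goes one step beyond the post: instead of one shared keypair/cert, each server gets its own key and a cert whose CN shares a common prefix, and the client pins that prefix with `verify-x509-name ... name-prefix`, so all instances still verify under one rule while a compromised server's cert can be revoked on its own.

```conf
# Added example client profile (not from the original message).
# Assumed placeholders: vpn1/vpn2.example.net, ca.crt, client.crt/key,
# server CNs "vpn1.example.net" and "vpn2.example.net".
client
dev tun
proto udp
nobind
persist-key
persist-tun
remote-random

# Auto-failover: try each instance in turn.
<connection>
remote vpn1.example.net 1194 udp
</connection>
<connection>
remote vpn2.example.net 1194 udp
</connection>

ca ca.crt
cert client.crt
key client.key

# The *common* verification rule for whichever instance answers.
# 1. The server cert must be issued by our CA (ca.crt above).
# 2. It must carry the TLS "server" key usage, so a stolen *client*
#    cert from the same CA cannot impersonate a server:
remote-cert-tls server
# 3. Its CN must match. With one shared keypair/cert on all instances
#    you would pin the exact name:
#       verify-x509-name "vpn.example.net" name
#    With one keypair/cert *per* instance (distinct private keys), give
#    them CNs with a common prefix and pin the prefix instead, so the
#    rule still covers every instance:
verify-x509-name "vpn" name-prefix

# Optional: if an instance is compromised, revoke only its cert and
# ship the CRL to clients; the other instances keep working.
# crl-verify crl.pem
```

The `name-prefix` match is deliberately loose (any CN starting with "vpn" issued by this CA passes), so keep the CA private and dedicated to this deployment. Without `remote-cert-tls server`, any certificate the CA has issued, including client certs, would satisfy the check.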