Hello, thank you for your time. So, if I need an auto-failover mechanism, then my servers' (physical or VM) key files must be the same, and if I don't need that mechanism, then all server configuration files can use the same keys. Am I right?
Sent from Yahoo Mail on Android

On Tue, Jul 25, 2023 at 9:09 PM, Jochen Bern <jochen.b...@binect.de> wrote:

On 25.07.23 18:10, Jason Long via Openvpn-users wrote:
> Hello, I have a question and I'm thankful if someone clears it up for me.
> I guess it would be better if each server has its own key files, but does
> "the server" mean the server configuration file or an OpenVPN (physical or
> VM) server? I mean, if an OpenVPN server has a lot of server configuration
> files (server-1.conf, server-2.conf, ...) and they all use the same key
> files, is there a problem?

OpenVPN, unlike browsers/websites or the SMTP world, does *not* come with
builtin expectations that the cert must "match" the server in any way;
instead, verification of the server cert is put into the hands of the client
configuration (via the --remote-cert-*, --verify-x509-name etc. statements).
Which is relevant because it is discouraged to have several simultaneous
*certs* with the same ID, like when you want different *privkeys* to ID the
same way.

Having said that, if you want the clients to auto-failover between several
instances, like with <connection> profiles, the client needs a *common* way
to verify all those servers' certs, with them all using the same keypair/cert
being the simplest way to ensure that.

On the other hand, if someone manages to hack a server (VM) and grabs the
keys there, you have an interest to disable only *that* server, and not
others just because they use the same now-compromised keypair.

That trade-off is essentially yours to gauge ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
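The failover setup Jochen describes, written out as an added example client profile that is not part of the original thread. It uses several <connection> blocks, remote-cert-tls and verify-x509-name as named in his reply; the hostnames, ports and file names are assumed placeholders. Variant A is the case from the thread (every instance shares one keypair/cert, so one exact name check covers them all). Variant B goes one step beyond the thread: each instance gets its own keypair under a common CN prefix, so clients still verify all instances with one statement, while a compromised server's cert can be revoked on its own via a CRL.

```conf
# Added example (not the thread's own configuration): OpenVPN client
# profile that fails over between two server instances.
client
dev tun
nobind
persist-key
persist-tun
# Retry the next <connection> after a short wait instead of hanging on one.
connect-retry 5
connect-timeout 10
# Optional: pick a random starting profile to spread load across instances.
remote-random

# Profiles are tried in turn; every instance reached through them must be
# verifiable with the single policy below.
<connection>
remote vpn1.example.com 1194 udp
</connection>

<connection>
remote vpn2.example.com 1194 udp
</connection>

<connection>
remote vpn2.example.com 443 tcp
</connection>

ca ca.crt
cert client.crt
key client.key
# Control-channel key; the same tls-crypt (or tls-auth) key must be deployed
# on every instance or failover fails at the handshake.
tls-crypt tc.key

# Refuse a peer cert that was not issued for the server role, so a stolen
# client cert cannot be used to impersonate a server.
remote-cert-tls server

# Variant A (the thread's case): all instances share one keypair/cert,
# so an exact CN match is enough.
verify-x509-name vpn.example.com name

# Variant B: per-instance keypairs, CNs issued as vpn1.example.com,
# vpn2.example.com, ... by the same CA. One prefix check still covers them
# all, and a CRL lets you drop only the instance whose keys were taken.
# Enable these two lines and comment out the Variant A line to use it.
#verify-x509-name vpn name-prefix
#crl-verify ca-crl.pem
```

With Variant B, the prefix check is only as strict as the CA's issuing policy: any cert the CA signs with a CN starting with "vpn" will pass, so the CA must reserve that prefix for server certs. Keeping the CRL distributed to clients is the cost of being able to revoke one instance without touching the others, which is the trade-off the reply above leaves to the operator.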