On Thu, 17 Aug 2023 12:17:06 +0000 (UTC), Jason Long via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>>1- What is the difference between /etc/openvpn and /etc/openvpn/server
>>directories? I put my server.conf file in the /etc/openvpn directory and
>>it worked.
>
>>You are running an *old* version of OpenVPN!
>>The service infrastructure has changed and OpenVPN now defaults to using
>>two subdirectories (client and server) to /etc/openvpn to handle the two
>>different uses of it.
>>Please read up on how it works in the new docs.
>
>>2- You said "./easyrsa sign-req client client", make those unique ideally
>>per device, not just per user. How to make it unique per user?
>
>>You have to generate *separate* encryption files for each client where the CN
>>entry is *unique*, otherwise the server can never differentiate between them
>>and you cannot allow/block clients individually.
>>Also you open for abuse of your server.
>
>>If I have 1000 clients, then I must generate 1000 key files???
>
>>Exactly!
>
>>3- For the CA certificate, I must use "Server" not "server". May I ask why?
>
>>So you are not aware that Linux is case sensitive?
>>"Server" is NOT equal to "server"...
>>So what you use depends on what *exact* name you set the CN to when
>>generating the files.
>
>
>Hello,
>Thank you so much.
>If I forget the CN name, then if I open the "ca.crt" file and click on the
>Details tab and check the Issuer section, then this is the name that I have
>entered during generating the key?
>

No-no-no!
We are talking about the CLIENTS here!
Every client must have a unique Common Name assigned to it!!!!!!!!

If anything the CN will be inside the ClientCN.crt, but you should really
consider keeping tabs on what you are doing...

For each *client* easyrsa generates a number of separate crypto files and the
common name (CN) is used in that process. The CN will be embedded in the files
themselves but is also the name of the files being generated.

So in my case I have a directory where I manage the clients and where the
client files reside somewhere on the server.
Note that this location is NOT where the server runs! This is an admin location
and only the files needed for the OpenVPN server's operation will be copied to
the server's keys dir and the path entered into the server's conf file.

Each client in my case has 3 different files here (CommonName is the CN name of
each client):
CommonName.key
CommonName.crt
CommonName.csr

In the process of creating these the SERVER side ca.crt (or possibly ca.key) is
used to sign the client files (don't remember now since I have created a script
that handles it all when I need to make a new client).

Anyway the final job for you to do for each client is to assemble the files
into the client's ovpn file and it shall contain:
- The client configuration commands
- The server certificate
- The client certificate
- The client key
- The tls-auth OpenVPN static key if password protection of the ovpn file is set.

-- 
Bo Berglund
Developer in Sweden
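
The per-client assembly step described in the reply above, as an added example that is not part of the original post and is not Bo Berglund's own script. The directory layout and the file names base.conf and ta.key are assumptions; the inline `<ca>` block is filled from ca.crt, and `key-direction 1` assumes the server side uses 0.

```bash
#!/usr/bin/env bash
# Added example: assemble one unified .ovpn profile per client CN.
# Hypothetical admin-directory layout (an assumption, not from the post):
#   $dir/ca.crt  $dir/ta.key  $dir/base.conf  $dir/<CN>.crt  $dir/<CN>.key

# Print only the PEM block of a file. easyrsa-issued .crt files carry a
# human-readable dump before the BEGIN line, and ta.key starts with comments.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn <CN> <admin-dir> <out-dir>
build_ovpn() {
    local cn="$1" dir="$2" out="$3" f
    # The CN doubles as a file name, so accept only a conservative character set.
    case "$cn" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid CN: $cn" >&2; return 2 ;;
    esac
    # Every part must exist and be non-empty before anything is written.
    for f in ca.crt ta.key base.conf "$cn.crt" "$cn.key"; do
        [ -s "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 3; }
    done
    # One profile per unique CN: never silently overwrite an existing one.
    [ ! -e "$out/$cn.ovpn" ] || { echo "$cn.ovpn already exists" >&2; return 4; }
    (
        umask 077   # the profile embeds the client's private key
        {
            cat "$dir/base.conf"
            echo "key-direction 1"   # assumption: server uses key-direction 0
            echo "<ca>";       pem_only "$dir/ca.crt";  echo "</ca>"
            echo "<cert>";     pem_only "$dir/$cn.crt"; echo "</cert>"
            echo "<key>";      pem_only "$dir/$cn.key"; echo "</key>"
            echo "<tls-auth>"; pem_only "$dir/ta.key";  echo "</tls-auth>"
        } > "$out/$cn.ovpn"
    )
}
```

Called as `build_ovpn alice-laptop /path/to/admin-dir /path/to/profiles`, it refuses to reuse a CN that already has a profile, which keeps one certificate and key pair per device.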