On 23.08.23 13:20, Jason Long via Openvpn-users wrote:
You said that in your test, the file name *does* match, then you changed IPs stated *in* the file, then asked the list how it's possible that the client can *still* connect. Why, rather than explain why you would expect such an effect in the first place, do you *now* bring up the filename aspect again?

> As I understand, if the file name is not equal to the CN name in the client.crt file, then the client can't connect to the OpenVPN server.
> Excuse me, is the ccd-exclusive statement the best way to filter the clients? For example, I only want to allow clients to connect to the server whose CN name is Trusted.
I.e., you want a default-deny behavior. "ccd-exclusive" is one way to achieve that, and one that works for clients that connect from "wherever on the Internet" and can *lose* your trust later on. Off the top of my head, the only available "drop-in replacement" would be to properly *revoke* client certs, and keep the servers informed of the revocations (by CRL, OCSP or whatever).
Otherwise:

*If* you can pinpoint clients' IPs, you can let iptables do the filtering.

*If* you won't withdraw trust once it has been given, even if the device gets into someone else's hands, just run a tight ship on client cert generation/handout.
*If* you have actual administrative control over clients whenever necessary, prepare to send them a delete-keypair-and-secret command when they lose your trust.
Etcetera.

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
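A worked server-side configuration for the default-deny setup discussed above, added here as an example and not taken from the thread; the paths, the second CN and the CRL location are assumptions.

```conf
# Added example (not from the thread). Paths and the CN "Lost-Laptop"
# are assumptions; "Trusted" is the CN named in the question.

# Permissive: "client-config-dir" on its own admits every client whose
# certificate chains to the CA. A CN without its own ccd file just falls
# back to ccd/DEFAULT (if present) or to the plain server defaults.
#client-config-dir /etc/openvpn/server/ccd

# Default-deny: with ccd-exclusive, the existence of ccd/<CN> becomes a
# condition of the TLS handshake. ccd/DEFAULT does NOT satisfy it, so a
# CN you never provisioned is refused even with a valid certificate.
client-config-dir /etc/openvpn/server/ccd
ccd-exclusive

# Revocation, the "drop-in replacement" mentioned above: certificates on
# the CRL are rejected regardless of ccd state. Regenerate the CRL with
# your CA tooling when a client loses your trust; OpenVPN 2.4 and later
# pick up the changed file without a restart.
crl-verify /etc/openvpn/server/crl.pem

# Directory layout that goes with the lines above:
#   /etc/openvpn/server/ccd/Trusted       an empty file is enough to admit
#   /etc/openvpn/server/ccd/Lost-Laptop   contains the single line "disable",
#                                         which rejects that client even though
#                                         its file exists (or delete the file)
#   /etc/openvpn/server/ccd/DEFAULT       optional; grants nothing under
#                                         ccd-exclusive
# The file name must match the CN as OpenVPN reports it: characters it
# considers unsafe in a file name are rewritten to "_" before the lookup.
```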
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users