On 30/08/2023 07:45, Jason Long via Openvpn-users wrote:
Hello, I configured OpenVPN to use the username and password for authentication, but I need to have the "ca.crt", "cert server.crt", "server.key" and "dh.pem" certificates.
There are 2 sets of certificates and keys.
* Server side: Uses ca.crt, server.crt, server.key and dh.pem
* Client side: Uses ca.crt, client.crt and client.key
The difference between these certificates and keys is very important to have a clear understanding of. Each certificate provides an identity of the server or client and should be unique per host and user.
So, what's the advantage of using this authentication method when I still need to use these keys?
Certificate based authentication is quite strong. And in many cases, that is more than enough. OpenVPN can also be configured to not use client certificates, in this case username/password authentication is mandatory. For such setups, the client side only needs the ca.crt (to verify the identity of the VPN server).
Or you can combine certificate with username/password authentication. This can be used if you want to grant different access to the network(s) behind the VPN server depending on which device a user is connecting from.
And there is another aspect as well. Some deployments let both gateway/routers connect to a VPN server as well as individual users. In this case, those gateway/router hosts will NOT use username/password - only certificates. While the individual end-users might do only username/password authentication.
Which approach to use depends entirely on your own network's needs and the threat model you operate under. There is no "X is better than Y" scenario in this case; it depends entirely on your own security needs.
-- kind regards, David Sommerseth OpenVPN Inc
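As an added illustration (not part of David's reply, nor taken from the OpenVPN project's own sample configs), here are server.conf and client.ovpn fragments for the two non-default modes he describes. The script path, CCD directory, device CN and route are placeholders; the directive names are real OpenVPN 2.4+ options.

```conf
# ===== server.conf, mode "username/password only" =====
# The server still needs its own identity material; clients do not present a cert.
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem

# Do not require (or verify) a client certificate at all.
# OpenVPN 2.4+ name; older releases used the deprecated client-cert-not-required.
verify-client-cert none

# Username/password is now the only identity check, so a verifier is mandatory.
# Placeholder script: receives the credentials via a temp file and must exit 0
# only for a valid user. script-security 2 is needed to allow calling scripts.
script-security 2
auth-user-pass-verify /etc/openvpn/check-user.sh via-file

# With no client cert there is no CN; use the authenticated username instead
# for logging, client-config-dir lookups and per-user state.
username-as-common-name

# ===== server.conf, mode "certificate AND username/password" =====
# Keep ca/cert/key/dh and auth-user-pass-verify from above, but REMOVE both
# verify-client-cert none and username-as-common-name, so that:
#   - the device is identified by its client certificate (CN), and
#   - the user is identified by the credential check.
# Per-device network access is then bound to the certificate CN:
client-config-dir /etc/openvpn/ccd
# Reject client certs the CA did not explicitly issue as client certs.
remote-cert-tls client
# Placeholder: /etc/openvpn/ccd/<device-CN> could contain
#   push "route 10.20.0.0 255.255.255.0"
# so only that device's tunnel is offered the 10.20.0.0/24 route.

# ===== client.ovpn, common to both modes =====
client
remote vpn.example.org 1194 udp
ca ca.crt                 # only needed to verify the SERVER's identity
auth-user-pass            # prompt for username/password
remote-cert-tls server    # refuse to connect to a non-server certificate
# Add "cert client.crt" and "key client.key" ONLY for the combined mode.
```

The CCD directory lets the gateway/router and end-user cases David mentions coexist on one server: a per-CN file for each router (certificate only) and the credential check for everyone else.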