> On Tuesday, January 16th, 2024 at 11:38 AM, Gert Doering 
> <g...@greenie.muc.de> wrote:


> Hi,
> 
> On Tue, Jan 16, 2024 at 08:03:41AM +0000, Peter Davis wrote:
> 
> > 1- You said "I said that OpenVPN will (by default) disallow multiple logins 
> > with the same client key+cert.", so if I generate a client key using the 
> > commands below, then I can't use this key on multiple devices at the same 
> > time?
> 
> 
> This is the point. The key uniquely identifies a client (device).
> 
> > # ./easyrsa gen-req <client name> nopass
> > # ./easyrsa sign-req client <client name>
> > 
> > I think you are wrong, I generated a client key using the command above and 
> > was able to use it on multiple devices at the same time!!!
> 
> 
> You can use it, but every connection with a given key will kick out all
> other existing connections with the same key. You can use "duplicate-cn"
> in your server config to permit parallel connections with the same key,
> but it is not recommended to do so.
> 
> > 2- I know that it is better for each client to have its own unique key. Now 
> > if one of the clients shares his/her key with others, then if I have used 
> > the "--auth-user-pass" option, then two people cannot use the same username 
> > and password to login at the same time if each client has its own unique 
> > key?
> 
> 
> There is nothing "built-in" which would achieve this, but you can use
> scripts (--client-connect, for example) to tie username and key together,
> so if you see "client A" being used for "username B", you can either
> disallow the connection, or get them fired for violating corporate
> regulations.
> 
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hi,
Thanks again.
1- So, by default, only one person can connect to the server at the same time 
with one key. The reason I hadn't noticed this is because OpenVPN Connect is 
apparently connected. Isn't there a way for the program to terminate and the 
user to notice?

2- So an option like --auth-user-pass and connection with Active Directory is 
only to increase the level of security. Am I right?


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
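
Gert's suggestion of tying username and key together with a --client-connect script could be implemented as follows. This is an added example, not code from the thread or from the OpenVPN project; the map file path, its "common_name username" line format and the logger tag are assumptions, and names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: client-connect script that binds a certificate CN to one username.
# Assumption: MAP_FILE (hypothetical path and format) holds one
# "common_name username" pair per line; lines starting with '#' are comments.
MAP_FILE="${MAP_FILE:-/etc/openvpn/cn-user.map}"

# check_binding CN USERNAME [MAPFILE]
# Returns 0 only when the exact pair is listed; every other case fails closed.
check_binding() {
    cn="$1"; user="$2"; map="${3:-$MAP_FILE}"
    # An empty value means certificate or user/pass auth was not enforced.
    [ -n "$cn" ] && [ -n "$user" ] || return 1
    # An unreadable map must reject, not silently allow.
    [ -r "$map" ] || return 1
    # Values reach awk through the environment, so client-supplied strings
    # are never interpreted as regexes, escapes or shell syntax.
    # Appending "" forces string comparison ("007" must not equal "7").
    VPN_CN="$cn" VPN_USER="$user" awk '
        $1 ~ /^#/ || NF < 2 { next }
        ($1 "") == (ENVIRON["VPN_CN"] "") &&
        ($2 "") == (ENVIRON["VPN_USER"] "") { found = 1; exit }
        END { exit !found }
    ' "$map"
}

# OpenVPN exports script_type, common_name and username to the script.
# The guard keeps the function sourceable without side effects.
if [ "${script_type:-}" = "client-connect" ]; then
    if check_binding "${common_name:-}" "${username:-}"; then
        exit 0
    fi
    logger -t openvpn-bind \
        "reject: cert CN '${common_name:-}' used with username '${username:-}'"
    exit 1    # a non-zero exit makes the server refuse the connection
fi
```

The server needs `script-security 2` and a `client-connect` line pointing at the script, plus a username/password verification method so that `username` is set. Do not combine it with `username-as-common-name`, which replaces the certificate CN with the username before the check can compare them.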
