[kwlug-disc] OpenVPN with multiple servers

Paul Nijjar paul_nijjar at yahoo.ca
Tue Dec 21 02:52:59 EST 2010

I think this is less of an OpenVPN and question and more of a PKI
question, but whatever. 

I have site to site OpenVPN working with one server and a bunch of
clients. Let's call this ServerA. 

Now I want to add a ServerB. It will be a distinct OpenVPN server. I
want the clients that work on ServerA not to work on ServerB, and vice

Being ignorant, I used easy-rsa to generate my certificates for
ServerA. The easy (and maybe correct) way to generate certificates for
ServerB would be to specify a completely different directory, and
generate a new ca.crt/key/csr, server.crt/key/csr, dh1024.pem and
everything else. I can do that, but I am trying to understand why I
can't keep all the keys in one place. 

My guess is that I would use: 
- The same ca.crt/key/csr for ServerA and ServerB
- Different server certs for the two servers (call them
  serverA.crt/key/csr and serverB.crt/key/csr)

I don't know what my guess is for dh1024.pem .

I also don't understand how client keys relate to server keys. As far
as I can see I never have to relate a server and a client key. Maybe
the build-key script somehow makes the server key sign the client one,
but I am not sure how it would know what my server key was. 

As far as I can tell this setup would allow any client (whether
intended for serverA or serverB) to connect to any server. Is that

What am I misunderstanding? Is there a way I can use a single keys
directory to store keys for both these servers? 

ALso, what is dh1024.pem for? I know that it stands for Diffie-Hellman
parameters and I know that it is used for some TLS handshake sorcery.
I would imagine that this should be different for each server, but I
don't know why, given that we don't need to keep this file (which is
the only dh1024 file created) secret. 

What happens if I ran the "build-dh" script multiple times? What

- Paul


More information about the kwlug-disc mailing list