[kwlug-disc] OpenVPN with multiple servers
paul_nijjar at yahoo.ca
Tue Dec 21 02:52:59 EST 2010
I think this is less of an OpenVPN and question and more of a PKI
question, but whatever.
I have site to site OpenVPN working with one server and a bunch of
clients. Let's call this ServerA.
Now I want to add a ServerB. It will be a distinct OpenVPN server. I
want the clients that work on ServerA not to work on ServerB, and vice
Being ignorant, I used easy-rsa to generate my certificates for
ServerA. The easy (and maybe correct) way to generate certificates for
ServerB would be to specify a completely different directory, and
generate a new ca.crt/key/csr, server.crt/key/csr, dh1024.pem and
everything else. I can do that, but I am trying to understand why I
can't keep all the keys in one place.
My guess is that I would use:
- The same ca.crt/key/csr for ServerA and ServerB
- Different server certs for the two servers (call them
serverA.crt/key/csr and serverB.crt/key/csr)
I don't know what my guess is for dh1024.pem .
I also don't understand how client keys relate to server keys. As far
as I can see I never have to relate a server and a client key. Maybe
the build-key script somehow makes the server key sign the client one,
but I am not sure how it would know what my server key was.
As far as I can tell this setup would allow any client (whether
intended for serverA or serverB) to connect to any server. Is that
What am I misunderstanding? Is there a way I can use a single keys
directory to store keys for both these servers?
ALso, what is dh1024.pem for? I know that it stands for Diffie-Hellman
parameters and I know that it is used for some TLS handshake sorcery.
I would imagine that this should be different for each server, but I
don't know why, given that we don't need to keep this file (which is
the only dh1024 file created) secret.
What happens if I ran the "build-dh" script multiple times? What
More information about the kwlug-disc