[kwlug-disc] OpenVPN with multiple servers

John Van Ostrand john at netdirect.ca
Tue Dec 21 09:48:00 EST 2010

----- Original Message -----
> I think this is less of an OpenVPN and question and more of a PKI
> question, but whatever.
> I have site to site OpenVPN working with one server and a bunch of
> clients. Let's call this ServerA.
> Now I want to add a ServerB. It will be a distinct OpenVPN server. I
> want the clients that work on ServerA not to work on ServerB, and vice
> versa.
> Being ignorant, I used easy-rsa to generate my certificates for
> ServerA. The easy (and maybe correct) way to generate certificates for
> ServerB would be to specify a completely different directory, and
> generate a new ca.crt/key/csr, server.crt/key/csr, dh1024.pem and
> everything else. I can do that, but I am trying to understand why I
> can't keep all the keys in one place.
> My guess is that I would use:
> - The same ca.crt/key/csr for ServerA and ServerB
> - Different server certs for the two servers (call them
> serverA.crt/key/csr and serverB.crt/key/csr)
> I don't know what my guess is for dh1024.pem .
> I also don't understand how client keys relate to server keys. As far
> as I can see I never have to relate a server and a client key. Maybe
> the build-key script somehow makes the server key sign the client one,
> but I am not sure how it would know what my server key was.
> As far as I can tell this setup would allow any client (whether
> intended for serverA or serverB) to connect to any server. Is that
> correct?
> What am I misunderstanding? Is there a way I can use a single keys
> directory to store keys for both these servers?
> Also, what is dh1024.pem for? I know that it stands for Diffie-Hellman
> parameters and I know that it is used for some TLS handshake sorcery.
> I would imagine that this should be different for each server, but I
> don't know why, given that we don't need to keep this file (which is
> the only dh1024 file created) secret.
> What happens if I ran the "build-dh" script multiple times? What
> breaks?

I'm not sure if you're asking for easy rsa, openvpn or general certificate help here, but I'll open my mouth anyway.

I can't directly address your use of easy rsa or openvpn, but I can address the concept of certificates.

Keep in mind two of the key concepts of security: identification and authorization.

Generally speaking certificates are validated against a known authority to establish identification. The known authority signs all certificates. In your case the known authority is the directory. Clients (which includes openvpn servers) have the authority's public key and use it to validate that the authority has signed the client certificate. This is how identification works and has nothing to do with authorization. Services then can choose how to authorize a client. It could pull it from a directory, have it hard coded in a config file, stored in a database, or any other way. Typically in a directory setting you want to use the directory to store authorization as well so that you can revoke access in a central location. This is generally achieved in a directory using an additional attribute. There is no standard so it could be any attribute.

In a pure sense you can use a single directory to handle identification and authorization for a large number of servers, so I doubt an additional directory is what you need. You likely need a different configuration for the other openVPN server or at worst a different OU in which to store authorization information.

You have a couple of tools you can use to inspect what is going on.

The openssl command has a lot of functionality that is not easy to discover and it isn't intuitive to anyone not familiar with the various encryption and encoding schemes used by certificates (that includes me), but it can decode that PEM file for you.

The other handy tool is tcpdump. I use it to inspect queries to the directory. When configuring software it's not always easy to tell what directory queries are being used to determine authorization. Fortunately LDAP queries contain enough plain text to see what is going on and the results. You may have to turn off TLS/SSL on the LDAP connection to see what's going on.

Once I find the queries I can use ldapsearch to experiment with different queries.

This means getting used to the LDAP query syntax. It's a little backwards: (|(expr1)(expr2)) means expr1 OR expr2. Nesting makes it more awkward: (&(|(expr1)(expr2))(expr3)) means (expr1 OR expr2) AND (expr3).

John Van Ostrand 
CTO, co-CEO 
Net Direct Inc. 
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6 
Ph: 866-883-1172 x5102 
Fx: 519-883-8533 

Linux Solutions / IBM Hardware 
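A small evaluator for the prefix-notation LDAP filter syntax described in the reply, added here as an example and not part of the original thread. The directory entries and the `vpnserver` attribute are constructed to mirror the "additional attribute" approach to storing per-server authorization; `search()` returns what an ldapsearch with that filter would match.

```python
# Minimal LDAP search-filter evaluator (RFC 4515 subset: &, |, !, attr=value, attr=*).
# Added example; entries and attribute names below are constructed, not from any real directory.

def parse_filter(text):
    """Parse a filter like (&(|(a=1)(b=2))(c=3)) into a nested (op, ...) tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":                      # prefix operator followed by child filters
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            node = (op, children)
        else:                                # simple item: attr=value or attr=* (presence)
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            pos = end
            node = ("=", attr.strip().lower(), value)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                         # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

# Constructed sample entries: which OpenVPN server each client is authorized for.
ENTRIES = {
    "cn=alice": {"cn": ["alice"], "vpnserver": ["serverA"]},
    "cn=bob":   {"cn": ["bob"],   "vpnserver": ["serverB"]},
    "cn=carol": {"cn": ["carol"], "vpnserver": ["serverA", "serverB"]},
    "cn=dave":  {"cn": ["dave"]},            # valid identity, authorized for nothing
}

def search(filter_text, entries=ENTRIES):
    """Return the DNs whose entry satisfies the filter, like an ldapsearch result set."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, e in entries.items() if matches(tree, e))
```

A ServerA instance would authorize with a filter such as `(&(cn=<client CN>)(vpnserver=serverA))`, so a certificate that the shared CA validates for identification still fails authorization on the wrong server.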
