[kwlug-disc] OpenVPN with multiple servers

L.D. Paniak ldpaniak at fourpisolutions.com
Tue Dec 21 10:03:47 EST 2010


On Tue, 2010-12-21 at 02:52 -0500, Paul Nijjar wrote:
> I think this is less of an OpenVPN question and more of a PKI
> question, but whatever. 
> 
> I have site to site OpenVPN working with one server and a bunch of
> clients. Let's call this ServerA. 
> 
> Now I want to add a ServerB. It will be a distinct OpenVPN server. I
> want the clients that work on ServerA not to work on ServerB, and vice
> versa.
> 
> Being ignorant, I used easy-rsa to generate my certificates for
> ServerA. The easy (and maybe correct) way to generate certificates for
> ServerB would be to specify a completely different directory, and
> generate a new ca.crt/key/csr, server.crt/key/csr, dh1024.pem and
> everything else. I can do that, but I am trying to understand why I
> can't keep all the keys in one place. 
> 
> My guess is that I would use: 
> - The same ca.crt/key/csr for ServerA and ServerB
> - Different server certs for the two servers (call them
>   serverA.crt/key/csr and serverB.crt/key/csr)
> 
> I don't know what my guess is for dh1024.pem .
> 
> I also don't understand how client keys relate to server keys. As far
> as I can see I never have to relate a server and a client key. Maybe
> the build-key script somehow makes the server key sign the client one,
> but I am not sure how it would know what my server key was. 
> 
> As far as I can tell this setup would allow any client (whether
> intended for serverA or serverB) to connect to any server. Is that
> correct?
> 
> What am I misunderstanding? Is there a way I can use a single keys
> directory to store keys for both these servers? 
> 
> Also, what is dh1024.pem for? I know that it stands for Diffie-Hellman
> parameters and I know that it is used for some TLS handshake sorcery.
> I would imagine that this should be different for each server, but I
> don't know why, given that we don't need to keep this file (which is
> the only dh1024 file created) secret. 
> 
> What happens if I run the "build-dh" script multiple times? What
> breaks?
> 
> 
> - Paul
> 

A couple of questions:

Are the Server B clients currently serviced by Server A?  Or are they
new clients?  

Are Server A and Server B running on the same physical machine
(different ports)?
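The point Paul is circling, that a client certificate is trusted by whichever CA signed it and has no relationship to any particular server certificate, is easy to see with plain openssl. The script below is an added example written for this archive page; it is not from either poster and not from easy-rsa. It builds one shared CA (Paul's "same ca.crt for both servers" guess) and then two separate CAs, signs a client under each, and runs the same chain check OpenVPN performs with its `ca` file. All names (shared, serverA, serverB, clientA, clientB) are constructed for the demo.

```shell
#!/bin/sh
# Added example: show which CA a client cert chains to.  Not easy-rsa, not
# OpenVPN config; it only exercises the trust relationship the thread asks about.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : self-signed CA, stored as NAME-ca.crt / NAME-ca.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" \
    -subj "/CN=$1 CA" >/dev/null 2>&1
}

# make_client NAME CA : client key + CSR for NAME, signed by CA.
# Note that no server certificate is involved anywhere in this step.
make_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/$2-ca.crt" -CAkey "$WORK/$2-ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# chains_to CLIENT CA : print "ok" if CLIENT's cert verifies against the CA
# named CA, "rejected" otherwise.  A server whose ca file is CA-ca.crt would
# accept or refuse the client's TLS handshake on exactly this basis.
chains_to() {
  if openssl verify -CAfile "$WORK/$2-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# Case 1: one CA for everything.  Both clients verify against the one ca.crt,
# so either server shipping that ca.crt would accept either client.
make_ca shared
make_client sharedA shared
make_client sharedB shared
echo "shared CA: sharedA -> $(chains_to sharedA shared), sharedB -> $(chains_to sharedB shared)"

# Case 2: a CA per server.  clientA chains only to serverA's CA, so a server
# configured with serverB-ca.crt rejects it during the handshake.
make_ca serverA
make_ca serverB
make_client clientA serverA
make_client clientB serverB
echo "clientA vs serverA CA: $(chains_to clientA serverA)"
echo "clientA vs serverB CA: $(chains_to clientA serverB)"
echo "clientB vs serverA CA: $(chains_to clientB serverA)"
```

Run it with any OpenSSL 1.x or 3.x in PATH; it needs no OpenVPN installation. The practical reading is that keeping one keys directory with a single CA gives every client access to every server, and the simplest way to keep the client populations apart is a separate CA (and therefore a separate ca.crt on each server); finer per-client control on a shared CA has to come from OpenVPN's own certificate checks, such as a `tls-verify` script, rather than from anything in the key directory layout.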