[kwlug-disc] OpenVPN with multiple servers
ldpaniak at fourpisolutions.com
Tue Dec 21 10:03:47 EST 2010
On Tue, 2010-12-21 at 02:52 -0500, Paul Nijjar wrote:
> I think this is less of an OpenVPN question and more of a PKI
> question, but whatever.
> I have site to site OpenVPN working with one server and a bunch of
> clients. Let's call this ServerA.
> Now I want to add a ServerB. It will be a distinct OpenVPN server. I
> want the clients that work on ServerA not to work on ServerB, and vice
> Being ignorant, I used easy-rsa to generate my certificates for
> ServerA. The easy (and maybe correct) way to generate certificates for
> ServerB would be to specify a completely different directory, and
> generate a new ca.crt/key/csr, server.crt/key/csr, dh1024.pem and
> everything else. I can do that, but I am trying to understand why I
> can't keep all the keys in one place.
> My guess is that I would use:
> - The same ca.crt/key/csr for ServerA and ServerB
> - Different server certs for the two servers (call them
> serverA.crt/key/csr and serverB.crt/key/csr)
> I don't know what my guess is for dh1024.pem.
> I also don't understand how client keys relate to server keys. As far
> as I can see I never have to relate a server and a client key. Maybe
> the build-key script somehow makes the server key sign the client one,
> but I am not sure how it would know what my server key was.
> As far as I can tell this setup would allow any client (whether
> intended for serverA or serverB) to connect to any server. Is that
> What am I misunderstanding? Is there a way I can use a single keys
> directory to store keys for both these servers?
> Also, what is dh1024.pem for? I know that it stands for Diffie-Hellman
> parameters and I know that it is used for some TLS handshake sorcery.
> I would imagine that this should be different for each server, but I
> don't know why, given that we don't need to keep this file (which is
> the only dh1024 file created) secret.
> What happens if I ran the "build-dh" script multiple times? What
> - Paul
A couple of questions:
Are the Server B clients currently serviced by Server A? Or are they
Are Server A and Server B running on the same physical machine
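As an added example (not code from the thread), the following shell script builds two independent CAs under one working directory, issues one client certificate from each, and runs the chain check that OpenVPN's --ca option performs on a connecting peer. The names serverA, serverB, clientA and clientB are made up, and the script assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Two independent CAs kept under one
# working directory, one client certificate issued by each, then a check of
# which client chains to which CA. Names are made up; assumes openssl on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key in $WORK/NAME/
make_ca() {
  mkdir -p "$WORK/$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1/ca.key" -out "$WORK/$1/ca.crt" \
    -subj "/CN=$1-CA" >/dev/null 2>&1
}

# issue_cert CA CERTNAME: CSR for CERTNAME, signed by that CA's key only
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1/$2.key" -out "$WORK/$1/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$1/$2.csr" \
    -CA "$WORK/$1/ca.crt" -CAkey "$WORK/$1/ca.key" -CAcreateserial \
    -out "$WORK/$1/$2.crt" >/dev/null 2>&1
}

# chains_to ISSUER CERTNAME TRUSTED_CA: exit 0 if the certificate validates
# against TRUSTED_CA's ca.crt, the same check OpenVPN's --ca option applies.
chains_to() {
  openssl verify -CAfile "$WORK/$3/ca.crt" "$WORK/$1/$2.crt" >/dev/null 2>&1
}

make_ca serverA; make_ca serverB
issue_cert serverA clientA; issue_cert serverB clientB

# Each client against each CA: only the issuing CA accepts it.
for pair in "serverA clientA serverA" "serverA clientA serverB" \
            "serverB clientB serverB" "serverB clientB serverA"; do
  set -- $pair
  if chains_to "$1" "$2" "$3"; then verdict=accepted; else verdict=rejected; fi
  echo "$2 (issued by $1 CA) against $3 CA: $verdict"
done
```

A client certificate validates only against the CA that signed it, so keeping both servers' material in one directory tree is fine as long as each server's --ca points at its own CA; with a single shared CA, either server would accept both clients unless it restricts peers further (for example with a --tls-verify script).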