openvpn woes

Corey Edwards tensai at zmonkey.org
Wed Nov 9 09:16:39 MST 2005


On Wed, 2005-11-09 at 08:35 -0700, Andrew McNabb wrote:
> On Wed, Nov 09, 2005 at 08:23:36AM -0700, Hans Fugal wrote:
> > 
> > Provided you're using the server mode (which implies TLS). If you are
> > using e.g. preshared keys then you'd have to run a second daemon on the
> > "server" peer (with its own tun).
> > 
> 
> Could you explain that a little more?  I'm not familiar with this second
> way.  Thanks.

TLS is the way to go. First, a few references.
        
        http://mia.ece.uic.edu/~papers/volans/openvpn.html
        http://eifit.org/downloads/openvpn-presentation.txt

The gist of it is to create a CA certificate, then create a server cert
(signed by the CA), and finally client certs (also signed) for each
client. Doing so you can support any number of clients with just the one
server config.

Once you go to TLS you can also use per-client settings using the
client-config-dir setting. I use that to push extra IP addresses to
specific clients.

Corey
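The procedure Corey describes above (a CA, a CA-signed server certificate, one CA-signed certificate per client, and per-client settings keyed off the certificate under client-config-dir), carried through as an added example; this is not code from the original post or from the OpenVPN project. It builds the certificates with plain openssl rather than easy-rsa, and every name, path and address in it (the CNs "vpn-server", "laptop" and "homebox", the 10.8.0.0/24 tunnel network, the 192.168.50.0/24 subnet behind one client) is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway OpenVPN TLS PKI
# built with openssl, plus a server config whose per-client settings live in
# client-config-dir files named after each client certificate's CN.
# All CNs, paths and addresses below are assumptions for illustration.
set -eu

OUTDIR=$(mktemp -d)   # everything is written under a temporary directory

# Certificate profiles. A client configured with "remote-cert-tls server" checks
# the key usage bits and the serverAuth EKU of the peer, so a leaked client cert
# (clientAuth only) cannot be used to impersonate the server. Keep the profiles
# distinct; a single "both uses" profile defeats that check.
write_ext_cnf() {
    cat > "$OUTDIR/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_cert NAME PROFILE: key + CSR for CN=NAME, signed by the CA with PROFILE.
issue_cert() {
    name=$1; profile=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -config "$OUTDIR/ext.cnf" \
        -keyout "$OUTDIR/$name.key" -out "$OUTDIR/$name.csr" 2>/dev/null
    openssl x509 -req -in "$OUTDIR/$name.csr" \
        -CA "$OUTDIR/ca.crt" -CAkey "$OUTDIR/ca.key" -CAcreateserial -days 825 \
        -extfile "$OUTDIR/ext.cnf" -extensions "$profile" \
        -out "$OUTDIR/$name.crt" 2>/dev/null
}

build_pki() {
    write_ext_cnf
    # Self-signed CA; it signs the server cert and every client cert below.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example VPN CA" \
        -config "$OUTDIR/ext.cnf" -extensions ca \
        -keyout "$OUTDIR/ca.key" -out "$OUTDIR/ca.crt" 2>/dev/null
    issue_cert vpn-server server
    issue_cert laptop client      # one cert per client; its CN names the ccd file
    issue_cert homebox client
}

# verify_chain NAME: does NAME.crt chain to our CA?  (exit status is the answer)
verify_chain() {
    openssl verify -CAfile "$OUTDIR/ca.crt" "$OUTDIR/$1.crt" >/dev/null
}

# has_eku NAME TEXT: is the named extended key usage present in NAME.crt?
has_eku() {
    openssl x509 -in "$OUTDIR/$1.crt" -noout -text | grep -q "$2"
}

# One server config serves every client. ccd-exclusive refuses any client whose
# CN has no file in ccd/, so a freshly issued cert alone is not enough to connect.
# dh.pem is not generated here (openssl dhparam -out dh.pem 2048 is slow).
write_server_conf() {
    cat > "$OUTDIR/server.conf" <<EOF
port 1194
proto udp
dev tun
topology subnet
ca $OUTDIR/ca.crt
cert $OUTDIR/vpn-server.crt
key $OUTDIR/vpn-server.key
dh $OUTDIR/dh.pem
server 10.8.0.0 255.255.255.0
route 192.168.50.0 255.255.255.0
client-config-dir $OUTDIR/ccd
ccd-exclusive
EOF
    mkdir -p "$OUTDIR/ccd"
}

# write_ccd_entry CN ADDR MASK [SUBNET MASK]: pin the client's tunnel address and,
# optionally, tell the server which client to send SUBNET to (iroute pairs with
# the matching "route" line in server.conf).
write_ccd_entry() {
    cn=$1; addr=$2; mask=$3
    {
        echo "ifconfig-push $addr $mask"
        if [ $# -ge 5 ]; then
            echo "iroute $4 $5"
        fi
    } > "$OUTDIR/ccd/$cn"
}

if command -v openssl >/dev/null 2>&1; then
    build_pki
    verify_chain vpn-server && verify_chain laptop && verify_chain homebox
else
    echo "openssl not found; skipping certificate generation" >&2
fi
write_server_conf
write_ccd_entry laptop  10.8.0.5 255.255.255.0
write_ccd_entry homebox 10.8.0.9 255.255.255.0 192.168.50.0 255.255.255.0
echo "wrote PKI and config under $OUTDIR"
```

The ccd file name must match the client certificate's CN exactly (OpenVPN remaps characters outside its allowed set to underscores), which is why the client CN is chosen as a plain hostname-style string here; without ccd-exclusive, a client with no ccd file simply gets the defaults from the server line, so add it when every client is supposed to have a pinned entry.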
