Virtual Static IPv4 address


Post by DieterH » Wed Oct 23, 2019 8:03 am

Good morning,

I run an OpenVPN server (v2.4) to allow project partners access to our data center. For project partner A I set up a CCD file to ensure a virtual static IPv4 address (topology subnet). Everything works fine.

Project partner B has many VPN clients, each of which needs a unique virtual static IPv4 address. As the CCD files are based on Common Names (CN), one solution would be to create a unique user, a unique client CRT file and also a unique client KEY file. This is basically the approach used for project partner A.

Having already pointed out that the name of each CCD file is the CN, I tried the following approach:
1. Creating a "universal" client CRT and client KEY file, thus resulting in a "template CRT file". The CN is set to "ProjB".
2. Defining unique tokens serving as CNs; these tokens are "ProjB_client1" and "ProjB_client2".
3. Copying the CRT file (from step 1) and replacing in the copied files the CN entry "ProjB" by "ProjB_client1" and "ProjB_client2" respectively, leaving all other stuff in the copied files untouched.
4. Creating 2 CCD files "ProjB_client1" and "ProjB_client2".
5. Making project partner B install these modified CRT files (Note: Project partner B can successfully establish a connection to OpenVPN server with the original CRT file).
6. When establishing a connection with the modified CRT files (the original client KEY file is still in use and has not been exchanged), the following error messages show up:
Tue Oct 22 12:11:44 2019 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Tue Oct 22 12:11:44 2019 Cannot load private key file /home/xxxx/OpenVPN/config/ProjB.key
Tue Oct 22 12:11:44 2019 Error: private key password verification failed
Tue Oct 22 12:11:44 2019 Exiting due to fatal error

There are several questions now:
1. What is basically wrong with my approach described above? (Only the CN in the client CRT file was replaced.)
2. Is there a better way of assigning virtual static IPv4 addresses for many VPN clients (my test was for 2 VPN clients only, but B has many VPN clients)?

Appreciating your answers.

Best regards
Dieter
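
Added example, not part of the original post and not OpenVPN project code: because the server picks the CCD file by the Common Name of the certificate a client presents, fixed addresses for many clients come down to one CA-issued certificate and one CCD file per client. The sketch below generates those CCD files in topology subnet syntax; the subnet 10.8.0.0/24, the start address 10.8.0.100 and the function names are assumptions, and the ProjB_client names follow the post.

```python
import ipaddress
import re
from pathlib import Path

# The CN doubles as the CCD file name, so restrict it to characters that are
# safe in a file name (this rejects path separators and whitespace).
SAFE_CN = re.compile(r"[A-Za-z0-9_.-]+")


def build_ccd(common_names, subnet, first_host):
    """Map each CN to the contents of its CCD file (topology subnet syntax).

    subnet     -- the VPN subnet, e.g. "10.8.0.0/24" (constructed sample value)
    first_host -- first static address to assign; assumed to lie outside the
                  addresses used by the server itself and by dynamic clients
    """
    net = ipaddress.ip_network(subnet)
    addr = ipaddress.ip_address(first_host)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    ccd = {}
    for cn in common_names:
        if not SAFE_CN.fullmatch(cn) or cn in (".", ".."):
            raise ValueError(f"unsafe common name: {cn!r}")
        if cn in ccd:
            raise ValueError(f"duplicate common name: {cn!r}")
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            raise ValueError("subnet has no free host address left")
        # In topology subnet the second argument is the netmask.
        ccd[cn] = f"ifconfig-push {addr} {net.netmask}\n"
        addr += 1
    return ccd


def write_ccd(ccd, directory):
    """Write one file per CN into the directory named by client-config-dir."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    for cn, body in ccd.items():
        (out / cn).write_text(body)


if __name__ == "__main__":
    clients = [f"ProjB_client{i}" for i in range(1, 4)]  # constructed sample CNs
    for cn, body in build_ccd(clients, "10.8.0.0/24", "10.8.0.100").items():
        print(cn, "->", body, end="")
```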
