I run an OpenVPN server (v2.4) to allow project partners access to our data center. For project partner A I set up a CCD file to ensure a virtual static IPv4 address (topology subnet). Everything works fine.
Project partner B has many VPN clients, each of which needs a unique virtual static IPv4 address. As the CCD files are based on Common Names (CN), one solution would be to create a unique user, a unique client CRT file and also a unique client KEY file. This approach is basically the one used for project partner A.
Having already pointed out that the name of each CCD file is the CN, I tried the following approach:
1. Creating a "universal" client CRT and client KEY file, thus resulting in a "template CRT file". The CN is set to "ProjB".
2. Defining unique tokens serving as CNs; these tokens are "ProjB_client1" and "ProjB_client2".
3. Copying the CRT file (from step 1) and replacing in the copied files the CN entry "ProjB" by "ProjB_client1" and "ProjB_client2" respectively, leaving all other stuff in the copied files untouched.
4. Creating 2 CCD files "ProjB_client1" and "ProjB_client2".
5. Making project partner B install these modified CRT files (Note: Project partner B can successfully establish a connection to OpenVPN server with the original CRT file).
6. When establishing a connection with the modified CRT files (the original client KEY file is still in use and has not been exchanged), the following error messages show up:
Tue Oct 22 12:11:44 2019 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Tue Oct 22 12:11:44 2019 Cannot load private key file /home/xxxx/OpenVPN/config/ProjB.key
Tue Oct 22 12:11:44 2019 Error: private key password verification failed
Tue Oct 22 12:11:44 2019 Exiting due to fatal error
There are several questions now:
1. What is basically wrong with my approach described above (only the CN in the client CRT file was replaced)?
2. Is there a better way of assigning virtual static IPv4 addresses for many VPN clients (my test was for 2 VPN clients only, but B has many VPN clients)?
Appreciating your answers.
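For the second question, a small helper added here as an example (not code from this thread): it generates one CCD file per client from a CN-to-address map for a "topology subnet" server. It assumes a server subnet of 10.8.0.0/24 (a constructed value) and that each CN belongs to a certificate the CA actually issued, since the CN sits inside the signed part of the certificate and cannot simply be edited into a copy of another client's file.

```python
"""Generate OpenVPN client-config-dir (CCD) files for many clients.

Each client gets a fixed virtual IPv4 address via "ifconfig-push <ip> <mask>"
(the form used with "topology subnet"). The CCD file name must equal the CN
of the certificate the CA issued for that client.
"""
import ipaddress
import re
from pathlib import Path

# Assumption for this example: server runs "server 10.8.0.0 255.255.255.0"
# with "topology subnet", so 10.8.0.1 is the server's own address.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")
# Keep the CN usable as a plain file name (no path separators or spaces).
CN_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")


def build_ccd(assignments, subnet=VPN_SUBNET):
    """Map {cn: ip} to {cn: ccd_text}; raise ValueError on bad or duplicate input."""
    reserved = {subnet.network_address, subnet.broadcast_address, subnet[1]}
    seen = {}
    out = {}
    for cn, ip_str in assignments.items():
        if not CN_RE.match(cn):
            raise ValueError(f"CN {cn!r} is not a safe CCD file name")
        ip = ipaddress.ip_address(ip_str)
        if ip not in subnet:
            raise ValueError(f"{ip} is not inside VPN subnet {subnet}")
        if ip in reserved:
            raise ValueError(f"{ip} is reserved (network, broadcast or server)")
        if ip in seen:
            raise ValueError(f"{ip} assigned to both {seen[ip]} and {cn}")
        seen[ip] = cn
        out[cn] = f"ifconfig-push {ip} {subnet.netmask}\n"
    return out


def write_ccd(assignments, ccd_dir):
    """Write one file per CN into ccd_dir; return the sorted list of CNs written."""
    ccd_dir = Path(ccd_dir)
    ccd_dir.mkdir(parents=True, exist_ok=True)
    files = build_ccd(assignments)
    for cn, text in files.items():
        (ccd_dir / cn).write_text(text)
    return sorted(files)


if __name__ == "__main__":
    # Constructed sample: the two CNs from the question plus their addresses.
    print(write_ccd({"ProjB_client1": "10.8.0.11", "ProjB_client2": "10.8.0.12"},
                    "/tmp/ccd-example"))
```

Point the server's client-config-dir at the output directory; a CN that has no file there falls back to the dynamic pool.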