Imbedding Multiple Certificates


Imbedding Multiple Certificates

Post by buchbri » Mon Jul 04, 2022 2:49 pm

I have 2 locations with VPN set up. They are interconnected via redundant connections.

I have OpenVPN installed on the client side.

What I would like to do is have the users connect to the primary location and if that is down then try the secondary connection.

Because the Certificates are different I need to be able to select the certificate based on the location.

To further complicate this, I have the certs imbedded so that there is a single file to send with all the config information.

Is this doable in a single config file?


Re: Imbedding Multiple Certificates

Post by openvpn_inc » Wed Jul 06, 2022 3:30 pm

Hi buchbri,

You can't load configurations for multiple servers into one connection profile.

What you can do is run, for example, OpenVPN Access Server in cluster mode. The same configuration profile with the same certificates will then be accepted by multiple servers, so that if one goes down, it can reconnect to any of the others.

You could also approach the problem on a higher level. Have 2 servers, 2 connection profiles, and set up a simple script that tells OpenVPN to connect to the first server with the first connection profile. And if that fails for some reason, tell it to use the second server with the second connection profile instead.

But in any case, trying to load 2 sets of certificates into 1 connection profile is not a supported use case.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
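
The two-profile fallback described in the reply above, sketched as an added example (not part of the original posts and not OpenVPN Inc. code). It assumes the community `openvpn` command-line client rather than OpenVPN Connect, that `openvpn` exits non-zero once it gives up connecting, and hypothetical profile names `primary.ovpn` and `secondary.ovpn`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the community "openvpn" CLI and
# two complete profiles, each embedding its own CA, certificate and key.
OPENVPN_BIN="${OPENVPN_BIN:-openvpn}"

# Each profile embeds a private key, so refuse files that are missing or
# carry any group/other permission bits (accepts modes such as 600 or 400).
profile_is_safe() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    # GNU/busybox stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Try each profile in the order given; return 0 once a session ends cleanly,
# 1 if every profile was skipped or failed.
connect_with_failover() {
    for profile in "$@"; do
        if ! profile_is_safe "$profile"; then
            echo "skipping $profile: missing or accessible by group/other" >&2
            continue
        fi
        echo "trying $profile" >&2
        # --connect-retry-max 1 tries each remote once and then exits, instead
        # of retrying forever. Assumption: openvpn exits non-zero when it gives up.
        if "$OPENVPN_BIN" --config "$profile" --connect-retry-max 1 --connect-timeout 10; then
            return 0
        fi
        echo "$profile failed, falling back to the next profile" >&2
    done
    return 1
}

# Usage: sh vpn-failover.sh primary.ovpn secondary.ovpn   (hypothetical file names)
[ "$#" -eq 0 ] || connect_with_failover "$@"
```

Because each profile keeps its own embedded certificate set, neither server's CA has to change; the permission check exists because every distributed profile contains a private key.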


Re: Imbedding Multiple Certificates

Post by openvpn_inc » Thu Jul 07, 2022 5:39 pm

Hi,

Another possibility is to have the same TLS CA for both servers, so that the single client certificate will work in both places. Then multiple --remote lines in the same profile could point to different servers. (Note if you're using --auth-user-pass or any other kind of secondary authentication, both servers would need to have an entry for that user.)

This is in effect the same thing that using an Access Server cluster would do, but there, a single hostname would resolve to multiple nodes.

regards, rob0
