OVPN server, DHCP and static IP clients and security issues

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

nosenose3
OpenVpn Newbie
Posts: 1
Joined: Thu Oct 01, 2015 7:19 pm

OVPN server, DHCP and static IP clients and security issues

Post by nosenose3 » Thu Oct 01, 2015 7:52 pm

I have created a VPN with the following features: a server and many clients sharing the same certificate so that the server has the duplicate-cn directive activated.

The network has external devices (50 and growing), office devices (5) and the server (Windows Server 2008). Everything works fine but I wonder if it is possible to configure an OpenVPN server with the following assumptions:

- External devices must have dynamic IP (duplicate-cn directive)
- Office devices must have a static IP so I will create a unique certificate for each one.
- Office devices must be able to communicate with external devices (e.g. open ssh sessions), (client-to-client directive)
- The server and office devices must be protected from possible attacks from external devices, i.e., the initialization of any communication (omitting the initial connection to the VPN) will always be from server or office devices to external devices.

This is the actual server conf:

Code:

port 23259
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

and the actual client conf (same for all client devices):

Code:

client
dev tun
proto udp
remote myServerIP 23259
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\client.key"
ns-cert-type server
comp-lzo
verb 3

Is this possible?

Thanks!

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: OVPN server, DHCP and static IP clients and security iss

Post by Traffic » Fri Oct 02, 2015 1:03 pm

Yes it is possible.

You will probably find this helpful:
HOWTO: For OpenVPN Community Edition
