
I have a simple setup like this:

SERVER ---- INTERNET ---- CLIENT

On SERVER I already have OpenVPN set up with a certificate for CLIENT. On CLIENT I already have OpenVPN set up to contact the server using its key, and this is working fine.

Now I would like to set up another OpenVPN connection between SERVER and CLIENT with different settings (let's say the first is TCP and the other is UDP, for example).

In this scenario, can I reuse the certificate/key from the first connection in the configuration of the second?

Is this a good practice? Why/Why not? Any caveats to know about?

1 Answer


Sure, you can reuse it. I'd say it's preferred if your client is the same machine / user. You can also use the OpenVPN config directive duplicate-cn, which will tell the OpenVPN daemon to accept multiple clients with the same certificate.

No, it is not good practice:

  • because if one certificate is compromised you may lose security at many points of your network,
  • you can use the CN field in the SSL certificate, which needs to be unique for every client, to do many nice things in OpenVPN: for instance CN <-> OpenVPN IP address association, or a ccd config dir for each client (a different configuration per client).

But it may be accepted in small networks or some configurations.

Michal Sokolowski
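To make the two-instance setup from the question concrete, here is a worked configuration added by the editor; it is not part of the question or the answer above. It assumes the server runs two OpenVPN instances (TCP/443 and UDP/1194) from files under /etc/openvpn/, that all certificates were issued by one CA, and that the client certificate's CN is "client1"; the paths, ports, subnets, hostname vpn.example.com and the CN are all assumptions. Both server instances share one server certificate, and the client uses its single certificate in both profiles, which is exactly the reuse the question asks about.

```conf
# ===== SERVER SIDE =====

# --- /etc/openvpn/server/tcp.conf  (first instance, TCP/443; assumed path) ---
port 443
proto tcp-server
dev tun0
topology subnet
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
server 10.8.0.0 255.255.255.0
# per-client settings are looked up by the CN of the client certificate
client-config-dir /etc/openvpn/ccd-tcp
# only certificates issued for client use may connect as clients
remote-cert-tls client
# duplicate-cn is deliberately NOT set: on this instance a second session
# presenting the same CN replaces the first one

# --- /etc/openvpn/server/udp.conf  (second instance, UDP/1194; assumed path) ---
port 1194
proto udp
dev tun1
topology subnet
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt      # same server certificate as tcp.conf
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
server 10.9.0.0 255.255.255.0         # separate subnet so the two tunnels do not clash
client-config-dir /etc/openvpn/ccd-udp
remote-cert-tls client

# --- /etc/openvpn/ccd-tcp/client1  (file name == CN "client1" of the client cert) ---
# fixed address for this CN on the TCP instance, inside 10.8.0.0/24
ifconfig-push 10.8.0.10 255.255.255.0

# --- /etc/openvpn/ccd-udp/client1 ---
# the same CN gets a different fixed address on the UDP instance
ifconfig-push 10.9.0.10 255.255.255.0

# ===== CLIENT SIDE =====

# --- client1-tcp.ovpn ---
client
dev tun
proto tcp-client
remote vpn.example.com 443            # assumed hostname
ca   ca.crt
cert client1.crt                      # one client certificate ...
key  client1.key
remote-cert-tls server                # refuse a peer that presents a client cert as the server

# --- client1-udp.ovpn ---
client
dev tun
proto udp
remote vpn.example.com 1194
ca   ca.crt
cert client1.crt                      # ... reused unchanged in the second profile
key  client1.key
remote-cert-tls server
```

Two points worth checking in this layout. First, the ccd file name must match the certificate CN, so the per-client address and any other per-client directives still work even though the same certificate is used twice; each instance has its own client-config-dir, so "client1" can be given different settings on TCP and on UDP. Second, duplicate-cn is only needed when the same CN connects more than once to the same instance; the TCP and UDP instances above each track their own sessions, so client1 can hold one tunnel on each without it. The trade-off the answer describes is visible here too: revoking client1's certificate (for example via crl-verify on both instances) cuts both tunnels at once, because there is only one credential behind them.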