-1

Using OpenVPN, I can enable 2-way authentication with certificates, private keys and a CA-certificate.

In my understanding, this only provides authentication (the client is, who he says he is) but not authorization (access control). OpenVPN just assumes that a valid authentication is also an access authorization.

If I now run a second VPN server, using the same CA, will the clients of the first also have access to the second VPN?

If I want to avoid this - clients with keys/certs for the first VPN server should not be able to access the second VPN server (and reverse) - what are my options?

  • use a different CA for each server (ugly in my opinion)
  • use an access control list based on the common name (CN) (not so practical)
  • use firewall / iptables (not so practical)

Am I missing a way to somehow limit access of a certain client to a certain server?

Philipp
  • 4,659
  • 9
  • 48
  • 69

1 Answers1

0

Citing Jan Just Keijser from the OpenVPN forum

openvpn provides authentication, not access control (authorization), nor should it, in my opinion. The options you mention are the only options you have, unless you also want to throw in username+password control.

you could use a sub-CA (intermediary CA) ; each client cert would be signed by a specific sub-CA ; the clients need only the "root" CA to connect to a server, but the servers can allow access based on the sub-CA used for a client.

Philipp
  • 4,659
  • 9
  • 48
  • 69