Web lists-archives.com

Re: OpenVPN & Debian Stretch




On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote:
> Has anyone set up OpenVPN with ssh-keygen -t rsa ?
> 

Technically, you can do that.

In practice, you need to have a CA set up, of which easy-rsa is
the simplest choice.

Why? Revocation.

Let's suppose you have an SSH server. Because you are cautious,
you require SSH key auth. One day your laptop is stolen. It has
an SSH private key on it, so you go over to
~/.ssh/authorized_keys and delete the matching public key. Good, 
you have secured your server against unauthorized use of your
account.

OpenVPN doesn't do that. OpenVPN assumes that any properly
signed certificate is wonderful, and you can't get rid of one
just by removing a cert entry on your side. Instead, you need
to formally revoke the certificate, and keep it revoked until 
it reaches its expiration date.

https://community.openvpn.net/openvpn/wiki/Hardening

-dsr-