OpenVPN Client/User Management?



  • Now that I've got my test XP machine connecting to the pfSense OpenVPN server, my next question is how does client/user management scale?  I imagine I'm just missing something - but at a glance, and after doing some searching - isn't user/client management going to be somewhat painful?

    For instance, I'm generating client certificates from my Ubuntu box today - and let's say I've got a couple of hundred potential users (and thus certificates).  Currently, users connect using a PPTP user account.  My problem is how do I manage all those OpenVPN certificates?  Obviously we'll need to add the OpenVPN client to our client machine image.  But besides scriptomatically deploying connection certificates on a per-user basis, is there a better way?  Excuse the ignorance - but can I revoke user certificates from my Ubuntu machine - and if so how does that take effect within the OpenVPN server?  It seems as though there would not be an easy way to revoke a key - because how would OpenVPN know that it's been revoked, without revoking all keys?

    Thanks for the help!



  • Your questions have already been answered in the forum before.

    To summarize:
    Key management should come in a future version.
    Until then you have to do it manually. Read the sticky about that.

    You can revoke single clients with the CRL (look at the web interface for that and read about it on http://openVPN.net).

    pfSense is not much more than a GUI for creating the server config files.
    If you really want to use it, you won't get around knowing how OpenVPN works.

    OpenVPN can run in two "modes".
    Shared Key and PKI.

    In a shared key setup you connect two computers. Not more.
    This is for site-to-site.

    In a PKI every client has his own key and certificate. (You can't have the same key for multiple clients.)
    This is for a RoadWarrior setup.
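How per-client revocation through a CRL works, as an added example that is not part of either post: the CA marks one serial number as revoked and publishes a signed list, and the check against that list rejects only that certificate. The CA, the client names `alice` and `bob`, and all file names are constructed for the demo; an OpenVPN server is pointed at such a list with its `crl-verify` directive.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI: demo CA plus clients "alice" and "bob" (assumed names).
set -eu
PKI=$(mktemp -d)
build_demo_pki() (
  cd "$PKI"
  mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj "/CN=demo-ca" -days 30 2>/dev/null
  for u in alice bob; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$u.key" -out "$u.csr" -subj "/CN=$u" 2>/dev/null
    openssl ca -batch -config ca.cnf -in "$u.csr" -out "$u.crt" 2>/dev/null
  done
  # Revoke only bob: his serial is flagged in index.txt, then a fresh signed CRL is issued.
  openssl ca -config ca.cnf -revoke bob.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)
# Verify a client cert against the CA and the CRL; prints valid, revoked or error.
cert_status() {
  out=$(openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/crl.pem" "$PKI/$1.crt" 2>&1) && { echo valid; return 0; }
  case $out in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}

build_demo_pki
echo "alice: $(cert_status alice)  bob: $(cert_status bob)"
```

The CRL has a limited lifetime (`default_crl_days`), so it has to be regenerated and copied to the server on a schedule as well as after each revocation.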

