
Re: OpenVPN & Debian Stretch



On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote:
> Has anyone set up OpenVPN with ssh-keygen -t rsa ?
> 

Technically, you can do that.

In practice, you need to have a CA set up, of which easy-rsa is
the simplest choice.

Why? Revocation.

Let's suppose you have an SSH server. Because you are cautious,
you require SSH key auth. One day your laptop is stolen. It has
an SSH private key on it, so you go over to
~/.ssh/authorized_keys and delete the matching public key. Good, 
you have secured your server against unauthorized use of your
account.

OpenVPN doesn't do that. OpenVPN assumes that any properly
signed certificate is wonderful, and you can't get rid of one
just by removing a cert entry on your side. Instead, you need
to formally revoke the certificate, and keep it revoked until 
it reaches its expiration date.

https://community.openvpn.net/openvpn/wiki/Hardening

-dsr-
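The revocation point above, as an added example that is not part of dsr's reply: a throwaway CA built with plain openssl(1) (easy-rsa wraps this same `openssl ca` machinery), which issues a client cert, then shows that the "stolen" copy still chains to the CA even after every copy the admin holds is deleted, and only stops being accepted once the CA revokes it and publishes a CRL. It assumes openssl(1) on PATH and a POSIX sh; the directory layout, config section names and the `demo-ca`/`laptop` common names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a temporary CA with
# plain openssl(1) and walks through issue -> theft -> delete -> revoke.
# Assumptions: openssl(1) on PATH, POSIX sh; all names are hypothetical.
set -eu

# verify_cert CA LEAF [CRL]: exit 0 if LEAF chains to CA (and, when a
# CRL is given, is not listed in it). This is the check an OpenVPN server
# effectively performs with "ca ca.crt" plus "crl-verify crl.pem".
verify_cert() {
    if [ $# -ge 3 ]; then
        openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# write_ca_config DIR: the minimal openssl.cnf that `openssl ca` needs.
# "\$dir" is left for openssl to expand; "$1" is expanded by the shell.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
x509_extensions  = client_ext
[ policy_cn_only ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
prompt           = no
[ req_dn ]
commonName       = placeholder
EOF
}

# run_demo: prints "<result after deleting our copies> <result after revoking>".
run_demo() {
    work=$(mktemp -d)
    cfg="$work/openssl.cnf"
    write_ca_config "$work"
    mkdir "$work/newcerts" "$work/issued"
    : > "$work/index.txt"
    echo 01 > "$work/serial"

    # 1. The CA itself: the part that `ssh-keygen -t rsa` alone never gives you.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$work/ca.key" -out "$work/ca.crt" -days 365 \
        -subj /CN=demo-ca -config "$cfg" -extensions ca_ext

    # 2. Laptop key + CSR, signed by the CA. The CA keeps its own copy of
    #    every cert it issues (easy-rsa does the same under pki/issued/).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/laptop.key" 2>/dev/null
    openssl req -new -key "$work/laptop.key" -out "$work/laptop.csr" \
        -subj /CN=laptop -config "$cfg"
    openssl ca -batch -config "$cfg" -in "$work/laptop.csr" \
        -out "$work/laptop.crt" -notext >/dev/null 2>&1
    cp "$work/laptop.crt" "$work/issued/laptop.crt"

    # 3. The laptop is stolen: the thief now holds laptop.key + laptop.crt.
    cp "$work/laptop.crt" "$work/stolen.crt"

    # 4. The SSH reflex: delete the copy we handed out. The server only ever
    #    trusts ca.crt, so the thief's copy still validates.
    rm "$work/laptop.crt"
    if verify_cert "$work/ca.crt" "$work/stolen.crt"; then
        after_delete=accepted
    else
        after_delete=rejected
    fi

    # 5. The real fix: revoke at the CA (from its own record, since the
    #    laptop is gone) and publish a CRL the server checks against.
    openssl ca -batch -config "$cfg" -revoke "$work/issued/laptop.crt" \
        -crl_reason keyCompromise >/dev/null 2>&1
    openssl ca -batch -config "$cfg" -gencrl -out "$work/crl.pem" >/dev/null 2>&1
    if verify_cert "$work/ca.crt" "$work/stolen.crt" "$work/crl.pem"; then
        after_revoke=accepted
    else
        after_revoke=rejected
    fi

    rm -rf "$work"
    echo "$after_delete $after_revoke"
}

run_demo
```

With easy-rsa 3 the same two revocation steps are `./easyrsa revoke laptop` followed by `./easyrsa gen-crl`, and the resulting `pki/crl.pem` is what the server's `crl-verify` directive points at. One caveat worth knowing before relying on this: a CRL carries its own expiry (`nextUpdate`, here 30 days via `default_crl_days`), and once it lapses the verification fails for every client, not just the revoked one, so regenerating the CRL on a schedule is part of running the CA.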

