From: Timothy M. <gay...@ei...> - 2009-04-24 11:51:59

William Maddler wrote:

>> I have (had) an openvpn client in a distant land,
>> which I won't be visiting for a few weeks.
>>
>> This remote machine is called "martha", running Fedora-10.
>>
>> My server is www.gayleard.com, running Centos-5.3.
>>
>> When creating a certificate for martha, with easy-rsa's build-key,
>> I originally gave www.gayleard.com as "hostname or server-name",
>> not realising that this last part of the cn-name
>> is used by openvpn to identify clients.
>>
>> However, I also gave this answer
>> when creating certificates for other clients,
>> with the result that there was some duplication of IP addresses,
>> causing confusion.
>>
>> So I decided to re-create certificates for all the clients,
>> using their hostnames instead.
>> This worked fine for the local machines.
>> But when I applied it to martha, and re-started openvpn
>> on this remote machine, I lost contact with martha
>> and have not heard from her since.
>>
>> I should have said that connection with martha worked perfectly
>> when I used the server-name in creating martha's certificates.
>>
>> So I guess my question, if there is one, is:
>> should one treat remote and local clients differently in this respect,
>> ie should one use the server-name in certificates for remote clients?
>>
>> Any elucidation gratefully received.

> You can put whatever you want in the CN field. That field is used to
> match configuration on server.

I'm not sure what you are saying.
As I said, putting the server-name into more than one client CN
caused confusion, as both clients got the same tun0 IP address.

But I'm not clear why changing the CN name in the certificates
for the remote client seemed to stop it running.
(I have no way at the moment of communicating with it,
so cannot tell what the problem was.)

It did seem from my brief experience with OpenVPN
that local and remote clients were not treated in the same way,
even apart from firewall issues.

> Have you checked clients' configuration files on server system?

Do you mean files like /etc/openvpn/ccd/martha ?
This contains the single line

    ifconfig-push 192.168.5.10 192.168.5.9

Should there be anything else in the file?

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin
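
Added example, not part of the original message and not OpenVPN or easy-rsa code: a server-side check that flags valid certificates sharing one CN and ccd files whose name matches no valid CN, the two mismatches discussed in this thread. It assumes the CA's index.txt uses the OpenSSL CA database layout (tab-separated, subject in the sixth field); the sample index, the ccd file names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of a CA index.txt (OpenSSL CA database layout, assumed):
# status, expiry, revocation date, serial, filename, subject (tab-separated).
SAMPLE_INDEX = "\n".join([
    "V\t190422115159Z\t\t01\tunknown\t/C=IE/O=Example/CN=server",
    "V\t190422115159Z\t\t02\tunknown\t/C=IE/O=Example/CN=www.example.com",
    "V\t190422115159Z\t\t03\tunknown\t/C=IE/O=Example/CN=www.example.com",
    "R\t190422115159Z\t090424115159Z\t04\tunknown\t/C=IE/O=Example/CN=oldlaptop",
    "V\t190422115159Z\t\t05\tunknown\t/C=IE/O=Example/CN=martha/emailAddress=root@example.com",
])

# Constructed list of file names found in the server's client-config-dir.
SAMPLE_CCD = ["martha", "oldlaptop"]


def valid_cns(index_text):
    """Return the CN of every certificate still marked valid (status 'V')."""
    cns = []
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6 or fields[0] != "V":
            continue  # skip revoked/expired entries and malformed lines
        match = re.search(r"/CN=([^/]+)", fields[5])
        if match:
            cns.append(match.group(1))
    return cns


def audit(index_text, ccd_names):
    """Compare valid certificate CNs with ccd file names (hypothetical helper)."""
    cns = valid_cns(index_text)
    counts = Counter(cns)
    return {
        # Two valid certificates with one CN look like the same client to the server.
        "duplicate_cn": sorted(cn for cn, n in counts.items() if n > 1),
        # A ccd file is looked up by CN; with no matching CN it is never applied.
        "ccd_without_cert": sorted(set(ccd_names) - set(cns)),
        # Informational: these CNs get no per-client settings such as ifconfig-push.
        "cert_without_ccd": sorted(set(cns) - set(ccd_names)),
    }


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_INDEX, SAMPLE_CCD).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Running it before re-issuing a certificate for an unattended remote client shows whether the new CN will still match its ccd file name.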