3

I have an OpenVPN gateway setup. A CA was created on the same server with Easy-RSA.

Each OpenVPN client has its own certificate-key pair issued with the aforementioned CA. Server has its own certificate and a private key.

Since the client's certificate and private key are indeed located on the client side and are used in the connection handshake, I can see how the OpenVPN server can identify a client connecting to it.

But the OpenVPN documentation states that there is mutual authentication going on, meaning that not only is the client authenticated to the server, but the server is also authenticated (its identity is verified) to the client. How could the client check that the server is indeed the server it intended to connect to?

My assumption is that since the client also has the common CA's cert, when the server presents its certificate, the client will try to verify it with the CA's cert. Is this how it will know that the server is the correct one?

forest
Maxim V. Pavlov

1 Answer

3

Yes, your guess is correct. OpenVPN has a built-in certificate management feature. This is the role of Easy-RSA, as I am guessing you already know. Easy-RSA is an RSA key management package based on OpenSSL. It allows you to build your own root CA and to generate and manage the clients' certificate/key pairs and the server certificate/key pair. Mutual authentication (bidirectional authentication) then works out of the box.

The case is different if you use an external CA, for example if you want to use third-party tools for X.509 PKI management. In this case, the OpenVPN Access Server will not manage client certificates directly. The external CA PKI software will be used to generate and distribute certificate/key pairs to the client machines, and a server certificate/key pair to the OpenVPN server.

Ubaidah