#1 2023-08-05 23:16:16

eom.dev
Member
Registered: 2022-02-11
Posts: 57

Hosting OpenVPN (and Easy-RSA?)

Assuming the VPN and CA are different machines, does the CA need to remain active on the network once the files from Easy-RSA are generated?  If not, would it be sensible to use my local machine as the CA? 

This is a network of QEMU/KVM virtual machines.  If the CA is to be an active node on the network, and the network is composed of vms, does it still make sense to separate the CA from the VPN both in terms of network security and in the generation of cryptographic keys?

#2 2023-08-06 07:17:39

-thc
Member
Registered: 2017-03-15
Posts: 516

Re: Hosting OpenVPN (and Easy-RSA?)

eom.dev wrote:

Assuming the VPN and CA are different machines, does the CA need to remain active on the network once the files from Easy-RSA are generated?

No.

eom.dev wrote:

If not, would it be sensible to use my local machine as the CA?

That depends on your level of security paranoia and the amount of follow-up work once the VPN is up. The heart of your PKI's security is the two files for your CA (key and certificate). Every other certificate can be revoked and checked by OpenVPN.

#3 2023-08-07 13:45:23

eom.dev
Member
Registered: 2022-02-11
Posts: 57

Re: Hosting OpenVPN (and Easy-RSA?)

-thc wrote:

That depends on your level of security paranoia and the amount of follow-up work once the VPN is up. The heart of your PKI's security is the two files for your CA (key and certificate). Every other certificate can be revoked and checked by OpenVPN.

Could you elaborate on this? What would the security concerns be, and what follow-up work might be required for the CA machine?

#4 2023-08-07 14:24:40

-thc
Member
Registered: 2017-03-15
Posts: 516

Re: Hosting OpenVPN (and Easy-RSA?)

Ideally - from a strict security standpoint - the CA machine is completely isolated from any network. The issued certificates and keys must be transferred over this air gap - which would be cumbersome if you need a new VPN certificate every other day...

The most relaxed level would be to simply install EasyRSA on the VPN machine. In case of a compromise the PKI and VPN must be deleted and restarted from scratch - including all clients.

In between are any degrees of isolation between the CA and the VPN machine.

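The air-gapped arrangement from #4 and the revocation check mentioned in #2, as an added example that is not part of the thread: the Easy-RSA flow is done here with the openssl commands Easy-RSA wraps (easyrsa equivalents are in the comments), so it runs anywhere openssl is installed. The directories `$CA` and `$VPN`, the names `client1` and `Demo VPN CA`, and the minimal `ca.cnf` are constructed for the demo; the client key is written under `$VPN` only for brevity.

```sh
# Added example (not from the thread): the air-gapped Easy-RSA flow done with the
# openssl commands Easy-RSA wraps; easyrsa equivalents in comments. $CA stands for
# the offline CA machine, $VPN for the VPN server. ca.key never leaves $CA.
set -eu
pki_setup() {                      # easyrsa init-pki && easyrsa build-ca
  CA=$1/ca; VPN=$1/vpn; mkdir -p "$CA/newcerts" "$VPN"
  : > "$CA/index.txt"; echo 01 > "$CA/serial"
  cat > "$CA/ca.cnf" <<EOF
[ca]
default_ca = demo
[demo]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
serial = $CA/serial
certificate = $CA/ca.crt
private_key = $CA/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[any]
commonName = supplied
[req]
distinguished_name = dn
[dn]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CA/ca.cnf" \
    -subj "/CN=Demo VPN CA" -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
  cp "$CA/ca.crt" "$VPN/ca.crt"                 # public; crosses the gap
  openssl ca -config "$CA/ca.cnf" -gencrl -out "$VPN/crl.pem" 2>/dev/null  # empty CRL
}
client_request() {                 # easyrsa gen-req NAME nopass, on the client
  openssl req -new -newkey rsa:2048 -nodes -config "$CA/ca.cnf" -subj "/CN=$1" \
    -keyout "$VPN/$1.key" -out "$VPN/$1.csr" 2>/dev/null   # only the CSR goes to the CA
}
ca_sign() {                        # easyrsa import-req + sign-req client NAME, on the CA
  openssl ca -batch -notext -config "$CA/ca.cnf" -in "$VPN/$1.csr" -out "$VPN/$1.crt" 2>/dev/null
}
ca_revoke_and_publish() {          # easyrsa revoke NAME && easyrsa gen-crl, on the CA
  openssl ca -config "$CA/ca.cnf" -revoke "$VPN/$1.crt" 2>/dev/null
  openssl ca -config "$CA/ca.cnf" -gencrl -out "$VPN/crl.pem" 2>/dev/null
}
vpn_accepts() {                    # what OpenVPN does with "crl-verify crl.pem"
  openssl verify -crl_check -CAfile "$VPN/ca.crt" -CRLfile "$VPN/crl.pem" \
    "$VPN/$1.crt" >/dev/null 2>&1
}
W=$(mktemp -d); pki_setup "$W"; client_request client1; ca_sign client1
vpn_accepts client1 && echo "client1 accepted before revocation"
ca_revoke_and_publish client1
vpn_accepts client1 || echo "client1 rejected after revocation"
```

Only `ca.crt`, the signed certificate and the regenerated `crl.pem` ever need to be copied to the VPN host, which is the whole transfer across the air gap in #4.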
