Re: [Hampshire] OpenVPN + TrueCrypt

Author: Stephen Nelson-Smith
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] OpenVPN + TrueCrypt
On Fri, Aug 14, 2009 at 7:46 AM, Keith Edmunds<kae@???> wrote:
> On Fri, 14 Aug 2009 07:42:07 +0100, sanelson@??? said:
>
>> I'm wondering how the
>> openvpn client knows where to find the keys?
>
> From the configuration file (the "ca", "cert" and "key" lines).


Obviously. I'd have struggled to have delivered a working VPN if I
didn't know that! Sorry if I gave the impression that I didn't
understand this - I plead lack of sleep and early-morning bleariness.

> It's not clear to me what problem you are attempting to solve - could you
> elucidate?


I'll try!

At present I have given each user a set of keys and certs, an openvpn
client config, and an openvpn client. In each client config, the path
to the keys is defined, for example /home/stephen/vpn/stephen.key, crt
etc. I haven't yet been able (at least with Tunnelblick on Macs) to
get the openvpn client to demand a passphrase, so if someone gains
access to their machine, they can get onto the VPN.

I am proposing that the keys live on an encrypted USB stick - one per
user. The user then inserts the stick into their machine, enters the
password, uses the keyfile or whatever method we choose to decrypt the
filesystem, and only then fires up the VPN.

My question concerned where in the filesystem the keys would appear.
It may not always be the same - using automatic mounting, the user may
get /media/disk1 one day and /media/disk2 another, if something else
was mounted at disk1. I don't want users to change their config file.
You may assume I know how to handle this manually. You may assume my
users don't. I'd like their experience to be as simple as: 1) User
inserts USB stick 2) User enters password 3) User fires up vpn client.

I'm also curious to know if anyone else is doing anything similar, and
can share whether it has been a success, what they might do
differently. Furthermore, I am open to alternative ways to increase
the security of the VPN setup.

Is that clearer?

Thanks!

S.
--
Stephen Nelson-Smith
Technical Director
Atalanta Systems Ltd
www.atalanta-systems.com
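One way to handle the "the stick lands on /media/disk1 one day and /media/disk2 the next" problem without touching the users' config files, as an added example that is not part of the original thread and not code from Stephen or Keith: a small launcher that searches the usual automount roots for the key directory and starts OpenVPN with `--cd` pointing at it, so the `ca`/`cert`/`key` lines in the config can be plain relative filenames. Everything below is my assumption, not something the thread states: the encrypted volume carries a directory `vpn/` holding `client.conf`, `ca.crt`, `<user>.crt` and `<user>.key`; the search roots `/media` and `/Volumes` are placeholders for wherever the automounter puts volumes; the permission check assumes the volume inside the container is a Unix filesystem (on a FAT-formatted volume every file shows as world-readable and the check will always refuse). `--cd` and `--askpass` are real OpenVPN 2.x options; `--askpass` gives the passphrase prompt at start-up if the private key is passphrase-protected.

```shell
#!/bin/sh
# vpn-launch.sh - added example, not from the original mailing-list thread.
# Finds the key directory on whichever mount point the encrypted USB stick got,
# checks the private key is not readable by other users, then starts OpenVPN
# from that directory so client.conf can use relative key paths.

KEY_DIR_NAME="vpn"        # assumed directory name on the stick
MARKER="client.conf"      # assumed file that identifies the key directory

# find_key_dir ROOT...
# Prints the first ROOT/<volume>/vpn directory that contains MARKER and returns 0;
# prints nothing and returns 1 when no mounted volume carries the keys.
find_key_dir() {
    for fkd_root in "$@"; do
        for fkd_mnt in "$fkd_root"/*; do
            [ -d "$fkd_mnt" ] || continue
            fkd_dir="$fkd_mnt/$KEY_DIR_NAME"
            if [ -f "$fkd_dir/$MARKER" ]; then
                printf '%s\n' "$fkd_dir"
                return 0
            fi
        done
    done
    return 1
}

# check_key_perms FILE
# Returns 0 only if FILE exists and has neither group-read (040) nor
# other-read (004) set. A key copied onto a stick often ends up 0644 or 0777,
# which defeats the point of keeping it off the laptop's disk.
check_key_perms() {
    ckp_file="$1"
    [ -f "$ckp_file" ] || return 1
    if [ -n "$(find "$ckp_file" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
        return 1
    fi
    return 0
}

# start_vpn USER ROOT...
# Locates the keys, refuses to start on a readable key, then execs OpenVPN.
# --cd makes the relative ca/cert/key paths in client.conf resolve on the stick,
# so the config never needs editing when the mount point changes.
# --askpass prompts for the key passphrase at start-up if the key has one.
start_vpn() {
    sv_user="$1"; shift
    sv_dir="$(find_key_dir "$@")" || {
        echo "vpn-launch: encrypted stick not mounted (searched: $*)" >&2
        return 1
    }
    check_key_perms "$sv_dir/$sv_user.key" || {
        echo "vpn-launch: refusing to start, $sv_user.key is group/world readable" >&2
        return 1
    }
    exec openvpn --cd "$sv_dir" --config "$MARKER" --askpass
}

# Only launch when run as the script itself, so the functions can be sourced.
case "${0##*/}" in
    vpn-launch.sh) start_vpn "${USER:-$(id -un)}" /media /Volumes ;;
esac
```

The user-visible flow stays the three steps from the message: insert the stick, enter the volume password, run `vpn-launch.sh`. The launcher is what absorbs the changing mount point, and the refusal on a readable key catches the case where the keys were copied onto the stick with the wrong mode.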