Notes on rekeying an OpenVPN server
Things you will want to know if you have to replace your OpenVPN certificates because, say, you got caught by the Debian key entropy problem.
- Don’t forget to also run build-key-server.
- Don’t forget to copy keys/server.* and ca.crt up to /etc/openvpn if that is where you keep them.
- Each Windows client with old keys is going to chew up 30 slots in your server until it gets new keys. If you have many users, you don’t have enough slots. The Windows clients retry every two seconds, but it takes 60 seconds to time out on the server side.
I had to resort to grepping syslog and dropping firewall blocks on people trying old certificates. I used another script watching my http logs to unblock people who had created new certificates. “TLS Error: TLS key negotiation failed to occur within 60 seconds” is a good bit to select IPs for blocking.
You know you have too many clients connected if you see “MULTI: new incoming connection would exceed maximum number of clients” in the syslog.
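The syslog grep described above, written out as an added example; it is not the script from the original post. It reads OpenVPN syslog lines on stdin, pulls out the source IP of every client that hit the 60-second TLS negotiation timeout, and also checks for the "would exceed maximum number of clients" message. The log lines embedded in it are constructed for the demo, and the `iptables` rules it prints assume OpenVPN on UDP port 1194 and are only printed, not applied, so you can review them before dropping them on the firewall.

```shell
#!/bin/sh
# Constructed sample syslog lines in OpenVPN's server log format (not real data).
SAMPLE_LOG='May 13 10:00:01 vpn ovpn-server[1234]: 203.0.113.5:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 13 10:00:03 vpn ovpn-server[1234]: 198.51.100.7:40001 TLS: Initial packet from [AF_INET]198.51.100.7:40001
May 13 10:00:07 vpn ovpn-server[1234]: 203.0.113.5:51236 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 13 10:00:09 vpn ovpn-server[1234]: 192.0.2.44:33000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 13 10:00:10 vpn ovpn-server[1234]: MULTI: new incoming connection would exceed maximum number of clients (100)'

# failing_ips: read syslog lines on stdin and print, de-duplicated and one per
# line, the source IP of every client whose TLS negotiation timed out.
# The IP:port pair precedes the error text in OpenVPN's server log lines.
failing_ips() {
    grep -F 'TLS Error: TLS key negotiation failed to occur within 60 seconds' \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]+ TLS Error' \
      | cut -d: -f1 \
      | sort -u
}

# slots_exhausted: succeed (exit 0) if the log shows the server turning
# clients away because max-clients has been reached.
slots_exhausted() {
    grep -q 'MULTI: new incoming connection would exceed maximum number of clients'
}

# block_rules: turn the failing IPs into firewall rules. They are printed rather
# than executed; pipe into sh once reviewed. Port 1194/udp is an assumption.
block_rules() {
    failing_ips | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p udp --dport 1194 -j DROP\n' "$ip"
    done
}

# Demo run over the constructed log.
printf '%s\n' "$SAMPLE_LOG" | failing_ips
printf '%s\n' "$SAMPLE_LOG" | block_rules
if printf '%s\n' "$SAMPLE_LOG" | slots_exhausted; then
    echo "server is refusing connections: max-clients reached"
fi
```

In production the stdin would be `tail -F /var/log/syslog` (or `journalctl -f -u openvpn`) rather than the sample text, and the companion unblock script would remove the matching rule once the client's IP shows up fetching a freshly built certificate in the web server log.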