linux By jim, 6 months ago
Things you will want to know if you have to replace your OpenVPN certificates because, say, you got caught in the Debian key entropy problem.
  • Don't forget to also run build-key-server.
  • Don't forget to copy keys/server.* and ca.crt up to /etc/openvpn if that is where you keep them.
  • Each Windows client with old keys is going to chew up 30 slots in your server until they get new keys. If you have many users, you don't have enough slots. The Windows clients retry every two seconds, but it takes 60 seconds to time out on the server side.
I had to resort to grepping syslog and dropping firewall blocks on people trying old certificates. I used another script watching my HTTP logs to unblock people who had created new certificates. "TLS Error: TLS key negotiation failed to occur within 60 seconds" is a good bit to select IPs for blocking.

You know you have too many clients connected if you see "MULTI: new incoming connection would exceed maximum number of clients" in the syslog.
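
A sketch of the syslog selection described above, as an added example that is not the script used on this server. It assumes OpenVPN writes the peer as `IP:port` immediately before the message, uses a hypothetical threshold of three failures, and takes a `renewed` set standing in for the addresses the HTTP-log script found; the sample log lines are constructed.

```python
import re
from collections import Counter

# The two syslog messages quoted in the post.
FAIL = "TLS Error: TLS key negotiation failed to occur within 60 seconds"
FULL = "MULTI: new incoming connection would exceed maximum number of clients"
# Assumption: the peer address appears as "IP:port " right before the message.
PEER = re.compile(r"(?:^|[\s/])(\d{1,3}(?:\.\d{1,3}){3}):\d+ " + re.escape(FAIL))


def scan(lines, renewed=(), threshold=3):
    """Return (ips_to_block, failures_per_ip, slots_exhausted_events)."""
    fails = Counter()
    full = 0
    for line in lines:
        if FULL in line:
            full += 1  # the server has run out of client slots
            continue
        m = PEER.search(line)
        if m:
            fails[m.group(1)] += 1
    skip = set(renewed)  # clients that already fetched new certificates
    block = sorted(ip for ip, n in fails.items()
                   if n >= threshold and ip not in skip)
    return block, fails, full


def _line(peer):
    # Constructed sample line; the syslog prefix is hypothetical.
    return f"Nov 12 10:00:01 vpn ovpn-server[811]: {peer} {FAIL} (check your network connectivity)"


SAMPLE = [
    _line("192.0.2.10:51820"), _line("192.0.2.10:51822"), _line("192.0.2.10:51824"),
    _line("198.51.100.7:40001"),  # a single failure stays under the threshold
    _line("203.0.113.9:40100"), _line("203.0.113.9:40102"), _line("203.0.113.9:40104"),
    "Nov 12 10:00:09 vpn ovpn-server[811]: " + FULL + " (100)",
]

if __name__ == "__main__":
    block, fails, full = scan(SAMPLE, renewed={"203.0.113.9"})
    print("slot-exhaustion events:", full)
    for ip in block:
        print("candidate for firewall block:", ip, "failures:", fails[ip])
```
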
The femtoblogger software is being written by Jim Studt. The content of this page is provided by anonymous individuals. If you believe something on this page is inappropriate, contact Jim Studt.
