[CentOS] Pptp vpn server

Wed Nov 3 15:41:20 UTC 2010
Paul Heinlein <heinlein at madboa.com>

On Wed, 3 Nov 2010, Ross Walker wrote:

> As always it's better to use internally generated certificates that 
> are password protected than either passwords or certificates alone. 
> Having said that, these password protected certificates are a PITA to 
> distribute to users and to support remotely.

The biggest headache with OpenVPN is PKI. The OpenVPN source ships 
with some scripts for doing certificate authority work, but eventually 
the administrator has to figure out PKI for all but the very smallest 
of deployments.

That said, OpenVPN deals very nicely with certificate revocations, 
making it easy to void a certificate if a key is lost, stolen, or a 
victim of the HR department.

I agree that distributing password-protected keys is a pain. In a 
savvy environment, you can show people how to encrypt their own keys 
using the openssl binary (even on Windows), but that certainly doesn't 
work everywhere. On the upside, all the client OpenVPN GUIs I've used 
(Windows, Tunnelblick for Mac, NetworkManager) handle encrypted keys 
quite nicely these days, prompting for the passphrase at connection 

Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
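As an added example (not from Paul's message or from the OpenVPN project), here is how the "encrypt their own keys using the openssl binary" step can be done and then checked from a shell before a key is handed to a user; the file names and the demo passphrase are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the original message: encrypt an existing OpenVPN
# client private key with a passphrase using the openssl binary, and check
# that the result really does require the passphrase before it is handed out.
# Assumes openssl is on PATH; the key file names below are placeholders.

# encrypt_client_key IN OUT PASSPHRASE
# Writes an AES-256-encrypted PEM copy of the private key IN to OUT.
# The subshell umask keeps OUT at mode 0600: an encrypted key is still a secret.
# When walking a user through this by hand, omit -passout so openssl prompts
# instead of putting the passphrase on the command line (visible in ps).
encrypt_client_key() {
    ( umask 077
      openssl rsa -in "$1" -aes256 -out "$2" -passout "pass:$3" 2>/dev/null )
}

# key_is_encrypted KEY
# Succeeds only if openssl cannot load KEY with a deliberately wrong
# passphrase, i.e. the file is not a plaintext key (openssl ignores
# -passin for an unencrypted key, so that case fails this check).
key_is_encrypted() {
    ! openssl rsa -in "$1" -noout -passin pass:not-the-passphrase >/dev/null 2>&1
}

# key_opens_with KEY PASSPHRASE
# Succeeds if KEY decrypts with PASSPHRASE (round-trip check after encrypting).
key_opens_with() {
    openssl rsa -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Stand-alone demo: generate a throwaway key, encrypt it, verify both copies.
demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    encrypt_client_key "$dir/client.key" "$dir/client.enc.key" 'demo passphrase'
    key_is_encrypted "$dir/client.enc.key" && echo "client.enc.key: passphrase required"
    key_is_encrypted "$dir/client.key" || echo "client.key: plaintext, do not distribute"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The encrypted file is referenced from the client config with the usual `key` directive; the client then prompts for the passphrase at connect time, as the message describes.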