In OpenVPN deployments, client authentication typically uses one of these methods:
# Typical OpenVPN client configuration
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
</key>The private key and certificate pair (usually .key and .crt files) can technically be copied across multiple devices belonging to the same user. The OpenVPN server will see these connections as coming from the same identity. However, there are important considerations:
# Server-side verification (in server.conf)
verify-client-cert require
client-cert-not-required
script-security 2While technically possible, sharing keys across devices creates these security concerns:
- Compromise of one device exposes all devices using the same key
- No granular device-level revocation capability
- Difficulty tracking individual device connections
For business environments, consider these alternatives:
# Alternative 1: Per-device certificates
./easyrsa build-client-full laptop_jsmith nopass
./easyrsa build-client-full desktop_jsmith nopass
# Alternative 2: Use client-specific restrictions
ifconfig-pool-persist ipp.txt
client-config-dir ccd
# Then in ccd/jsmith file:
ifconfig-push 10.8.0.100 10.8.0.101When using shared certificates, revocation affects all devices:
# Revocation command affects all devices using this cert
./easyrsa revoke jsmith
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/server/For a balanced approach that maintains security while reducing management overhead:
#!/bin/bash
# Generate unique cert per device type
USER="jsmith"
DEVICES=("laptop" "desktop" "tablet")
for DEVICE in "${DEVICES[@]}"; do
./easyrsa build-client-full ${USER}_${DEVICE} nopass
# Generate separate config files
cat <<EOF > ${USER}_${DEVICE}.ovpn
client
dev tun
[...]
<cert>
$(cat pki/issued/${USER}_${DEVICE}.crt)
</cert>
<key>
$(cat pki/private/${USER}_${DEVICE}.key)
</key>
EOF
doneWhen examining connection logs, shared certificates make device identification impossible:
# Typical log entry with shared cert
2023-11-15 09:23:45 jsmith/10.8.0.2:1194 TLS: Initial packet from [AF_INET]203.0.113.45:54421
# With per-device certs
2023-11-15 09:23:45 jsmith_laptop/10.8.0.2:1194 TLS: Initial packet from [AF_INET]203.0.113.45:54421OpenVPN operates using a Public Key Infrastructure (PKI) where each client typically requires unique authentication credentials. The core components are:
# Typical OpenVPN client configuration
client
dev tun
proto udp
remote your.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
<cert>
-----BEGIN CERTIFICATE-----
[client certificate]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[client private key]
-----END PRIVATE KEY-----
</key>
There are three common approaches to handle multiple devices:
- Single Key Sharing: Using identical credentials across devices (not recommended)
- Certificate per Device: Generating unique certificates for each device
- User Certificate with Device-Specific Configuration: Hybrid approach
Sharing the same key pair across multiple devices creates several vulnerabilities:
- Compromise of any device affects all devices
- No device-specific revocation capability
- Difficulty in auditing connection sources
For business environments, we recommend this certificate generation workflow:
# Generate unique certificates per device
#!/bin/bash
USERNAME="employee1"
DEVICES=("laptop" "desktop" "tablet")
for DEVICE in "${DEVICES[@]}"
do
./easyrsa build-client-full ${USERNAME}-${DEVICE} nopass
done
If you must share certificates, consider modifying the OpenVPN server configuration:
# In server.conf
duplicate-cn
This allows certificate sharing but requires additional security measures:
# Enable TLS control
tls-auth ta.key 0
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
Implement a certificate management system with these features:
# Sample revocation check script
#!/bin/bash
openssl crl -in crl.pem -noout -text | grep -A 1 "Serial Number"
Best practices include:
- Monthly certificate rotation
- Automated expiration alerts
- Device fingerprint logging