I had Mikrotik CHR installed on a Virtual Machine and an OpenVPN server was running on it. For some reason I had to move the Virtual Machine to a new IP and after that I noticed that I can't use the same OpenVPN certificates on the new IP.
I ended up creating new certificates and sending all clients a new version of OVPN config file.
Now, my question is:
Is there any way for me to create certificates that will work even if the IP of virtual machine is changed? Is there anything I can do so that I could move these certificates to another VPS and they would work?
What I'm trying to achieve here is to not need to send all clients a new OVPN file every time I have to change my VPS IP.
To put @patrikg's suggestion into context: the purpose of using a certificate at server side is to allow the clients to verify that they are connecting (and revealing their credentials and all the payload traffic) to the intended server, not to an impersonating one or to a "man in the middle". So the subject of the certificate must match the address of the server to which the client is configured to connect; the certificate subjects can be both IP numbers and domain names, but from the logic of the operation, if the IP address changes, so must the certificate if the client is configured to connect to an IP address rather than a domain name. To verify that the device that presents the certificate is indeed its real owner, the client uses a challenge-response method to verify that the server has access to the private key of the certificate, which, contrary to the certificate itself, can only be obtained using a management interface (or not at all).
If you don't have a DNS, and you don't want to or cannot manipulate an equivalent of the hosts file (static DNS resolutions) on each client, you can use a separate CA certificate and server certificate rather than a single self-signed server certificate; that way, you will have to create a new server certificate each time the IP address changes, but since you will use the same CA certificate to sign it, you won't have to change the OpenVPN client settings at each change of server address if you set them to "trust any server that presents a certificate signed using this CA certificate".
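To show the CA-versus-server-certificate split the answer describes, here is an added Go example (not code from the thread or from RouterOS) that models the client's check with the standard library: the CA is created once, a server certificate is re-issued with the new IP as its SAN, and the client accepts it because the chain still ends at the CA it trusts. The addresses 203.0.113.10 and 198.51.100.20 and the CommonName values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// sign fills in a validity window, signs tmpl with parentKey and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewCA is the long-lived, self-signed CA that every client's OVPN profile trusts (created once).
func NewCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ovpn-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, pub, key), key
}

// IssueServerCert is the only step repeated after an IP move: a new server cert carrying the new address as SAN.
func IssueServerCert(ca *x509.Certificate, caKey ed25519.PrivateKey, ip string) *x509.Certificate {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // server key pair; the private half stays on the server
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "ovpn-server"},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
	}, ca, pub, caKey)
}

// ClientAccepts models the client check: a chain to the trusted CA plus a SAN matching the dialed address (IP or DNS name).
func ClientAccepts(ca, server *x509.Certificate, dialed string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: dialed})
	return err == nil
}
```

Pointing the client at a DNS name instead of an IP, and putting that name in the server cert's SAN, removes even the re-issue step; the CA file in the client profile stays the same either way.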