The situation I have is one of complete control of both the server and the one client that will connect to it. It's what I know as a "road-warrior" setup: I have my notebook connected to my LAN while I'm at home, and I'd like to be able to connect to the LAN when I'm out on the road. Both systems are running Windows XP SP2, if it makes a difference.
I drilled exactly one hole in my firewall: port 1999, and I've got OpenVPN set up so that the laptop connects to the server using TCP port 1999. That's all working just fine. 1999 was selected somewhat arbitrarily, and can easily be changed if there's a good reason to do so.
My limited understanding is that I can guarantee (*) the integrity of my connection if both ends verify that the certificate presented by the other end is signed by the same CA that generated the ca.crt. What does it take to ensure that OpenVPN will reject a connection with an inappropriate certificate, i.e. one that does not bear the signature of my CA? Or is there a better test?
(*) The guarantee extends as far as can reasonably be expected. The NSA can probably break in if they really wanted to, but some script kiddie two blocks from my house is pretty much out of luck.
Thanks in advance for any help.
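The following server and client configuration fragments are an added example illustrating the checks the question asks about; they are not the poster's own configuration. File names (ca.crt, server.crt, laptop.crt, ta.key, dh1024.pem), the hostname home.example.com and the tunnel subnet 10.8.0.0/24 are assumptions chosen for the example. When OpenVPN is run in TLS mode with a `ca` directive, it always verifies that the peer's certificate chains to that CA and drops the connection otherwise; the two directives worth adding on top of that are `tls-auth`, which makes the server discard any packet on port 1999 that does not carry a valid HMAC before any TLS handshake starts, and `remote-cert-tls server` (or `ns-cert-type server` on OpenVPN 2.0.x), which makes the client reject a certificate that was signed by the same CA but was issued as a client certificate, so a stolen laptop certificate cannot be used to impersonate the server.

```conf
##### server.ovpn (added example, assumed file names) #####
port 1999
proto tcp-server
dev tun

# Every peer certificate must chain to this CA; anything else is rejected
# during the TLS handshake. This check cannot be disabled in TLS mode.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

# Shared HMAC key (generate once with: openvpn --genkey --secret ta.key).
# Control-channel packets without a valid HMAC are dropped before TLS,
# so port scanners never reach the certificate exchange at all.
tls-auth ta.key 0

# Optional: revoke a lost laptop certificate without reissuing the CA.
# The CRL is produced by the CA (e.g. easy-rsa's revoke-full script).
# crl-verify crl.pem

server 10.8.0.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3

##### laptop.ovpn (added example, assumed hostname and file names) #####
client
proto tcp-client
remote home.example.com 1999
dev tun

# Same CA as the server; the server's certificate must chain to it.
ca ca.crt
cert laptop.crt
key laptop.key

# Direction 1 on the client, 0 on the server, same ta.key on both.
tls-auth ta.key 1

# Insist that the server presents a certificate issued for server use
# (extendedKeyUsage serverAuth, as easy-rsa's build-key-server produces).
# A client certificate from the same CA will be refused here.
# OpenVPN 2.0.x does not know this directive; use instead:
#   ns-cert-type server
remote-cert-tls server

persist-key
persist-tun
verb 3
```

Because the server never does an unauthenticated TLS handshake, a wrong or missing certificate shows up in the server log only as dropped HMAC packets; to confirm the CA check itself, connect once with a certificate signed by a different CA and look for a "certificate verify failed" / "TLS Error" entry at `verb 3`.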