Ciao Hessu,
just to share our experience in using OpenVPN solution to access CisarNet (http://wifi.cisar.it  for the map, http://www.cisarnet.it  for other services, ...),
Before to setup the solution (about three years ago), inside our working group we discussed about using named certificates, Certification Authority, user registration process, crypto and so on...
At the end, we decided just to share one only common signed key, and also permit free guest access without user identification  (just as equivalence to radio Push-To-Talk button), no crypto (for regulatory compliance in several country for radio ham radio communication, Italy included). Storing logs permit us to be compliant to law about taking care of timestamp, ip source of the VPN client peer and destination ip public address. Also, in this way we are extending in Italy the usage of amprnet, by managing directly the CIDR 44.208/16 subnet as Internet IP public Address.

I hope this help you to know our point of view, a little different from yours, but also useful for share several experiences (thanks to your well done guide on ampr wikis). We'd like also to know your (and others) opinion about Italian Cisar association approach to OpenVPN access.

Ciao from Italy.

IW0SAB Renzo.

>----Messaggio originale----
>Da: hessu@hes.iki.fi
>Data: 08/05/2013 0.42
>A: "AMPRNet working group"<44net@hamradio.ucsd.edu>
>Ogg: [44net] VPN access to AMPRNet using amateur X.509 certificates
>
>(Please trim inclusions from previous messages)
>_______________________________________________
>
>Hi,
>
>The AMPRNet might be more useful if it had:
>
>(1) more services which would be interesting to hams
>(2) more access to the AMPRNet
>
>Tonight I tried to attack (2) a bit. Access to the AMPRNet over the
>Internet could maybe be made easier to hams by allowing them to connect
>over VPNs instead of setting up their own IPIP tunnels at home, or trying
>to find a working radio gateway. After getting a VPN running it might be
>easier for them to set up a radio gateway, or some services. As discussed
>on the other mailing list, VPNs are easier to get up on NATed residential
>networks than IPIP tunnels.
>
>Setting up VPN user accounts and maintaining them can be a pain. It
>doesn't take a lot of weekly or monthly maintenance work to run a VPN
>service, but it can be a major pain to manage an user account database for
>thousands of hams and check if your users around the Internet are, in
>fact, licensed.
>
>It turns out that ARRL's Logbook of the World has already given out
>cryptographic X.509 certificates to 57334 amateur users, after verifying
>their license status against the FCC database (they send a postcard with a
>random token code to the FCC-listed snail-mail address to make sure they
>give the certificate to the right guy) or after looking at a paper
>photocopy of a license + a photo ID. I had to physically mail in a photo
>of my ham license and my driver's license and wait a couple weeks to get
>the cert. If they can get 50k contesters and DXers to work with
>certificates, maybe certs can work for the AMPRnet, too.
>
>Technically, we can validate if a VPN user is in possession of one of
>those certificates and the respective private key. Politically, K4JH asked
>the ARRL guys, and they said that they don't mind if we use them for other
>ham authentication needs. We can start accepting other CAs too once they
>come around. I plan to help SRAL, the Finnish amateur radio union, to set
>up a CA within their web site (they already have user accounts for
>members). I know ARRL isn't for everyone, but smaller clubs could set up
>CAs too, or even commercial entities - as long as we trust them to do the
>license validation in a proper manner.
>
>Tonight I hacked up an OpenVPN setup which authenticates users with LoTW
>certs, and wrote a little documentation:
>
>http://wiki.ampr.org/index.php/AMPRNet_VPN
>
>What do you think? Technically, it seems to work - try it out if you like.
>It's not very straightforward to set up, but the license validation is
>pretty strong, and running the service shouldn't be a lot of work. There
>can be many VPN servers around the world, serving the whole customer base
>(VPN servers do not need access to any central user database, they just
>need the certificates of the trusted CAs). With a little Dynamic DNS
>magic, you could get a oh7lzb.vpn.ampr.org hostname on DNS within a few
>seconds after connecting (I've got code for that in another project).
>
>(Yes, eventually certificates need to be revoked after they accidentally
>get into wrong hands, or ham licenses are revoked. Technically that can be
>done using CRLs and/or OCSP, but ARRL apparently does not do those yet.
>Maybe they will, if the need arises. We can also set up a blocked
>certificates list of our own.)
>
>   - Hessu, OH7LZB
>
>_________________________________________
>44Net mailing list
>44Net@hamradio.ucsd.edu
>http://hamradio.ucsd.edu/mailman/listinfo/44net
>http://www.ampr.org/donate.html
>