[SOLVED] OpenVPN Server client common name issue

Started by guest14517, August 22, 2016, 10:34:51 AM

Hello,

I've set up an OpenVPN server using the wizard and it works as expected. But I have one issue which, right now, is kind of a dealbreaker for me. Here is the situation: I currently have one user, me, and two client certificates with different common names (like: user-thinkpad and user-android). The problem is that the OPNsense OpenVPN implementation appears to use the username as the common name! As soon as I connect to the VPN using any second connection, the first one gets terminated. I know it is possible to allow multiple same clients, but that is not what I want and not what I expect to work. I've set up OpenVPN servers on bare Linux machines in the past and I never had that problem. The certificates on both clients are correct; they have their own correct common names.

Has anyone run into this problem? Does anyone have a solution?



Quote from: opnsenseuser123 on August 22, 2016, 10:34:51 AM
I know it is possible to allow multiple same clients, but that is not what i want and not what i expect to work

Hi, no, that's just not what I wanted. My problem is that the OPNsense OpenVPN server implementation seems to use the username as the common name and not the certificate common name... I don't want to use multiple usernames because I'm authenticating against an external LDAP server.

Okay, looks like we use OpenVPN's "username-as-common-name" setting by default for TLS/user auth server types. I did not know that. It's been like this for at least 5 years from the looks of it, so please excuse my confusion.

You can try the following patch to verify from the command line by running this:

# opnsense-patch b2f4f1341

Note the patch is not final, and that it will be removed on firmware upgrades.

The code is here...

https://github.com/opnsense/core/commit/b2f4f1341d


Cheers,
Franco
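To make the behaviour discussed above concrete, here is an added example (not code from this thread, from OPNsense, or from OpenVPN itself) that models how an OpenVPN server picks the identity of a client session from its config: with `username-as-common-name` the authenticated username replaces the certificate CN, so two certificates sharing one username collide unless `duplicate-cn` is set. The server configs and the auth-script path are constructed placeholders.

```python
# Assumed, constructed server configs: the default OPNsense-style TLS/user-auth
# config, and the same config with username-as-common-name removed (what the
# patch in this thread amounts to). The auth script path is a placeholder.
DEFAULT_CFG = """
mode server
tls-server
auth-user-pass-verify /path/to/auth-script via-env
username-as-common-name
"""

PATCHED_CFG = """
mode server
tls-server
auth-user-pass-verify /path/to/auth-script via-env
"""


def parse_options(cfg: str) -> set:
    """Collect the directive names (first token of each non-comment line)."""
    names = set()
    for line in cfg.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            names.add(line.split()[0])
    return names


def session_key(options: set, username: str, cert_cn: str) -> str:
    """OpenVPN tracks a client session by its 'common name'. With
    username-as-common-name the username from auth-user-pass is used
    instead of the certificate CN."""
    return username if "username-as-common-name" in options else cert_cn


def simulate(cfg: str, connections) -> list:
    """Replay (username, cert_cn) connections in order and return the
    certificate CNs whose sessions get terminated because a later client
    arrived with the same session key (unless duplicate-cn allows it)."""
    options = parse_options(cfg)
    allow_dup = "duplicate-cn" in options
    active = {}   # session key -> cert CN currently holding it
    dropped = []
    for username, cert_cn in connections:
        key = session_key(options, username, cert_cn)
        if key in active and not allow_dup:
            dropped.append(active[key])   # old session is kicked
        active[key] = cert_cn
    return dropped


# Constructed sample: one LDAP user with two client certificates.
CONNECTIONS = [("user", "user-thinkpad"), ("user", "user-android")]
```

Running `simulate(DEFAULT_CFG, CONNECTIONS)` reports that `user-thinkpad` is dropped when the Android client connects, while the patched config (or adding `duplicate-cn`) keeps both sessions alive.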

...problems with two openVPN peer-to-peer servers on one box are totally unrelated?

https://forum.opnsense.org/index.php?topic=3545.0
kind regards
chemlud

Quote from: franco on August 23, 2016, 04:48:04 PM
# opnsense-patch b2f4f1341

Note the patch is not final, and that it will be removed on firmware upgrades.

The code is here...

https://github.com/opnsense/core/commit/b2f4f1341d

Hi Franco,

that patch solved my issue! I'm going on vacation today; maybe I'm able to supply a merge request in 2 weeks, so others are able to set that using the web UI.

Thanks! ;)

Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into 16.7.3. :)

Quote from: franco on August 24, 2016, 07:47:11 AM
Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into 16.7.3. :)

That would be really nice!

Just went in as a GUI option, thanks again for the report.