My OpenVPN server config is set to "Server Mode = Remote Access (SSL/TLS + User Auth)".
I've created a user certificate for every user and made a Client Export for every user (archive file with 3 files: .key, .p12 and config file).
Each user also has a unique password. I'm not using TOTP.
But I can switch the .p12 file between the users on the clients and they can still establish a VPN connection to the server using another user's .p12 file.
I thought the file was "paired" to the specific user?
I think OpenVPN only checks a certificate status (revoked/expired), not if the subject corresponds with the username.
https://blog.remibergsma.com/2013/02/27/improving-openvpn-security-by-revoking-unneeded-certificates/
Bart...
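
One way to enforce the pairing the question expects, as an added example that is not part of either post: a gate script for OpenVPN's `auth-user-pass-verify` hook in `via-env` mode, which denies the login unless the typed username equals the CN of the presented certificate. It assumes a hand-configured OpenVPN server, certificates issued with the CN set to the login name, and an existing password verifier passed as the script's arguments; the script and verifier paths are placeholders.

```shell
#!/bin/sh
# Added example: gate for OpenVPN's --auth-user-pass-verify (via-env).
# Hypothetical server.conf lines (both paths are placeholders):
#   script-security 3
#   auth-user-pass-verify "/path/to/cn-gate.sh /path/to/existing-verifier" via-env

# Succeeds only when both values are non-empty and identical (case-sensitive).
user_matches_cn() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# OpenVPN sets script_type before running any script, so the gate only
# runs when OpenVPN invokes this file.
if [ -n "${script_type:-}" ]; then
    # common_name = CN of the client certificate that passed TLS verification
    # username    = name the client typed at the password prompt
    if ! user_matches_cn "${username:-}" "${common_name:-}"; then
        echo "deny: user '${username:-}' presented certificate CN '${common_name:-}'" >&2
        exit 1
    fi
    # The binding holds, but the password is still unchecked. Fail closed
    # when no verifier was configured, otherwise hand over to it.
    [ "$#" -gt 0 ] || { echo "deny: no password verifier configured" >&2; exit 1; }
    exec "$@"
fi
```

The gate never accepts a login by itself: a matching name is passed on to the real password check, and a missing verifier is treated as a denial.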