OPNsense Forum
English Forums => Virtual private networks => Topic started by: spi39492 on February 12, 2022, 05:24:06 pm
Hi all
I have a self signed CA with the following structure
root ca
|
+--- intermediate1 - server certificates
+--- intermediate3 - client certificates for wifi and app authentication
+--- intermediate4 - site2site OpenVPN certificates
+-+- intermediate5 - for historical reasons: OpenVPN client certificates for road warriors
  |
  +--- Server Certificate for OpenVPN server: "gw_openvpn4clients"
  +--- OpenVPN user 1
  +--- ...
  +--- OpenVPN user n
The opnsense server config for the OpenVPN server looks like:
Server Mode Remote Access (SSL/TLS)
Peer Certificate Authority intermediate5
Server Certificate gw_openvpn4clients
Clients can connect to the OpenVPN server using their client certificates issued by intermediate5.
Despite the setting of "Certificate Depth", clients with client certificates issued by intermediate3 can also connect - which I didn't expect, as I thought the setting "Peer Certificate Authority" would limit access to certificates from this intermediate CA only.
In the Trust/Authorities section only the root CA, intermediate1, intermediate4 and intermediate5 are imported.
How can I configure OpenVPN to only allow clients with certificates issued by intermediate5 to connect?
Edit: I found a workaround by adding "verify-hash xx:xx:xx...;" to "Advanced" in the OpenVPN server settings. But it says that this option will be removed in future, so there might be a need for something else...
xx:xx:xx... is the fingerprint of intermediate5 in my case.
Thanks in advance,
spi
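An added example, not from the post or from OPNsense: when the trust bundle OpenVPN validates against contains the root, any leaf that chains to that root passes the standard check, so one way to pin the issuing CA without verify-hash is an OpenVPN --tls-verify hook (needs --script-security 2) that compares the SHA-256 fingerprint OpenVPN exports for the depth-1 certificate with that of intermediate5. The fingerprint and script name below are placeholders/assumptions.

```shell
#!/bin/sh
# tls-verify-pin.sh (hypothetical name): OpenVPN calls a --tls-verify script
# once per certificate in the presented chain with the arguments
# <depth> <X509 subject> and exports tls_digest_sha256_<depth>, the
# colon-separated SHA-256 fingerprint of that certificate. Depth 0 is the
# client certificate, depth 1 its issuer. A non-zero exit rejects the client.
# PLACEHOLDER: replace with the real SHA-256 fingerprint of intermediate5.
EXPECTED_ISSUER_SHA256="${EXPECTED_ISSUER_SHA256:-AA:BB:CC:DD:EE:FF}"

# check_chain_element DEPTH SUBJECT DIGEST -> exit status 0 = accept, 1 = reject
check_chain_element() {
    depth="$1"; subject="$2"; digest="$3"
    case "$depth" in
        1)
            # The certificate directly above the client must be intermediate5;
            # compare fingerprints case-insensitively.
            if [ "$(printf '%s' "$digest" | tr 'a-f' 'A-F')" = \
                 "$(printf '%s' "$EXPECTED_ISSUER_SHA256" | tr 'a-f' 'A-F')" ]; then
                return 0
            fi
            echo "tls-verify: rejecting client issued by '$subject' ($digest)" >&2
            return 1 ;;
        *)
            # Leaf (depth 0) and root (depth 2) remain under OpenVPN's normal
            # chain, expiry and revocation checks; nothing extra pinned here.
            return 0 ;;
    esac
}

# Entry point used by OpenVPN: read the digest for this depth from the
# environment and hand it to the check.
main() {
    depth="$1"; subject="$2"
    eval "digest=\${tls_digest_sha256_${depth}:-}"
    check_chain_element "$depth" "$subject" "$digest"
}

if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Log every rejection: a client presenting a valid certificate from the wrong intermediate is exactly the event worth alerting on.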