OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: guest14517 on August 22, 2016, 10:34:51 am
-
Hello,
I've set up an OpenVPN server using the wizard and it works as expected. But I have one issue which, right now, is kind of a dealbreaker for me. Here is the situation: I currently have one user, me, and two client certificates with different common names (like: user-thinkpad and user-android). The problem is that the OPNsense OpenVPN implementation appears to use the username as the common name! As soon as I connect to the VPN using any second connection, the first one gets terminated. I know it is possible to allow multiple same clients, but that is not what I want and not what I expect to work. I've set up OpenVPN servers on bare Linux machines in the past and I never had that problem. The certificates on both clients are correct, they have their own correct common names.
Has anyone run into this problem? Does anyone have a solution?
(http://i.imgur.com/uUs9NAZ.png)
-
I think you're missing the "duplicate-cn" server entry:
http://www.linuxquestions.org/questions/linux-server-73/openvpn-duplicate-cn-recommendation-925896/
Cheers,
Franco
-
I know it is possible to allow multiple same clients, but that is not what i want and not what i expect to work
Hi, no, that's just not what I wanted. My problem is that the OPNsense OpenVPN server implementation seems to use the username as the common name and not the certificate common name... I don't want to use multiple usernames because I'm authenticating against an external LDAP server.
-
Okay, looks like we use OpenVPN's "username-as-common-name" setting by default for TLS/user auth server types. I did not know that. It's been like this for at least 5 years from the looks of it, so please excuse my confusion.
You can try the following patch to verify from the command line by running this:
# opnsense-patch b2f4f1341
Note the patch is not final, and that it will be removed on firmware upgrades.
The code is here...
https://github.com/opnsense/core/commit/b2f4f1341d
Cheers,
Franco
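To make the effect of the two OpenVPN options discussed in this thread concrete, here is an added example (constructed for this post, not OPNsense or OpenVPN code) that models how OpenVPN picks the per-client identity: with "username-as-common-name" the authenticated username replaces the certificate CN, and without "duplicate-cn" a second session with the same effective CN terminates the first. The config texts and client names are constructed sample input.

```python
"""Model OpenVPN's effective client identity under username-as-common-name
and duplicate-cn (constructed illustration, not OPNsense/OpenVPN code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    username: str   # name used for user auth (e.g. the LDAP account)
    cert_cn: str    # common name in the client certificate


def parse_server_config(text: str) -> set[str]:
    """Return the bare option names found in an OpenVPN server config.
    Lines starting with '#' or ';' are comments and ignored."""
    opts = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            opts.add(line.split()[0])
    return opts


def effective_cn(client: Client, opts: set[str]) -> str:
    """username-as-common-name makes OpenVPN use the authenticated username
    instead of the certificate CN for all per-client handling."""
    if "username-as-common-name" in opts:
        return client.username
    return client.cert_cn


def simulate(clients: list[Client], opts: set[str]) -> list[str]:
    """Connect clients in order and return the certificate CNs of the
    sessions still active afterwards. Without duplicate-cn, a new session
    whose effective CN is already active replaces the earlier session."""
    active: dict[str, list[Client]] = {}
    for c in clients:
        cn = effective_cn(c, opts)
        if "duplicate-cn" in opts:
            active.setdefault(cn, []).append(c)
        else:
            active[cn] = [c]   # earlier session with this CN is terminated
    return [c.cert_cn for sessions in active.values() for c in sessions]


# Constructed sample: the situation from the original post, one LDAP user
# with two device certificates.
DEVICES = [Client("user", "user-thinkpad"), Client("user", "user-android")]
DEFAULT_CFG = "server 10.8.0.0 255.255.255.0\nusername-as-common-name\n"
PATCHED_CFG = "server 10.8.0.0 255.255.255.0\n# username-as-common-name\n"
```

Running simulate(DEVICES, parse_server_config(DEFAULT_CFG)) leaves only the last device connected, while the patched config (option removed) keeps both; adding "duplicate-cn" to the default config also keeps both, but then both sessions share the single identity "user".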
-
...problems with two OpenVPN peer-to-peer servers on one box are totally unrelated?
https://forum.opnsense.org/index.php?topic=3545.0
-
# opnsense-patch b2f4f1341
Note the patch is not final, and that it will be removed on firmware upgrades.
The code is here...
https://github.com/opnsense/core/commit/b2f4f1341d
Hi Franco,
that patch solved my issue! I'm going on vacation today, maybe I'm able to supply a merge request in 2 weeks, so others are able to set that using the web UI.
Thanks! ;)
-
Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into 16.7.3. :)
-
Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into 16.7.3. :)
That would be really nice!
-
Just went in as a GUI option, thanks again for the report.