OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: opnsenseuser123 on August 22, 2016, 10:34:51 am

Title: [SOLVED] OpenVPN Server client common name issue
Post by: opnsenseuser123 on August 22, 2016, 10:34:51 am
Hello,

I've set up an OpenVPN server using the wizard and it works as expected. But I have one issue which, right now, is kind of a dealbreaker for me. Here is the situation: I currently have one user, me, and two client certificates with different common names (like: user-thinkpad and user-android). The problem is that the OPNsense OpenVPN implementation appears to use the username as the common name! As soon as I connect to the VPN using any second connection, the first one gets terminated. I know it is possible to allow multiple same clients, but that is not what I want and not what I expect to work. I've set up OpenVPN servers on bare Linux machines in the past and I never had that problem. The certificates on both clients are correct; they have their own correct common names.

Has anyone run into this problem? Does anyone have a solution?

(http://i.imgur.com/uUs9NAZ.png)
Title: Re: OpenVPN Server client common name issue
Post by: franco on August 23, 2016, 10:09:37 am
I think you're missing the "duplicate-cn" server entry:

http://www.linuxquestions.org/questions/linux-server-73/openvpn-duplicate-cn-recommendation-925896/


Cheers,
Franco
Title: Re: OpenVPN Server client common name issue
Post by: opnsenseuser123 on August 23, 2016, 04:17:31 pm
I know it is possible to allow multiple same clients, but that is not what I want and not what I expect to work

Hi, no, that's just not what I wanted. My problem is that the OPNsense OpenVPN server implementation seems to use the username as the common name and not the certificate common name... I don't want to use multiple usernames because I'm authenticating against an external LDAP server.
Title: Re: OpenVPN Server client common name issue
Post by: franco on August 23, 2016, 04:48:04 pm
Okay, looks like we use OpenVPN's "username-as-common-name" setting by default for TLS/user auth server types. I did not know that. It's been like this for at least 5 years from the looks of it, so please excuse my confusion.

You can try the following patch to verify from the command line by running this:

# opnsense-patch b2f4f1341

Note the patch is not final, and that it will be removed on firmware upgrades.

The code is here...

https://github.com/opnsense/core/commit/b2f4f1341d


Cheers,
Franco
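As an added example (not code from OPNsense, OpenVPN or anyone in this thread): a small Python checker for the two server directives discussed above, `duplicate-cn` from Franco's first reply and `username-as-common-name` from his second. It reads an OpenVPN server config for those directives and parses the default (version 1) status file that OpenVPN writes with the `status` directive, so you can see which Common Name each session is actually tracked under. The config and status texts are constructed samples; the `ccd` path, file names and addresses are assumptions, not what OPNsense generates.

```python
"""Which Common Name does this OpenVPN server key client sessions on?

Added example, not OPNsense or OpenVPN code. Parses a server config for
username-as-common-name / duplicate-cn and a version 1 status file, and
reports the identity the server tracks sessions by. All text below is
constructed for illustration; paths and addresses are made up.
"""

# Constructed config as the thread describes the OPNsense default:
# the auth username replaces the certificate CN (ccd path assumed).
CONFIG_DEFAULT = """\
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
client-config-dir ccd
username-as-common-name
"""
# The workaround from the linked thread, and the patched (directive removed) form.
CONFIG_WORKAROUND = CONFIG_DEFAULT + "duplicate-cn\n"
CONFIG_PATCHED = CONFIG_DEFAULT.replace("username-as-common-name\n", "")

# Constructed status file: two devices of one user with username-as-common-name
# plus duplicate-cn in effect; the certificate CNs are no longer visible.
STATUS_USERNAME = """\
OpenVPN CLIENT LIST
Updated,Tue Aug 23 16:00:00 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
opnsenseuser123,203.0.113.10:51820,1024,2048,Tue Aug 23 15:59:00 2016
opnsenseuser123,198.51.100.7:41000,512,1024,Tue Aug 23 15:59:40 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,opnsenseuser123,203.0.113.10:51820,Tue Aug 23 15:59:30 2016
END
"""
# Constructed status file once the server keys on the certificate CN.
STATUS_CERT_CN = STATUS_USERNAME.replace(
    "opnsenseuser123,203.0.113.10", "user-thinkpad,203.0.113.10").replace(
    "opnsenseuser123,198.51.100.7", "user-android,198.51.100.7")


def parse_directives(config_text):
    """Map each directive to its arguments; lines starting with # or ; are comments."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def session_identity_mode(config_text):
    """Report what the server uses as the session Common Name and the consequences."""
    d = parse_directives(config_text)
    by_username = "username-as-common-name" in d
    report = {"keyed_on": "username" if by_username else "certificate CN",
              "duplicate_cn": "duplicate-cn" in d, "warnings": []}
    if by_username:
        report["warnings"].append(
            "username-as-common-name: the auth username replaces the certificate CN for "
            "session tracking, ccd lookups and the status file; two devices of one user "
            "collide unless duplicate-cn is also set.")
        if "client-config-dir" in d:
            report["warnings"].append(
                "client-config-dir files are looked up by username, so per-device "
                "certificate policy cannot be expressed.")
    if "duplicate-cn" in d:
        report["warnings"].append(
            "duplicate-cn: concurrent sessions under one CN are allowed, so a copied "
            "certificate can be used alongside the legitimate one without evicting it.")
    return report


def parse_status_v1(status_text):
    """Return {common_name: [real_address, ...]} from the CLIENT LIST section."""
    sessions, in_clients = {}, False
    for line in status_text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            in_clients = True
            continue
        if line.startswith("ROUTING TABLE"):
            break
        if not in_clients or line.startswith(("Updated,", "Common Name,")):
            continue
        fields = line.split(",")
        if len(fields) >= 5:
            sessions.setdefault(fields[0], []).append(fields[1])
    return sessions


def find_collisions(sessions):
    """Common Names carrying more than one live session (needs duplicate-cn)."""
    return sorted(cn for cn, addrs in sessions.items() if len(addrs) > 1)


if __name__ == "__main__":
    for label, cfg in (("default", CONFIG_DEFAULT), ("workaround", CONFIG_WORKAROUND),
                       ("patched", CONFIG_PATCHED)):
        mode = session_identity_mode(cfg)
        print(label, "-> keyed on", mode["keyed_on"], "; warnings:", len(mode["warnings"]))
    for label, status in (("username", STATUS_USERNAME), ("cert CN", STATUS_CERT_CN)):
        sessions = parse_status_v1(status)
        print(label, "sessions:", sessions, "collisions:", find_collisions(sessions))
```

The practical check this gives you: point `parse_status_v1` at the real status file of your server (or the same rows from the management socket's `status` command) and compare the Common Name column against the CNs you issued; if it shows your login name rather than `user-thinkpad` / `user-android`, the server is keying sessions on the username and `duplicate-cn` only hides the collision instead of fixing it.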
Title: Re: OpenVPN Server client common name issue
Post by: chemlud on August 23, 2016, 05:19:29 pm
...problems with two OpenVPN peer-to-peer servers on one box are totally unrelated?

https://forum.opnsense.org/index.php?topic=3545.0
Title: Re: OpenVPN Server client common name issue
Post by: opnsenseuser123 on August 24, 2016, 07:36:04 am
# opnsense-patch b2f4f1341

Note the patch is not final, and that it will be removed on firmware upgrades.

The code is here...

https://github.com/opnsense/core/commit/b2f4f1341d

Hi Franco,

that patch solved my issue! I'm going on vacation today; maybe I'm able to supply a merge request in 2 weeks, so others are able to set that using the web UI.

Thanks! ;)
Title: Re: OpenVPN Server client common name issue
Post by: franco on August 24, 2016, 07:47:11 am
Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into 16.7.3. :)
Title: Re: OpenVPN Server client common name issue
Post by: opnsenseuser123 on August 24, 2016, 11:06:18 am
Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into 16.7.3. :)

That would be really nice!
Title: Re: OpenVPN Server client common name issue
Post by: franco on August 25, 2016, 04:24:19 pm
Just went in as a GUI option, thanks again for the report.