[SOLVED] OpenVPN Server client common name issue

[opnsenseuser123]

Hello,

i've setup an OpenVPN server using the wizard and it works as expected. But i have one issue which, right now, is kind of a dealbreaker for me. Here is the situation: I currently have one user, me, and two client certificated with different common names (like: user-thinkpad and user-android). The Problem is, that the OPNsense OpenVPN implementation appears to use the username as the common name! As soon as i connect to the vpn using any second connection, the first one gets terminated. I know it is possible to allow multiple same clients, but that is not what i want and not what i expect to work. I've setup a OpenVPN servers on bare linux machines in the past and i never had that problem. The certificates on both clients are correct, they have there own correct common names.

Has anyone run into this problem? Does anyone have a solution?

[franco]

I think you're missing the "duplicate-cn" server entry:

http://www.linuxquestions.org/questions/linux-server-73/openvpn-duplicate-cn-recommendation-925896/


Cheers,
Franco

[opnsenseuser123]

I know it is possible to allow multiple same clients, but that is not what i want and not what i expect to work

Hi, no, thats just not what i wanted. My problem is that the OPNsense OpenVPN server implementation seems to use the username as the common name and not the certificate common name... I dont want to use multiple usernames because im authenticating against an external ldap server.

[franco]

Okay, looks like we use OpenVPN's "username-as-common-name" setting by default for TLS/user auth server types. I did not know that. It's been like this for at least 5 years from the looks of it, so please excuse my confusion.

You can try the following patch to verify from the command line by running this:

# opnsense-patch b2f4f1341

Note the patch is not final, and that it will be removed on firmware upgrades.

The code is here...

https://github.com/opnsense/core/commit/b2f4f1341d


Cheers,
Franco

[chemlud]

...problems with two openVPN peer-to-peer servers on one box are totally unrelated?

https://forum.opnsense.org/index.php?topic=3545.0

[opnsenseuser123]

# opnsense-patch b2f4f1341

Note the patch is not final, and that it will be removed on firmware upgrades.

The code is here...

https://github.com/opnsense/core/commit/b2f4f1341d

Hi Franco,

that patch solved my issue! I'm going on vaction today, maybe i'm able to supply a merge request in 2 weeks, so others are able to set that using the webui.

Danke!

[franco]

Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into to 16.7.3.

[opnsenseuser123]

Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into to 16.7.3.

That would be really nice!

[franco]

Just went in as a GUI option, thanks again for the report.