Author Topic: [SOLVED] OpenVPN Server client common name issue  (Read 8755 times)

guest14517

« on: August 22, 2016, 10:34:51 am »
Hello,

I've set up an OpenVPN server using the wizard and it works as expected. But I have one issue which, right now, is kind of a dealbreaker for me. Here is the situation: I currently have one user, me, and two client certificates with different common names (like: user-thinkpad and user-android). The problem is that the OPNsense OpenVPN implementation appears to use the username as the common name! As soon as I connect to the VPN using any second connection, the first one gets terminated. I know it is possible to allow multiple same clients, but that is not what I want and not what I expect to work. I've set up OpenVPN servers on bare Linux machines in the past and I never had that problem. The certificates on both clients are correct; they have their own correct common names.

Has anyone run into this problem? Does anyone have a solution?


franco

« Reply #1 on: August 23, 2016, 10:09:37 am »
I think you're missing the "duplicate-cn" server entry:

http://www.linuxquestions.org/questions/linux-server-73/openvpn-duplicate-cn-recommendation-925896/


Cheers,
Franco

guest14517

« Reply #2 on: August 23, 2016, 04:17:31 pm »
Quote from: opnsenseuser123 on August 22, 2016, 10:34:51 am
I know it is possible to allow multiple same clients, but that is not what I want and not what I expect to work

Hi, no, that's just not what I wanted. My problem is that the OPNsense OpenVPN server implementation seems to use the username as the common name and not the certificate common name... I don't want to use multiple usernames because I'm authenticating against an external LDAP server.

franco

« Reply #3 on: August 23, 2016, 04:48:04 pm »
Okay, looks like we use OpenVPN's "username-as-common-name" setting by default for TLS/user auth server types. I did not know that. It's been like this for at least 5 years from the looks of it, so please excuse my confusion.

You can try the following patch to verify from the command line by running this:

# opnsense-patch b2f4f1341

Note the patch is not final, and that it will be removed on firmware upgrades.

The code is here...

https://github.com/opnsense/core/commit/b2f4f1341d


Cheers,
Franco
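
The behaviour described in reply #3, as an added example that is not part of the original thread and is not OPNsense or OpenVPN code: a simplified Python model of a server that keeps one session per identity key, run over constructed configs with and without `username-as-common-name`. The function names, the sample configs and the auth-script path are assumptions; the two certificate names are the ones from the first post.

```python
# Added example: simplified model, not OpenVPN or OPNsense source code.
# Modelled behaviour (assumption of this sketch): one session per identity
# key unless duplicate-cn is set; username-as-common-name switches the key
# from the certificate CN to the authenticated username.

def parse_directives(conf_text):
    """Return the directive names present in an OpenVPN config text."""
    names = set()
    for line in conf_text.splitlines():
        # '#' and ';' start comments in OpenVPN config files
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            names.add(line.split()[0])
    return names

def session_key(directives, cert_cn, username):
    """Identity the modelled server uses to recognise a returning client."""
    if "username-as-common-name" in directives and username:
        return username
    return cert_cn

def simulate(conf_text, connections):
    """connections: (cert_cn, username) tuples in arrival order.
    Returns (active, dropped): active maps identity key -> connected
    certificate CNs, dropped lists the certificate CNs that were kicked."""
    directives = parse_directives(conf_text)
    active, dropped = {}, []
    for cert_cn, username in connections:
        key = session_key(directives, cert_cn, username)
        if key in active and "duplicate-cn" not in directives:
            dropped.extend(active.pop(key))  # newer session replaces older
        active.setdefault(key, []).append(cert_cn)
    return active, dropped

# Constructed sample configs; the script path is a placeholder.
WITH_OPTION = """\
# TLS + user auth server (constructed sample)
mode server
tls-server
auth-user-pass-verify /path/to/auth-script via-env
username-as-common-name
"""
WITHOUT_OPTION = WITH_OPTION.replace("username-as-common-name\n", "")
# One LDAP user, two devices with their own certificates (from the first post)
CONNECTIONS = [("user-thinkpad", "user"), ("user-android", "user")]

if __name__ == "__main__":
    for label, conf in (("with", WITH_OPTION), ("without", WITHOUT_OPTION)):
        print(label, *simulate(conf, CONNECTIONS))
```

Adding `duplicate-cn` to the first config also keeps both sessions up, but both then sit under the single key `user`, so anything keyed by common name can no longer tell the two devices apart.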

chemlud

« Reply #4 on: August 23, 2016, 05:19:29 pm »
...problems with two openVPN peer-to-peer servers on one box are totally unrelated?

https://forum.opnsense.org/index.php?topic=3545.0
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

guest14517

« Reply #5 on: August 24, 2016, 07:36:04 am »
Quote from: franco on August 23, 2016, 04:48:04 pm
# opnsense-patch b2f4f1341

Note the patch is not final, and that it will be removed on firmware upgrades.

The code is here...

https://github.com/opnsense/core/commit/b2f4f1341d

Hi Franco,

That patch solved my issue! I'm going on vacation today; maybe I'll be able to supply a merge request in 2 weeks, so others are able to set that using the web UI.

Thanks! ;)

franco

« Reply #6 on: August 24, 2016, 07:47:11 am »
Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into 16.7.3. :)

guest14517

« Reply #7 on: August 24, 2016, 11:06:18 am »
Quote from: franco on August 24, 2016, 07:47:11 am
Thanks, neat. I will discuss with Ad and we'll likely add a GUI item for this that should make it into 16.7.3. :)

That would be really nice!

franco

« Reply #8 on: August 25, 2016, 04:24:19 pm »
Just went in as a GUI option, thanks again for the report.