Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN with Remote Access (SSL/TLS + User Auth) // Auth Certificate issue

    Scheduled Pinned Locked Moved OpenVPN
    2 Posts 2 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      Diablo666 0
      last edited by

      Hi,

      I have Install and configure OpenVPN on Pfsense with (SSL/TLS + User Auth).

      Remote Access (SSL/TLS + User Auth)
Requires both certificates and username/password
Each user has a unique client configuration which includes their personal certificate and key
Most secure as there are multiple factors of authentication (TLS Key and Certificate that the user has, and the username/password they know)

      Everything is working fine, but suppose I have two users, A and B. When I try to connect with the profile (file .ovpn) of user B using the credentials of user A, it works.
      Additionally, when I remove the certificate of user A, for example, they can still connect to the VPN.
      My goal is, to link each user two his certificate and .ovpn file and if I remove the user certificate of a specific user, the .ovpn file becomes obsolete.
      Can you please help me understand and correct my configuration if needed?

      Best regards."

      BR.

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @Diablo666 0
        last edited by

        @Diablo666-0 said in OpenVPN with Remote Access (SSL/TLS + User Auth) // Auth Certificate issue:

        Everything is working fine, but suppose I have two users, A and B. When I try to connect with the profile (file .ovpn) of user B using the credentials of user A, it works.

        To avoid this, go to the server settings and check "Strict User-CN Matching" in the "Cryptographic Settings" section.
        Ensure that the CN in the client certificate matches the username.

        Additionally, when I remove the certificate of user A, for example, they can still connect to the VPN.

        Removing a valid client certificate is a bad idea at all. This cannot prohibit that the OpenVPN server is accepting it, because the server only verifies that the delivered client certificate is singed by the CA in use.
        To reject a client certificate you have to revoke it instead.

        Maybe you need to create a revocation list first (System > Certificates > Revocation) and add it the the OpenVPN server then.

        You may remove a certificate after its expiration though.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.