Netgate Discussion Forum

    Client specific overrides for multiple user certificates

    8 Posts 3 Posters 2.4k Views
    snow

      Hello,

      I know that it's possible to create client-specific overrides for each user (e.g. to give them a specific IP address).
      Currently I'm testing a scenario with multiple certificates per user. For example, one VPN certificate for the user's notebook and one for the user's tablet, etc.

      The problem I have is that it seems only the user's "Username" is relevant in the client-specific override settings.
      This means the override only works if the option "Common name" is set to the user's "Username".
      When changing the option "Common name" to the common name set in one of the user's certificates, the override is not working (e.g. the specific static IP address).

      Is this "normal" behaviour?

      P.S. I'm running the latest version, 2.3.3-RELEASE.

      Thanks in advance,
      snow

      Mathiew

        It seems normal (to me)

        Check this option on the server:

        Enforce match : When authenticating users, enforce a match between the common name of the client certificate and the username given at login.

        jimp (Rebel Alliance Developer, Netgate)

          When using user auth, the username is treated as the common name for overrides, so that is normal.

          Enforcing the username/CN match is the correct way to ensure that users are not using certificates meant for other people.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          snow

            Hi,

            As suggested, I checked the option "Strict User-CN Matching" (Enforce match).

            But when trying to connect with the OpenVPN client, I'm now getting the following error on the client side:

            Mon Mar  6 14:55:19 2017 AUTH: Received control message: AUTH_FAILED
            Mon Mar  6 14:55:19 2017 SIGTERM[soft,auth-failure] received, process exiting

            The following is displayed in the OpenVPN server log:

            Mar 6 14:55:20 openvpn 72636 192.168.60.153:1194 [test_user1_cert1] Peer Connection Initiated with [AF_INET]192.168.60.153:1194
            Mar 6 14:55:20 openvpn 72636 192.168.60.153:1194 TLS Auth Error: Auth Username/Password verification failed for peer
            Mar 6 14:55:20 openvpn 72636 192.168.60.153:1194 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
            Mar 6 14:55:20 openvpn         Username does not match certificate common name (test_user1 != test_user1_cert1), access denied.

            To connect, I was using the username "test_user1" with the certificate CN "test_user1_cert1".
            To get a static IP address, I created a client-specific override with common name = "test_user1_cert1".

            For user "test_user1", I created 2 certificates: one with CN="test_user1_cert1" and one with CN="test_user1_cert2".

            If required, please find below some more information about the OpenVPN server config:

            Server mode: "Remote Access (SSL/TLS + User Auth)"
            Backend for authentication: "Local Database"
            Strict User-CN Matching: Enabled (Enforce match)

            Thanks in advance,
            snow

            Mathiew

              In your case, 1 user with 2 certificates, I'm pretty sure you have to uncheck this.

              Because if your certificate's CN is test-user-cert1 and your user is test-user1, there's no match, so no connection is allowed… As the log says.

              But I think that you want 1 specific override for 2 different certificates… So I'm not sure you can do this.

              jimp

                You need to generate new certificates with common names that match your usernames. Otherwise what you want to do is not possible.

                snow

                  This means I can only use one certificate per user?

                  What I would like to have is multiple certificates per user.
                  For example, to connect with OpenVPN from several devices (e.g. notebook, tablet, Android) at the same time and with the same user, but with a different certificate on each device.

                  jimp

                    No, that is not viable if you wish to use overrides and perform strict user/cn matching.

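The behaviour jimp describes in this thread, replayed as a small Python model. This is an added example, not pfSense's or OpenVPN's code; it assumes exactly the two rules stated above (under user auth the username is used as the common name for the override lookup, and strict matching rejects a login whose username differs from the certificate CN), assumes the local-database password check has already passed, and uses a constructed `ifconfig-push` line as a stand-in for the static address an override would push. The last scenario goes one step beyond the posts: it shows that with the override keyed on the username, every one of that user's device certificates resolves to the same override, which is why per-device addresses cannot be expressed this way.

```python
"""Model of override lookup and strict username/CN matching for an OpenVPN
"Remote Access (SSL/TLS + User Auth)" server, as described in this thread.
Added illustration only; the rules are the ones stated in the thread, not
pfSense's or OpenVPN's actual implementation."""

from dataclasses import dataclass, field


@dataclass
class ServerConfig:
    user_auth: bool = True                 # SSL/TLS + User Auth mode
    strict_user_cn_match: bool = False     # "Strict User-CN Matching" / "Enforce match"
    # Client-specific overrides keyed by the override's "Common name" field.
    # Values are the directives pushed to that client (assumed format).
    overrides: dict[str, list[str]] = field(default_factory=dict)


@dataclass
class Attempt:
    username: str   # username given at login
    cert_cn: str    # CN of the client certificate presented


def auth_user_pass_verify(cfg: ServerConfig, attempt: Attempt) -> tuple[bool, str]:
    """Model the --auth-user-pass-verify step seen in the posted server log.
    Only the strict-match rule is modelled; the password check is assumed OK."""
    if cfg.strict_user_cn_match and attempt.username != attempt.cert_cn:
        return False, ("Username does not match certificate common name "
                       f"({attempt.username} != {attempt.cert_cn}), access denied.")
    return True, "ok"


def override_key(cfg: ServerConfig, attempt: Attempt) -> str:
    """With user auth the username is treated as the common name for override
    lookup; with certificate-only auth the certificate CN would be used."""
    return attempt.username if cfg.user_auth else attempt.cert_cn


def connect(cfg: ServerConfig, attempt: Attempt) -> tuple[str, list[str]]:
    """Return (status, directives pushed) for one connection attempt."""
    ok, msg = auth_user_pass_verify(cfg, attempt)
    if not ok:
        return "AUTH_FAILED: " + msg, []
    return "CONNECTED", cfg.overrides.get(override_key(cfg, attempt), [])


def thread_scenarios() -> dict:
    """Replay the configurations discussed in the thread."""
    static_ip = ["ifconfig-push 10.0.8.10 255.255.255.0"]   # constructed example directive
    user, cert1, cert2 = "test_user1", "test_user1_cert1", "test_user1_cert2"
    results = {}

    # 1. Override keyed on the certificate CN, strict matching off: the login
    #    succeeds but the override is never applied (lookup uses the username).
    cfg = ServerConfig(overrides={cert1: static_ip})
    results["cso_on_cert_cn"] = connect(cfg, Attempt(user, cert1))

    # 2. Same setup with strict matching on: denied, as in the posted log.
    cfg.strict_user_cn_match = True
    results["strict_mismatch"] = connect(cfg, Attempt(user, cert1))

    # 3. jimp's fix: certificate CN equals the username, override keyed on it.
    cfg = ServerConfig(strict_user_cn_match=True, overrides={user: static_ip})
    results["cn_equals_username"] = connect(cfg, Attempt(user, user))

    # 4. Override keyed on the username, strict matching off: both device
    #    certificates resolve to the same override, so they cannot get
    #    different static addresses through overrides.
    cfg = ServerConfig(overrides={user: static_ip})
    results["two_certs_same_override"] = [
        connect(cfg, Attempt(user, cn)) for cn in (cert1, cert2)
    ]
    return results


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 2 reproduces the exact denial message from the server log above, and scenario 4 is why the answer to "multiple certificates per user, each with its own override" is no: the override is selected by username, not by which of the user's certificates was presented.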
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.