Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    TLS Authentication - have I misunderstood something?

    OpenVPN
    2
    2
    436
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      semprini last edited by

      Something is not right with my OpenVPN setup and I hope the clever people here can explain if I have misunderstood something.

      I have followed the instructions to set up an OpenVPN server, configured with Remote Access (SSL/TLS + User Auth) and using local users. I have done the business with the CA cert, and I have created users, and user certs. Each user account has its own user cert.

      I have exported the setup files and I have the expected .ovpn config file, the .key static key, and the .p12 TLS cert.

      Everything works fine (Windows and Linux clients) and I can log in and use the VPN. So far so good.

      Here's where it gets interesting. I have two computers, each with a different config because I log in with different user accounts from these two computers. Obviously on each computer the static key is the same, and the .p12 file is different. So:

      • Computer A has the .p12 for user A
      • Computer B has the .p12 for user B

      I just realised that on computer B, I can log in with the user name and password for user A. The .p12 file for user A is NOT present on that computer.

      I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.

      But this does not seem to be the case.

      So my question is: how can I possibly log in as user A on a computer with the .p12 for user B? Is this abnormal, or is my understanding of how the .p12 certs work incorrect?

      My config file looks like this:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote <my ip="">1194 udp
      lport 0
      verify-x509-name "<cn>" name
      auth-user-pass
      pkcs12 <host>-udp-1194-<username>.p12
      tls-auth <host>-udp-1194-<username>-tls.key 1
      ns-cert-type server
      comp-lzo adaptive

      The <cn>is the same for both users; is this the problem?

      Many thanks for any enlightenment!</cn></username></host></username></host></cn></my>

      1 Reply Last reply Reply Quote 0
      • V
        viragomann last edited by

        @semprini:

        I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.

        Got to the server settings and check "Strict User-CN Matching". Then it should behave the way you want.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post

        Products

        • Platform Overview
        • TNSR
        • pfSense
        • Appliances

        Services

        • Training
        • Professional Services

        Support

        • Subscription Plans
        • Contact Support
        • Product Lifecycle
        • Documentation

        News

        • Media Coverage
        • Press
        • Events

        Resources

        • Blog
        • FAQ
        • Find a Partner
        • Resource Library
        • Security Information

        Company

        • About Us
        • Careers
        • Partners
        • Contact Us
        • Legal
        Our Mission

        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

        Subscribe to our Newsletter

        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

        © 2021 Rubicon Communications, LLC | Privacy Policy