1. Home
  2. pfSense® Software
  3. OpenVPN
  4. TLS Authentication - have I misunderstood something?

TLS Authentication - have I misunderstood something?

  • S

    Something is not right with my OpenVPN setup and I hope the clever people here can explain if I have misunderstood something.

    I have followed the instructions to set up an OpenVPN server, configured with Remote Access (SSL/TLS + User Auth) and using local users. I have done the business with the CA cert, and I have created users, and user certs. Each user account has its own user cert.

    I have exported the setup files and I have the expected .ovpn config file, the .key static key, and the .p12 TLS cert.

    Everything works fine (Windows and Linux clients) and I can log in and use the VPN. So far so good.

    Here's where it gets interesting. I have two computers, each with a different config because I log in with different user accounts from these two computers. Obviously on each computer the static key is the same, and the .p12 file is different. So:

    • Computer A has the .p12 for user A
    • Computer B has the .p12 for user B

    I just realised that on computer B, I can log in with the user name and password for user A. The .p12 file for user A is NOT present on that computer.

    I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.

    But this does not seem to be the case.

    So my question is: how can I possibly log in as user A on a computer with the .p12 for user B? Is this abnormal, or is my understanding of how the .p12 certs work incorrect?

    My config file looks like this:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote <my ip="">1194 udp
    lport 0
    verify-x509-name "<cn>" name
    auth-user-pass
    pkcs12 <host>-udp-1194-<username>.p12
    tls-auth <host>-udp-1194-<username>-tls.key 1
    ns-cert-type server
    comp-lzo adaptive

    The <cn>is the same for both users; is this the problem?

    Many thanks for any enlightenment!</cn></username></host></username></host></cn></my>

    0
  • V

    @semprini:

    I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.

    Got to the server settings and check "Strict User-CN Matching". Then it should behave the way you want.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy