Netgate Discussion Forum
    TLS Authentication - have I misunderstood something?

    Category: OpenVPN · 2 Posts · 2 Posters · 2.0k Views
    semprini:

      Something is not right with my OpenVPN setup and I hope the clever people here can explain if I have misunderstood something.

      I have followed the instructions to set up an OpenVPN server, configured with Remote Access (SSL/TLS + User Auth) and using local users. I have done the business with the CA cert, and I have created users, and user certs. Each user account has its own user cert.

      I have exported the setup files and I have the expected .ovpn config file, the .key static key, and the .p12 TLS cert.

      Everything works fine (Windows and Linux clients) and I can log in and use the VPN. So far so good.

      Here's where it gets interesting. I have two computers, each with a different config because I log in with different user accounts from these two computers. Obviously on each computer the static key is the same, and the .p12 file is different. So:

      • Computer A has the .p12 for user A
      • Computer B has the .p12 for user B

      I just realised that on computer B, I can log in with the user name and password for user A. The .p12 file for user A is NOT present on that computer.

      I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.

      But this does not seem to be the case.

      So my question is: how can I possibly log in as user A on a computer with the .p12 for user B? Is this abnormal, or is my understanding of how the .p12 certs work incorrect?

      My config file looks like this:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote <my ip> 1194 udp
      lport 0
      verify-x509-name "<cn>" name
      auth-user-pass
      pkcs12 <host>-udp-1194-<username>.p12
      tls-auth <host>-udp-1194-<username>-tls.key 1
      ns-cert-type server
      comp-lzo adaptive

      The <cn> is the same for both users; is this the problem?

      Many thanks for any enlightenment!

    viragomann:

        @semprini:

        I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.

        Go to the server settings and check "Strict User-CN Matching". Then it should behave the way you want.

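As an added illustration (not code from this thread, pfSense or OpenVPN), here is a small Python model of why the login above succeeds: OpenVPN's auth-user-pass-verify hook receives the typed credentials and the presented client certificate's CN as separate values (the `username`, `password` and `common_name` environment variables), and nothing ties them together unless a check like Strict User-CN Matching is applied. The user database, passwords and CN values below are constructed.

```python
"""Model of the credential/certificate binding gap from the thread.
OpenVPN exports the client cert's CN as `common_name` and the typed
credentials as `username` / `password` to an auth-user-pass-verify
script; `authorize()` shows the outcome with and without a strict
user-to-CN check (added example, not pfSense's or OpenVPN's own code)."""
import hashlib
import hmac
import os

# Constructed local user database: username -> salted SHA-256 hash.
SALT = b"example-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


USERS = {"userA": _digest("passA"), "userB": _digest("passB")}


def password_ok(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown user fails."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _digest(password))


def cn_matches_user(common_name: str, username: str) -> bool:
    """Strict User-CN Matching: the CN of the presented client cert must
    equal the login name exactly (case-sensitive, no prefix/substring match)."""
    return common_name == username


def authorize(env: dict, strict_cn: bool) -> bool:
    """Return True if the session would be accepted.
    `env` mimics the variables OpenVPN hands to the verify script."""
    user = env.get("username", "")
    if not password_ok(user, env.get("password", "")):
        return False
    if strict_cn and not cn_matches_user(env.get("common_name", ""), user):
        return False
    return True


# The thread's scenario: computer B holds user B's .p12, but user A's
# username and password are typed at the prompt (constructed values).
MISMATCH = {"username": "userA", "password": "passA", "common_name": "userB"}
MATCH = {"username": "userA", "password": "passA", "common_name": "userA"}

if __name__ == "__main__":
    # Without the strict check the mismatched cert is accepted; with it, refused.
    print(authorize(MISMATCH, strict_cn=False), authorize(MISMATCH, strict_cn=True))
    # In a real hook the same call would be authorize(dict(os.environ), True).
```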
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.