TLS Authentication - have I misunderstood something?



  • Something is not right with my OpenVPN setup and I hope the clever people here can explain if I have misunderstood something.

    I have followed the instructions to set up an OpenVPN server, configured with Remote Access (SSL/TLS + User Auth) and using local users. I have done the business with the CA cert, and I have created users, and user certs. Each user account has its own user cert.

    I have exported the setup files and I have the expected .ovpn config file, the .key static key, and the .p12 TLS cert.

    Everything works fine (Windows and Linux clients) and I can log in and use the VPN. So far so good.

    Here's where it gets interesting. I have two computers, each with a different config because I log in with different user accounts from these two computers. Obviously on each computer the static key is the same, and the .p12 file is different. So:

    • Computer A has the .p12 for user A
    • Computer B has the .p12 for user B

    I just realised that on computer B, I can log in with the user name and password for user A. The .p12 file for user A is NOT present on that computer.

    I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.

    But this does not seem to be the case.

    So my question is: how can I possibly log in as user A on a computer with the .p12 for user B? Is this abnormal, or is my understanding of how the .p12 certs work incorrect?

    My config file looks like this:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote <my ip> 1194 udp
    lport 0
    verify-x509-name "<cn>" name
    auth-user-pass
    pkcs12 <host>-udp-1194-<username>.p12
    tls-auth <host>-udp-1194-<username>-tls.key 1
    ns-cert-type server
    comp-lzo adaptive

    The <cn> is the same for both users; is this the problem?

    Many thanks for any enlightenment!



  • @semprini:

    I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.

    Go to the server settings and check "Strict User-CN Matching". Then it should behave the way you want.
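    As an added illustration (not code from this thread and not pfSense's own auth script), the following is the kind of check that "strict user-CN matching" adds on the server side: an auth-user-pass-verify helper that rejects a login whenever the username presented does not equal the common name of the client certificate, which is exactly what lets user A's credentials succeed from computer B above when every .p12 shares one CN. It assumes OpenVPN runs it as `auth-user-pass-verify strict_cn.py via-env` with `script-security 3`, so that `username`, `password` and `common_name` arrive as environment variables; the DEMO_USERS table stands in for whatever real password backend the server uses.

```python
"""Constructed OpenVPN auth-user-pass-verify helper enforcing user/CN matching.

Assumed invocation (not from the thread):
    auth-user-pass-verify /etc/openvpn/strict_cn.py via-env
    script-security 3
OpenVPN then exports `username`, `password` and the client cert's
`common_name` in the environment and treats exit status 0 as success.
"""
import hmac
import os
import sys
from typing import Callable, Mapping


def strict_user_cn_check(env: Mapping[str, str]) -> bool:
    """True only if the login username equals the certificate CN.

    Without this, a valid cert with any CN plus any valid username/password
    is accepted, so a shared CN cannot tie a .p12 to a particular account.
    """
    username = env.get("username", "")
    common_name = env.get("common_name", "")
    return bool(username) and username == common_name


def authenticate(env: Mapping[str, str],
                 password_ok: Callable[[str, str], bool]) -> bool:
    """Login succeeds only if the CN matches AND the credentials are valid."""
    if not strict_user_cn_check(env):
        return False
    return password_ok(env.get("username", ""), env.get("password", ""))


# Constructed demo backend; a real server would consult PAM, LDAP, RADIUS, etc.
DEMO_USERS = {"userA": "secretA", "userB": "secretB"}


def demo_password_ok(user: str, pw: str) -> bool:
    stored = DEMO_USERS.get(user)
    # Constant-time comparison so the demo does not leak via timing.
    return stored is not None and hmac.compare_digest(stored, pw)


if __name__ == "__main__":
    # Non-zero exit status makes OpenVPN reject the connection.
    sys.exit(0 if authenticate(os.environ, demo_password_ok) else 1)
```

    With the thread's setup (one CN on every cert), user A logging in with user B's .p12 is rejected by this check; issuing each cert with CN equal to the account name makes the intended combination pass.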

