TLS Authentication - have I misunderstood something?
-
Something is not right with my OpenVPN setup and I hope the clever people here can explain if I have misunderstood something.
I have followed the instructions to set up an OpenVPN server, configured with Remote Access (SSL/TLS + User Auth) and using local users. I have done the business with the CA cert, and I have created users, and user certs. Each user account has its own user cert.
I have exported the setup files and I have the expected .ovpn config file, the .key static key, and the .p12 TLS cert.
Everything works fine (Windows and Linux clients) and I can log in and use the VPN. So far so good.
Here's where it gets interesting. I have two computers, each with a different config because I log in with different user accounts from these two computers. Obviously on each computer the static key is the same, and the .p12 file is different. So:
- Computer A has the .p12 for user A
- Computer B has the .p12 for user B
I just realised that on computer B, I can log in with the user name and password for user A. The .p12 file for user A is NOT present on that computer.
I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.
But this does not seem to be the case.
So my question is: how can I possibly log in as user A on a computer with the .p12 for user B? Is this abnormal, or is my understanding of how the .p12 certs work incorrect?
My config file looks like this:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote <my ip> 1194 udp
lport 0
verify-x509-name "<cn>" name
auth-user-pass
pkcs12 <host>-udp-1194-<username>.p12
tls-auth <host>-udp-1194-<username>-tls.key 1
ns-cert-type server
comp-lzo adaptive
The <cn> is the same for both users; is this the problem?
Many thanks for any enlightenment!
-
I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login.
Go to the server settings and check "Strict User-CN Matching". Then it should behave the way you want.
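To make the answer concrete, here is an added example (not pfSense or OpenVPN code, and not from either poster) that models the check a "strict user/CN matching" setting performs. The assumption it rests on is the one OpenVPN documents for --auth-user-pass-verify scripts run in via-env mode: the script sees the login name in the username environment variable and the subject CN of the presented client certificate in common_name, and the connection is allowed only if the script exits 0. The login attempts below are constructed from the two-computer scenario in the question.

```python
"""Model of the check behind OpenVPN "strict user/CN matching".

Added example for this thread, not pfSense or OpenVPN code. Assumption:
OpenVPN runs an --auth-user-pass-verify script (via-env) with the login
name in $username and the client certificate's subject CN in $common_name,
and allows the session only when the script exits 0. Password checking
itself happens elsewhere (the local user database); this script only
binds the authenticated username to the certificate that was presented.
"""
import os
import sys


def strict_cn_check(username: str, common_name: str) -> bool:
    """Accept only when the certificate CN equals the login username.

    Without this binding, any client certificate issued by the VPN's CA
    plus any valid username/password is enough to connect, which is the
    behaviour the question observes on computer B.
    """
    # Exact, case-sensitive comparison of the two values OpenVPN supplies.
    return bool(username) and username == common_name


def evaluate_logins(attempts):
    """Run the check over (computer, username, cert_cn) tuples.

    Returns {(computer, username): "accept" | "reject"}.
    """
    results = {}
    for computer, username, cert_cn in attempts:
        verdict = "accept" if strict_cn_check(username, cert_cn) else "reject"
        results[(computer, username)] = verdict
    return results


def verify_from_env(environ=None) -> int:
    """Entry point for --auth-user-pass-verify <script> via-env.

    Returns the process exit status OpenVPN interprets: 0 allow, 1 deny.
    """
    environ = os.environ if environ is None else environ
    username = environ.get("username", "")
    common_name = environ.get("common_name", "")
    return 0 if strict_cn_check(username, common_name) else 1


# Constructed sample: the .p12 on each computer carries that computer's
# user certificate; the third row is user A's credentials typed on
# computer B, which only holds user B's certificate.
SAMPLE_ATTEMPTS = [
    ("computer A", "userA", "userA"),
    ("computer B", "userB", "userB"),
    ("computer B", "userA", "userB"),
]

if __name__ == "__main__":
    if "username" in os.environ:
        # Invoked by OpenVPN: decide this one connection and exit.
        sys.exit(verify_from_env())
    for (computer, user), verdict in evaluate_logins(SAMPLE_ATTEMPTS).items():
        print(f"{computer}: login as {user} -> {verdict}")
```

Run without arguments it prints the three verdicts; the cross-user row on computer B is rejected while the two matching rows are accepted. The comparison is deliberately an exact string match, so the CN placed in each user certificate has to be the login name itself, which is also why the shared <cn> in the question's verify-x509-name line (the server's name) is unrelated to this check.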