Client specific overrides for multiple user certificates



  • Hello,

    I know that's possible to create client specific overrides for each user (e.g. to give them a specific ip address).
    Currently I'm testing  a scenario with multiple certificates per user. For an example, one VPN certificate for the users notebook and one for the users tablet, etc.

    The problem I have, it seems only the users "Username" is relevant in the client specific overrides settings.
    This means, the override is working only then, if the option "Common name" is set to the users "Username".
    When changing the option "Common name" to the common name set in one of the users certificates, the override is not working (e.g. specific static ip address).

    Is this a "normal" behaviour?

    p.s. I'm running on latest version 2.3.3-RELEASE.

    Thanks in advance,
    snow



  • It seems normal (to me)

    Check this option on the server :

    Enforce match : When authenticating users, enforce a match between the common name of the client certificate and the username given at login.


  • Rebel Alliance Developer Netgate

    When using user auth, the username is treated as the common name for overrides, so that is normal.

    Enforcing the username/CN match is the correct way to ensure that users are not using certificates meant for other people.



  • Hi,

    As suggested, I checked the option "Strict User-CN Matching" (Enforce match).

    But when trying to connect with OpenVPN client, I'm now getting the following error on client side:

    Mon Mar  6 14:55:19 2017 AUTH: Received control message: AUTH_FAILED
    Mon Mar  6 14:55:19 2017 SIGTERM[soft,auth-failure] received, process exiting

    The following will be displayed in OpenVPN server log:

    Mar 6 14:55:20 openvpn 72636 192.168.60.153:1194 [test_user1_cert1] Peer Connection Initiated with [AF_INET]192.168.60.153:1194
    Mar 6 14:55:20 openvpn 72636 192.168.60.153:1194 TLS Auth Error: Auth Username/Password verification failed for peer
    Mar 6 14:55:20 openvpn 72636 192.168.60.153:1194 WARNING: Failed running command (–auth-user-pass-verify): external program exited with error status: 1
    Mar 6 14:55:20 openvpn         Username does not match certificate common name (test_user1 != test_user1_cert1), access denied.

    To connect, I was using the username "test_user1" with certificate CN "test_user1_cert1".
    To get a statice IP address, I did create a client specific override with common name = "test_user1_cert1".

    For user "test_user1", I created 2 certificates. One with CN="test_user1_cert1" and one with CN="test_user1_cert2"

    If required, please find below some more information about the OpenVPN server config:

    Server mode: "Remote Access (SSL/TLS + User Auth)"
    Backend for authentication: "Local Database"
    Strict User-CN Matching: Enabled (Enforce match)

    Thanks in advance,
    snow



  • In your case, 1 user with 2 certificates I'm pretty sure you have to uncheck this.

    Cause if your certificates CN is test-user-cert1 and your user test-user1 there's no match then so no connection allowed… As the log says.

    But, I think... that you want 1 specific overrides for 2 different certificates… So I'm not sure you can do this.


  • Rebel Alliance Developer Netgate

    You need to generate new certificates with common names that match your usernames. Otherwise what you want to do is not possible.



  • This means I can use only one certificate per user?

    What I would like to have would be multiple certificates per user.
    For an example, to connect with OpenVPN from several devices (e.g. Notebook, Tablet, Android) at the same time and with the same user, but with different certificates on each of the devices.


  • Rebel Alliance Developer Netgate

    No, that is not viable if you wish to use overrides and perform strict user/cn matching.