Netgate Discussion Forum

PFSense 2.3.4_1 username-as-common-name

Category: OpenVPN
5 Posts, 3 Posters, 2.7k Views
chriva:

Hi to all,
I have a problem with OpenVPN on pfSense 2.3.4-RELEASE-p1 (amd64) related (I think) to the OpenVPN username-as-common-name option.
The problem seems similar to https://forum.pfsense.org/index.php?topic=109814.15, but is a different one.

Problem:
The clients connecting to the VPN server get their IP based on the username, not the certificate name.

Before:
The behavior was correct in version 2.2.4-RELEASE (amd64).

Details:
Our users connect via VPN using devices with the specific client certificate installed on them:

• some users own a single device, some users own two or more devices
• each device is configured with a different certificate

pfSense/OpenVPN gets authentication for users connecting to the VPN via LDAP to a Windows Domain Controller.

For each certificate we have a CSO, pushing the correct parameters to each client (IP address, for example).

With previous versions, we episodically had users authenticating with username instead of common name (usually after a server-side config modification), but it was possible to revert to the desired behaviour by modifying the option in /var/etc/openvpn/server1.conf
username-as-common-name
to
# username-as-common-name

Since the update, the problem comes back immediately after a service restart, which is necessary for the previous change to take effect, making the VPN service unusable.

Is it possible to disable the option username-as-common-name in some way?
In the attachment you can find an edited version of the server configuration file.

Thanks in advance.

Attachment: server1.conf.txt
PiBa:

Don't edit the configuration files; as you have noticed, those changes are lost pretty soon.
You can better edit the pfSense code that generates those configuration files, though that will also be lost when you upgrade pfSense to a new version.

In /etc/inc/openvpn.inc remove or comment out the
$conf .= "username-as-common-name\n";
https://github.com/pfsense/pfsense/blob/61a8cc10858e49051a6976ccc7464ec34fd3ffce/src/etc/inc/openvpn.inc#L940

that was added in 2008 it seems: https://github.com/pfsense/pfsense/commit/3c11bd3c5b42e54f341b05f07bf27bc8131d80d3#diff-c12c4a41e9010812d2eebabf5c07ae88R358

Other than that it might be nice to make it optional, but apparently almost no-one finds this behavior a problem.
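PiBa's suggestion is a one-line edit of a PHP file that pfSense overwrites on upgrade, so it is worth keeping as a script that can be re-run and that checks its own result. The script below is an added example, not pfSense code: it comments out the emitting line in a copy of the generator, keeps a .bak copy and counts how many active directive lines remain. The PHP excerpt it writes is a constructed stand-in for /etc/inc/openvpn.inc, and the function names and temp-directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not pfSense code. Comments out the PHP line in openvpn.inc
# that emits "username-as-common-name", keeping a .bak copy, and verifies.
# The excerpt written below is constructed; on a real box FILE would be
# /etc/inc/openvpn.inc and the OpenVPN service would be restarted afterwards.

# disable_username_as_common_name FILE
# Idempotent: a line already prefixed with // no longer matches the pattern.
disable_username_as_common_name() {
    f="$1"
    cp "$f" "$f.bak"
    # Capture the leading indentation, then put a PHP line comment in front of
    # the statement. "\\n" in the pattern matches the literal \n in the source.
    sed 's|^\([[:space:]]*\)\([$]conf \.= "username-as-common-name\\n";\)|\1// \2|' \
        "$f.bak" > "$f"
}

# count_active_directive FILE -> number of uncommented emitting lines (0 = done)
count_active_directive() {
    grep -c '^[[:space:]]*[$]conf \.= "username-as-common-name\\n";' "$1" || true
}

# Constructed stand-in for the generator (assumption: the real file differs)
workdir=$(mktemp -d)
sample="$workdir/openvpn.inc"
cat > "$sample" <<'EOF'
<?php
// constructed excerpt, not the real pfSense generator
function openvpn_sample_conf() {
    $conf = "";
    $conf .= "dev tun\n";
    $conf .= "username-as-common-name\n";
    $conf .= "keepalive 10 60\n";
    return $conf;
}
EOF

before=$(count_active_directive "$sample")
disable_username_as_common_name "$sample"
after=$(count_active_directive "$sample")
echo "active directive lines: before=$before after=$after"
```

Pointed at the real file on pfSense, the same function leaves a .bak next to /etc/inc/openvpn.inc; after restarting the OpenVPN service, grep for username-as-common-name in /var/etc/openvpn/server1.conf should find nothing. Because the count check reports whether the line is still active, the script can simply be re-run after an upgrade has restored the original file.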
chriva:

On the previous releases (until 2.2.4 for sure) it was enough to comment out the line in the configuration.
But your solution is surely better: before, I also needed to run a script every few minutes or so to detect the config changes (usually when the server config was changed).

Surely I will do more experiments and testing: it seems to work as I expect now.

Many thanks!
maverick_slo:

Hi!
This should be made optional.

Use case:
Client has 2 devices, auth via AD.
One device is a PC, the other an iPad, for example.
So to assign each a static IP there is only one way to do it: create 2 AD accounts.

If there is no username-as-common-name directive, you simply create 2 certs and assign 2 different IP addresses based on the cert common name.

And I have 130 clients with 2 devices which need different IPs so I can assign different access rules :)
maverick_slo:

Also the keepalive directive should be configurable :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.