PFSense 2.3.4_1 username-as-common-name
-
Hi to all,
I have a problem with openVPN on pfsense 2.3.4-RELEASE-p1 (amd64) related ( I think) to openVPN username-as-common-name option
The problem seems similar to https://forum.pfsense.org/index.php?topic=109814.15 , but is a different one.Problem:
The clients connecting to VPN server get their ip based on the username, not the Certificate Name.Before:
The behavior was correct in version 2.2.4-RELEASE (amd64)Details:
Our users connect via VPN using devices with the specifica client certificate installed on it:- some user owns a single device, some user own two or more devices
- each device is configured with a different certificate
Pfsense\openVPN get authentication for users connecting to the VPN via LDAP to Windows Domain Controller
For each certificate we have a CSO, pushing correct parameters to each client (IP address for example)
With previous versions, we episodically had users authenticating with username instead of common name (usually after a server side config modification), but it was possible to revert to desired behaviour by modifying the option in /var/etc/openvpn/server1.conf
username-as-common-name
to
# username-as-common-nameSince the update, the problem comes back immediately after a service restart, necessary for the previous change to take effect: making the VPN service unusable.
Is it possible to disable the option username-as-common-name in some way?
In the attachment you can have a edited versione of server configuration file.Thanks in advance.
-
Don't edit the configuration files, as you have noticed those changes are lost pretty soon..
You can better edit the pfSense code that generates those configuration files, though that will also be lost when you upgrade pfSense to a new version..In /etc/inc/openvpn.inc remove or comment out the
$conf .= "username-as-common-name\n";
https://github.com/pfsense/pfsense/blob/61a8cc10858e49051a6976ccc7464ec34fd3ffce/src/etc/inc/openvpn.inc#L940that was added in 2008 it seems.. https://github.com/pfsense/pfsense/commit/3c11bd3c5b42e54f341b05f07bf27bc8131d80d3#diff-c12c4a41e9010812d2eebabf5c07ae88R358
Other than that it might be nice to make it optional but apparently almost no-one finds this behavior a problem..
-
On the previous releases (untill 2.2.4 for sure) it was enough to comment the line in configuration.
But you solution is surely better: before I also needed to run a script every few minutes or so to detect the config changes (usually when the server config where changed).Surely I will do more experiments and testing: it seems to work as I expect now.
Many thanks!
-
Hi!
This should be made optional.Use case:
Client has 2 devices, auth via AD.
1 device PC other Ipad for example.
So to assign each static IP there is only 1 way to do it = create 2 AD accounts.If there is no username as common name directive, you simply create 2 certs and assign 2 different IP addresses based on cert common name.
And I have 130 clients with 2 devices which need different IPs so I can assign different access rules :)
-
Also keepalive directive should be configurable :)