Netgate Discussion Forum
    Multiple devices shared between multiple users.

      jarrod1024

      Hi,

      I am trying to set up OpenVPN in a way that will allow me to have a separate certificate for each device while also allowing any user to log in on any company device with their own username and password. I would also like each user to be able to log in on more than one device at a time. Is this possible? I have tried to create extra user certificates in the cert manager and have added them to one of the devices, but it seems if the same user is signed in from 2 different devices, even with separate certificates, they get the same IP address and it doesn't work.

      I know I can enable duplicate connections, but can this be done without doing that? Also, what are the issues with enabling duplicate connections if it turns out I need to do that?

      I am planning on having laptops in some of the company vehicles that can connect to the company network as well as be able to connect from home.

      Thanks

        jarrod1024

        Is enabling duplicate connections and just allowing multiple devices to have the same certificate the only way to do this?

          viragomann

          If the certs have different CNs, each client should get another IP. However, if you have different CNs, you cannot use "Strict User-CN Matching".

          Why don't you want to enable "Duplicate Connection"? That option would be the easiest way to solve your issue.

            jarrod1024

            I've checked and the 2 certificates do have different CNs, but they are both still getting the same IP. I am currently using my phone and my laptop, which is tethered to my phone, to test this. I assume I am supposed to select "create an internal certificate" when I create new certificates for the devices? This is what I have done so far.

            Also, what ties the certificate to a user account in pfSense? Does the CN or the descriptive name have to match the username? The first certificate that was created through the user manager is tied to the user account that was created at the same time in the client export tool, but the second certificate I created later doesn't show up in the client export tool.

            As for the duplicate connections, the only reason I haven't enabled it is because it says it is not generally recommended.
            I have just tried enabling duplicate connections and they are now getting different IPs, so I guess it is working now with that enabled. Is there an easy way to export .ovpn files for each device with separate certificates without having to manually add the certificates though?

            Also, from what I understand so far, the user account and the certificate are separate things that are not tied to each other; the server just confirms that they are both correct separately before allowing access. Is this correct?

            Thanks

              jarrod1024

              Also the inability to use "Strict User-CN Matching" is not something I was initially concerned about. Should I be concerned about this?

                viragomann

                Yes, "create an internal certificate" is the way to go here.

                If you don't want to use "Duplicate Connection" and you have different CNs, you can also set up "client specific overrides" for each cert to get different IPs, but that's more work.

                @jarrod1024:

                Also, what ties the certificate to a user account in pfSense? Does the CN or the descriptive name have to match the username?

                Only the option "Strict User-CN Matching". If that isn't checked, any user can go with any user cert from the CA used by the server.

                @jarrod1024:

                Is there an easy way to export .ovpn files for each device with separate certificates without having to manually add the certificates though?

                Have you installed the openvpn-client-export package?

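
Added example, not part of the thread and not pfSense's generated configuration: the plain OpenVPN directives behind the options discussed above, with the duplicate-connection setting beside per-certificate address pinning. Paths, addresses and CNs are constructed, and whether a given server's generated config contains `username-as-common-name` is an assumption to check in that file.

```conf
# Constructed example: addresses, paths and CNs are placeholders.

# ---- Variant A: server fragment with duplicate connections (weaker) ----
server 10.8.0.0 255.255.255.0
topology subnet
# With user authentication, this makes the authenticated username the
# session's common name in place of the certificate CN. Two devices with
# different certificates but the same login then count as one client, so
# without duplicate-cn a new connection disconnects the earlier one.
username-as-common-name
# Any number of sessions may share a common name, each with its own pool
# address. A copied certificate or shared login no longer displaces the
# legitimate session, and no address maps to one known device.
duplicate-cn

# ---- Variant B: server fragment, one identity per device (stricter) ----
server 10.8.0.0 255.255.255.0
topology subnet
# No duplicate-cn and no username-as-common-name: the certificate CN names
# the session, and a per-CN file in this directory is applied after
# authentication (what a client specific override amounts to).
client-config-dir /path/to/ccd

# ---- /path/to/ccd/van-laptop-01  (file name = certificate CN) ----
ifconfig-push 10.8.0.11 255.255.255.0

# ---- /path/to/ccd/van-laptop-02 ----
ifconfig-push 10.8.0.12 255.255.255.0
```

With Variant B each device keeps a fixed tunnel address, so firewall rules and connection logs can be tied to a specific certificate rather than to whoever logged in.
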
                  jarrod1024

                  @viragomann:

                  If you don't want to use "Duplicate Connection" and you have different CNs, you can also set up "client specific overrides" for each cert to get different IPs, but that's more work.

                  Ok, I will just keep duplicate connections enabled.

                  @viragomann:

                  Have you installed the openvpn-client-export package?

                  Yes, I have. It does show one configuration per user, but the other certificate I made does not show up there.

                  Also, I am now unable to access the servers from my phone (Android, OpenVPN for Android) through the VPN. Not sure what happened there, as the only thing I have changed is enabling duplicate connections. I tried disabling duplicate connections but no change. I can still connect to them from my laptop though; I'm guessing for some reason the routes are not being added to my phone.

                  Update: Well my phone is working fine on my home wifi, I guess it has something to do with the cell network…
