Multiple devices shared between multiple users.
-
Hi,
I am trying to set up openvpn in a way that will allow me to have a seperate certificate for each device while also allowing any user to login on any company device with their own username and password. I would also like each user to be able to login on more than one device at a time. Is this possible? i have tried to create extra user certificates in the cert manager and have added them to one of the devices but it seems if the same user is signed in from 2 different devices, even with seperate certificates, they get the same ip address and it doesn't work.
I know i can enable duplicate connections but can this be done without doing that? Also what are the issues with enabling duplicate connections if it turns out i need to do that?
I am planning on having laptops in some of the company vehicles that can connect to the company network as well as be able to connect from home.
Thanks
-
is enabling duplicate connections and just allowing multiple devices to have the same certificate the only way to do this?
-
If the certs have different CN each client should get another IP. However, if you have different CN you cannot use "Strict User-CN Matching".
Why don't you want to enable "Duplicate Connection"? That option would be the easiest way to solve your issue.
-
I've checked and the 2 certificates do have different CN's but they are both still getting the same IP. I am currently using my phone and my laptop which is tethered to my phone to test this. I assume i am supposed to select "create an internal certificate" when i create new certificates for the devices? this is what i have done so far.
Also what ties the certificate to a user account in PFSense? Does the CN or the descriptive name have to match the username? The first certificate that was created through the user manager is tied to the user account that was created at the same time in the client export tool, but the second certificate i created later doesn't show up in the client export tool.
As for the duplicate connections, the only reason i haven't enabled it is because it says it is not generally recommended.
I have just tried enabling duplicate connections and they are now getting different IPs so i guess it is working now with that enabled. Is there an easy way to export .ovpn files for each device with seperate certificates without having to manually add the certificates though?Also from what i understand so far the user account and the certificate are seperate things that are not tied to eachother, the server just confirms that they are both correct seperately before allowing access, is this correct?
Thanks
-
Also the inability to use "Strict User-CN Matching" is not something I was initially concerned about. Should I be concerned about this?
-
Yes, "create an internal certificate" is the way to go here.
If you don't want to use "Duplicate Connection" and you've different CNs you can also set up "client specific overrides" for each cert to get different IPs, but that's more of work.
Also what ties the certificate to a user account in PFSense? Does the CN or the descriptive name have to match the username?
Only the option "Strict User-CN Matching". If that isn't checked any user can go with any user cert from the CA used by the server.
Is there an easy way to export .ovpn files for each device with seperate certificates without having to manually add the certificates though?
Have you installed the openvpn-client-export package?
-
If you don't want to use "Duplicate Connection" and you've different CNs you can also set up "client specific overrides" for each cert to get different IPs, but that's more of work.
Ok, I will just keep duplicate connections enabled.
Have you installed the openvpn-client-export package?
Yes I have. It does show one configuration per user, but the other certificate i made does not show up there.
Also I am now unable to access the servers from my phone (android, Openvpn for android) through the VPN, not sure what happened there as the only thing i have changed is enabling duplicate connections. I tried disabling duplicate connections but no change. I can still connect to them from my laptop though, I'm guessing for some reason the routes are not being added to my phone.
Update: Well my phone is working fine on my home wifi, I guess it has something to do with the cell network…