Netgate Discussion Forum

    How to assign a user to a specific OpenVPN instance?

    • Pontiac_CZ

      I have created two OpenVPN instances - the first one (port 1194) is for our external partner; they need to reach a specific computer in order to provide tech support.
      The other one runs on port 1195 and is meant for our employees.

      How do I assign our employee accounts to this second OpenVPN instance? One would say that's what the field "Backend for authentication" is for, but I am not able to modify it; it only contains the "Local Database" entry.

      When I downloaded the user configuration using Client Export Utility, I got files named <server>-udp-1194-<name>.<ext>. I tried them on my test laptop and it worked - but I connected to the 1194 instance instead of 1195.

      • viragomann

        If you use SSL/TLS-Auth you have to create a separate CA for each server. Then create server certs and user certs using the particular CAs.
        So only users whose cert is signed by the CA used by the appropriate server will be able to connect to it.

        If you only use User Auth, the only way is to use different user databases, like RADIUS or LDAP, but there is only one internal user database possible. You may add others in System > User Manager > Authentication Servers.

        • Pontiac_CZ

          Yes, I use SSL/TLS (+ user auth) for my OpenVPN instances.

          Thank you for your advice, that was it. So the lesson learned - you need to have a separate CA for a new OpenVPN instance.  :)

          I created a new CA, then both server and user certificates, assigned them to the 1195 OpenVPN instance and my user respectively. Then finally in Client Export Utility I could select a new entry in the Remote Access Server drop-down and my user was under this new server. Yes! Exported files had the correct name (with 1195) and worked as expected on my laptop. I only had to correct a few small bugs in my firewall rules.

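Added example, not part of the original thread: a sketch of why one CA per OpenVPN instance separates the users, using the openssl CLI to build two throwaway CAs and run the same chain check a server applies to a connecting client certificate. The CA and user names (partner-ca, employee-ca, partner1, employee1) are constructed for illustration, and CA creation relies on the stock openssl.cnf defaults.

```shell
#!/bin/sh
# Added illustration: all names and keys are constructed, short-lived,
# and written to a temp directory. Requires the openssl CLI.

make_ca() {      # $1 = CA name; creates a self-signed CA ($1.key, $1.crt)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_user() {   # $1 = CA name, $2 = user name; user cert signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# The check a server makes on a client certificate: does it chain to the
# one CA this instance trusts? Prints "accept" or "reject".
accepts() {      # $1 = CA trusted by the server instance, $2 = user name
    if openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

setup_pki() {    # one CA per instance, one user per CA
    workdir=$(mktemp -d) && cd "$workdir" || return 1
    make_ca partner-ca  && issue_user partner-ca partner1     # port 1194
    make_ca employee-ca && issue_user employee-ca employee1   # port 1195
}

matrix() {       # every server/user combination
    for ca in partner-ca employee-ca; do
        for user in partner1 employee1; do
            echo "instance CA=$ca  user=$user  -> $(accepts "$ca" "$user")"
        done
    done
}

setup_pki && matrix
```

With a single shared CA, every row of the matrix would read accept, which is the situation in the first post where the exported profile connected to the 1194 instance.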