How to assign a user to a specific OpenVPN instance?
-
I have created two OpenVPN instances - the first one (port 1194) is for our external partner, they need to reach a specific computer in order to provide a tech support.
The other one runs on port 1195 and is meant for our employees. How do I assign our employee accounts to this second OpenVPN instance? One would say that's what the field "Backend for authentication" is for, but I am not able to modify it; it only contains the "Local Database" entry.
When I downloaded the user configuration using the Client Export Utility, I got files named <server>-udp-1194-<name>.<ext>. Tried them on my test laptop and it worked - but I connected to the 1194 instance instead of 1195.
-
If you use SSL/TLS-Auth you have to create a separate CA for each server. Then create server certs and user certs using the particular CAs.
So only users whose cert is signed by the CA used by the appropriate server will be able to connect to it. If you only use User Auth, the only way is to use different user databases, like RADIUS or LDAP, but there is only one internal user database possible. You may add others in System > User Manager > Authentication Servers.
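As an added illustration of the answer above (not part of the thread, and not pfSense's or OpenVPN's own tooling): a small shell script that uses the openssl CLI to build the two-CA layout, issues one client certificate from each CA, and then checks which CA each certificate chains to. It shows why a user cert from the partner CA is rejected by a server that trusts only the employee CA, and vice versa. The CA names (partner-ca, employee-ca) and client names (partner-tech, alice) are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: one CA per OpenVPN instance, one client cert per CA.
# A server that trusts only its own CA cannot validate the other CA's clients.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_ca() {
  # $1 = CA name; writes a self-signed CA cert/key pair $1.crt / $1.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_client() {
  # $1 = issuing CA name, $2 = client CN; writes $2.crt signed by $1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

verify_client() {
  # $1 = CA the server trusts, $2 = client CN
  # prints "ok" and returns 0 if the cert chains to that CA, else "rejected" / 1
  if openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1; then
    echo ok; return 0
  else
    echo rejected; return 1
  fi
}

# Build the layout from the answer: separate CA per instance, certs from each.
make_ca partner-ca       # CA for the port 1194 instance
make_ca employee-ca      # CA for the port 1195 instance
issue_client partner-ca partner-tech
issue_client employee-ca alice

# Each client cert only validates against the CA that issued it.
for pair in "partner-ca partner-tech" "employee-ca alice" \
            "employee-ca partner-tech" "partner-ca alice"; do
  set -- $pair
  printf '%-13s against %-12s: %s\n' "$2" "$1" "$(verify_client "$1" "$2")"
done
```

The same check is what an OpenVPN server does during the TLS handshake when it is given its instance's CA certificate: a peer presenting a certificate from the other CA fails chain validation before any user/password authentication is even attempted, which is the isolation the answer relies on.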
-
Yes, I use SSL/TLS (+ user auth) for my OpenVPN instances.
Thank you for your advice, that was it. So the lesson learned - you need to have a separate CA for a new OpenVPN instance. :)
I created a new CA, then both server and user certificates, and assigned them to the 1195 OpenVPN instance and my user respectively. Then finally, in the Client Export Utility, I could select a new entry in the Remote Access Server drop-down and my user was under this new server. Yes! The exported files had the correct name (with 1195) and worked as expected on my laptop. I only had to correct a few small bugs in my firewall rules.