OpenVPN with TLS certs: one user/cert per IP?



  • pfsense-2.4.3p1, OpenVPN server for ThinClients ... I created one user with a user cert and set up the thin clients to authenticate with that user cert.

    Works, but if there are 2 TCs connecting at the same time it looks as if they get the same client-VPN-IP ... bad.

    Is that related to authenticating with the same user cert? Do I have to set up one cert per TC?
    I found the setting "Duplicate Connection" in the OpenVPN-server-tab ... would that help? Please advise, thanks.



  • Yes, if you really want to do it with a single user and cert, check "Duplicate Connection".



  • OK, we might try that. It would reduce maintenance complexity but is not as safe as possible, I know ...


  • Galactic Empire

    @sgw said in OpenVPN with TLS certs: one user/cert per IP?:

    works, but if there are 2 TCs connecting at the same time it looks as if they get the same client-VPN-IP ... bad.

    FreeRadius auth and framed IP addresses, I do it with my IPsec IKEv2 VPN ?

    # FreeRADIUS users file: one entry per client; reply items are indented,
    # comma-separated, and the last reply item carries no trailing comma
    "user1" Cleartext-Password := "xxxxxxxxxx", Simultaneous-Use := "1", Expiration := "Apr 11 2027"
    	Framed-IP-Address = 172.16.8.2,
    	Framed-IP-Netmask = 255.255.255.0,
    	Framed-Route = "0.0.0.0/0 172.16.8.1 1"

    "user2" Cleartext-Password := "xxxxxxxxxx", Simultaneous-Use := "1", Expiration := "Apr 11 2027"
    	Framed-IP-Address = 172.16.8.3,
    	Framed-IP-Netmask = 255.255.255.0,
    	Framed-Route = "0.0.0.0/0 172.16.8.1 1"


    It also allows me to create firewall rules per user if I need to.


  • Rebel Alliance Developer Netgate

    You want every user to have their own username and cert.

    If you put the same cert on every system, and one gets compromised, then you have to replace the cert on every single box.

    If you use individual certs, you only have to make a new cert for the one that was compromised.



  • I agree completely. But in this case we try to have generic TCs with one identical configuration.
    The configuration comes via IGEL UMS ... I can do individual config per TC but this complicates things.


  • Rebel Alliance Developer Netgate

    It may be convenient, but that is not a secure practice. It will almost certainly come back to bite you in the long run.



  • Ok, thanks, I will plan for one user/cert per TC then.

    EDIT: That means creating one user/cert per Thin Client on pfsense, and creating one specific profile (in terms of IGEL UMS) per TC (deploying the individual cert, configuring the VPN-connection to use that cert). Bit more work but manageable for 4 TCs as in my current case. btw: I plan to name the users/certs after the MAC of the TC to keep it traceable and not get something like user-names in there. OK?
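As an added example (not code from the thread or from pfSense/FreeRADIUS), this Python script ties the FreeRADIUS users-file entries posted above to the MAC-based naming planned here: it emits one entry per thin client named after its MAC, each with a unique Framed-IP-Address and Simultaneous-Use 1, and includes a check that flags a framed IP handed to more than one user. The MAC list, pool, gateway and password map are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample input (not from the thread): the thin clients' MACs,
# in the mixed notations a client inventory tends to arrive in.
THIN_CLIENT_MACS = ["00:11:22:33:44:55", "00-11-22-33-44-66", "0011.2233.4477"]

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, usable as a RADIUS user name."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def build_users_file(macs, passwords, pool="172.16.8.0/24",
                     gateway="172.16.8.1", expiry="Apr 11 2027"):
    """One FreeRADIUS users-file entry per client (assumed pool/gateway):
    unique Framed-IP-Address, Simultaneous-Use 1 so a second session under
    the same name is refused instead of silently sharing the address."""
    net = ipaddress.ip_network(pool)
    free = (h for h in net.hosts() if str(h) != gateway)  # never hand out the gateway
    names = [normalize_mac(m) for m in macs]
    if len(set(names)) != len(names):
        raise ValueError("duplicate MAC in client list")
    entries = []
    for mac, name in zip(macs, names):
        entries.append(
            f'"{name}" Cleartext-Password := "{passwords[mac]}", '
            f'Simultaneous-Use := "1", Expiration := "{expiry}"\n'
            f"\tFramed-IP-Address = {next(free)},\n"
            f"\tFramed-IP-Netmask = {net.netmask},\n"
            f'\tFramed-Route = "0.0.0.0/0 {gateway} 1"\n'  # last reply item: no comma
        )
    return "\n".join(entries)

def framed_ip_collisions(users_text):
    """Parse a users file and return {ip: [users]} for IPs assigned to more than one user."""
    seen, user = {}, None
    for line in users_text.splitlines():
        head = re.match(r'^"([^"]+)"', line)          # entry start: quoted user name
        if head:
            user = head.group(1)
            continue
        item = re.match(r"^\s+Framed-IP-Address\s*=\s*(\S+?),?\s*$", line)
        if item and user:
            seen.setdefault(item.group(1), set()).add(user)
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}
```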