Netgate Discussion Forum
    OpenVPN with TLS certs: one user/cert per IP?

    8 Posts 4 Posters 858 Views
    sgw

      pfsense-2.4.3p1, OpenVPN server for ThinClients ... I created one user with a user cert and set up the thin clients to authenticate with that user cert.

      works, but if there are 2 TCs connecting at the same time it looks as if they get the same client-VPN-IP ... bad.

      Is that related to authenticating with the same user cert? Do I have to set up one cert per TC?
      I found the setting "Duplicate Connection" in the OpenVPN-server-tab ... would that help? Please advise, thanks.

        viragomann

        Yes, if you really want to do it with a single user and cert, check "Duplicate Connection".

          sgw

          OK, we might try that. It would reduce maintenance complexity but is not as safe as possible, I know ...

            NogBadTheBad @sgw
            last edited by NogBadTheBad

            @sgw said in OpenVPN with TLS certs: one user/cert per IP?:

            works, but if there are 2 TCs connecting at the same time it looks as if they get the same client-VPN-IP ... bad.

            FreeRadius auth and framed IP addresses, I do it with my IPsec IKEv2 VPN ?

            # FreeRADIUS "users" file: check items on the first line, reply items
            # (indented) on the following lines. The last reply item of each entry
            # must not end with a comma, or the parser treats the next entry as a
            # continuation of this one.
            "user1" Cleartext-Password := "xxxxxxxxxx", Simultaneous-Use := "1", Expiration := "Apr 11 2027"
            	Framed-IP-Address = 172.16.8.2,
            	Framed-IP-Netmask = 255.255.255.0,
            	Framed-Route = "0.0.0.0/0 172.16.8.1 1"

            "user2" Cleartext-Password := "xxxxxxxxxx", Simultaneous-Use := "1", Expiration := "Apr 11 2027"
            	Framed-IP-Address = 172.16.8.3,
            	Framed-IP-Netmask = 255.255.255.0,
            	Framed-Route = "0.0.0.0/0 172.16.8.1 1"

            It also allows me to create firewall rules per user if I need to.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              jimp Rebel Alliance Developer Netgate

              You want every user to have their own username and cert.

              If you put the same cert on every system, and one gets compromised, then you have to replace the cert on every single box.

              If you use individual certs, you only have to make a new cert for the one that was compromised.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                sgw

                I agree completely. But in this case we try to have generic TCs with one identical configuration.
                The configuration comes via IGEL UMS ... I can do individual config per TC but this complicates things.

                  jimp Rebel Alliance Developer Netgate

                  It may be convenient, but that is not a secure practice. It will almost certainly come back to bite you in the long run.

                    sgw
                    last edited by sgw

                    Ok, thanks, I will plan for one user/cert per TC then.

                    EDIT: That means creating one user/cert per Thin Client on pfsense, and creating one specific profile (in terms of IGEL UMS) per TC (deploying the individual cert, configuring the VPN-connection to use that cert). Bit more work but manageable for 4 TCs as in my current case. btw: I plan to name the users/certs after the MAC of the TC to keep it traceable and not get something like user-names in there. OK?

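The plan the thread converges on (one certificate per thin client, named after its MAC, each client pinned to its own tunnel address, no "Duplicate Connection") can be expressed as OpenVPN client-config-dir entries keyed on the certificate CN, which is what a pfSense Client Specific Override writes. The script below is an added example for this thread, not pfSense, OpenVPN or IGEL code. It assumes a server running with `topology subnet` on a constructed tunnel network 10.8.0.0/24, derives CNs from MACs in the form `tc-aabbccddeeff`, hands out one unique address per CN (the OpenVPN counterpart of NogBadTheBad's per-user Framed-IP-Address), renders the `ifconfig-push` override for each, and audits a server config for the `duplicate-cn` setting the thread advises against.

```python
"""Per-client OpenVPN address assignment keyed on certificate CN.

Added example for this forum thread; not pfSense/OpenVPN project code.
Assumptions (all constructed for the example):
- the server runs with `topology subnet` on TUNNEL_NET below;
- each thin client has its own certificate whose CN is derived from its MAC.
"""
import ipaddress
import re

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # constructed tunnel network
SERVER_ADDR = TUNNEL_NET.network_address + 1        # OpenVPN takes the first host address (.1)
FIRST_CLIENT_INDEX = 1                              # clients start at the second host (.2)

# 12 hex digits, with ':' or '-' separators or none, but not a mix of styles
_MAC_RE = re.compile(r"^([0-9a-f]{2})([:-]?)([0-9a-f]{2})(\2[0-9a-f]{2}){4}$")


def cn_from_mac(mac):
    """Normalize a MAC into a certificate CN such as 'tc-aabbccddeeff'.

    Only [a-z0-9-] survive, so the CN is safe to reuse as a ccd file name."""
    m = mac.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "tc-" + re.sub(r"[^0-9a-f]", "", m)


def allocate(macs):
    """Return {cn: ip_address} with one unique tunnel address per client.

    Raises if two MACs collapse to the same CN (two boxes would share an
    identity, which is exactly the situation the thread wants to avoid)
    or if the tunnel network is too small."""
    hosts = list(TUNNEL_NET.hosts())[FIRST_CLIENT_INDEX:]   # hosts() starts at .1
    if len(macs) > len(hosts):
        raise ValueError("tunnel network too small for this many clients")
    assignments = {}
    for mac, ip in zip(macs, hosts):
        cn = cn_from_mac(mac)
        if cn in assignments:
            raise ValueError(f"duplicate client identity {cn}: each TC needs its own cert")
        assignments[cn] = ip
    return assignments


def ccd_entries(assignments):
    """Render the client-config-dir file body for each CN.

    With `topology subnet`, ifconfig-push takes the client address and the
    subnet mask; OpenVPN applies the file whose name matches the cert CN."""
    return {cn: f"ifconfig-push {ip} {TUNNEL_NET.netmask}\n"
            for cn, ip in assignments.items()}


def audit_server_config(config_text):
    """Flag server settings that undermine per-client identity/addressing.

    Returns a list of findings; an empty list means nothing was flagged.
    Only full-line comments (# or ;) are skipped, as in OpenVPN's own parser."""
    directives = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        directives.add(line.split()[0])
    findings = []
    if "duplicate-cn" in directives:
        findings.append("duplicate-cn is set (pfSense 'Duplicate Connection'): several clients "
                        "may connect with the same certificate, so one compromised cert "
                        "cannot be revoked without cutting off every client that shares it")
    if "client-config-dir" not in directives:
        findings.append("no client-config-dir: per-client ifconfig-push overrides are not applied")
    return findings


if __name__ == "__main__":
    # Constructed sample: four thin clients, as in the thread.
    tcs = ["AA:BB:CC:DD:EE:01", "aa-bb-cc-dd-ee-02", "aabbccddee03", "AA:BB:CC:DD:EE:04"]
    for cn, body in ccd_entries(allocate(tcs)).items():
        print(f"ccd/{cn}: {body.strip()}")
    for finding in audit_server_config("server 10.8.0.0 255.255.255.0\nduplicate-cn\n"):
        print("finding:", finding)
```

Each rendered `ccd/<cn>` body is what would go into the Client Specific Override for that certificate; because the CN is a normalized MAC, a log line or an address in the tunnel can be traced back to the physical box without a person's name appearing in the certificate.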
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.