Unique CN, Common Username

  • I'm clearly confused about something here and hopeful there's an easy solution.

    pfSense is linked with Active Directory, and hence returns authentication for user 'janedoe' and her password.

    OpenVPN is set up with a certificate for each user and device. So I'm making a certificate for janedoe-ipad, janedoe-laptop. Hence each certificate is 100% unique per device and should never collide. That said, janedoe is one login/password.

    Meanwhile, I was surprised when I saw disconnects every few minutes with the typical line as follows:

    MULTI: new connection by client 'janedoe' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

    Now I understand I'm not supposed to use duplicate-cn and agree that I don't want duplicates coming in, which is why I made unique certificates in the first place to avoid this. Nevertheless, how do I deal with the same username but different certificate? Can I combine the common name to be both the device and the username? Can I make it keep certificates unique but allow multiple logins from the same user? Can I define what it uses for the common name (i.e., the certificate common name versus the login common name)? Can I avoid it keeping logins unique (and is there any reason why I shouldn't)?

    What am I missing here? I can't be the first person to have multiple devices per user, no?

  • Rebel Alliance Developer Netgate

    OpenVPN, the way it's used here, assumes the username as the common name and not the common name of the certificate. This means that no matter what certificate you use, the connection is treated as though the supplied username is the name of reference for the user. This way things like client-specific overrides apply to the user no matter how they connect. Combining that with the "strict user/cn matching" option makes things more secure as it only allows the connection when both match.

    You could try to remove or comment out this line, but there may be other unintended side effects: https://github.com/pfsense/pfsense/blob/master/src/etc/inc/openvpn.inc#L980
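
As an added example (not part of this thread or of pfSense), the following parser pulls the MULTI collision message quoted above out of an OpenVPN server log and flags users whose sessions keep displacing each other, which is the pattern janedoe's iPad and laptop produce when the username stands in for the certificate CN. The log lines are constructed, and the timestamp format is assumed to be OpenVPN's default ctime-style prefix.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenVPN's default "Tue Jan 14 09:02:10 2020 ..." prefix followed by
# the session-collision message; the quoted client is the username when pfSense
# runs with username-as-common-name, so grouping is per user, not per device.
MULTI_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*?"
    r"MULTI: new connection by client '(?P<client>[^']+)' "
    r"will cause previous active sessions"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log: janedoe's two devices knock each other off every
# few minutes; bob reconnects once, which is a normal roaming reconnect.
_MSG = ("MULTI: new connection by client '{}' will cause previous active "
        "sessions by this client to be dropped. Remember to use the "
        "--duplicate-cn option if you want multiple clients using the same "
        "certificate or username to concurrently connect.")
SAMPLE_LOG = [
    "Tue Jan 14 09:00:00 2020 Initialization Sequence Completed",
    "Tue Jan 14 09:02:10 2020 " + _MSG.format("janedoe"),
    "Tue Jan 14 09:04:55 2020 " + _MSG.format("janedoe"),
    "Tue Jan 14 09:07:30 2020 " + _MSG.format("janedoe"),
    "Tue Jan 14 09:10:05 2020 " + _MSG.format("janedoe"),
    "Tue Jan 14 11:30:00 2020 " + _MSG.format("bob"),
]


def find_flapping_clients(lines, window=timedelta(minutes=10), min_events=3):
    """Return {client: total_collisions} for every client that was displaced
    at least min_events times inside some sliding window of length `window`."""
    events = defaultdict(list)
    for line in lines:
        m = MULTI_RE.search(line)
        if m:
            events[m.group("client")].append(
                datetime.strptime(m.group("ts"), TS_FORMAT))
    flapping = {}
    for client, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until it covers at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_events:
                flapping[client] = len(stamps)
                break
    return flapping


if __name__ == "__main__":
    for user, n in find_flapping_clients(SAMPLE_LOG).items():
        print(f"{user}: {n} session collisions; check for multiple devices")
```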

  • Thank you. Will check it out. Reading more, seems I’m not the only one ( https://forum.netgate.com/topic/120215/pfsense-2-3-4_1-username-as-common-name/5 ). I’m curious why this isn’t an interface option, as it seems it would be really useful. A feature request maybe?

  • Rebel Alliance Developer Netgate

    It could be turned into a GUI option, but thus far nobody has taken the time to do it. We'd also have to locate and warn against the possible negative side effects of doing that.
