Netgate Discussion Forum

    Client Specific Override users duplicate cert

    OpenVPN
    5 Posts 2 Posters 638 Views
    jeff3820

      I've added "duplicate-cn" to my OpenVPN server configuration and it works perfectly for users that don't have a client specific override. I have a few users which are configured with client specific overrides to restrict access, and in their case, if they use the same .ovpn file configuration with multiple devices, they receive the same tunnel address and the OpenVPN response is horrible... basically one device at a time. Is there any way to use a client specific override so I can share a single cert and have OpenVPN assign a different tunnel address? Each user with a client specific override has a /30 address specified, so there are 4 addresses available but only one is being used.

      Suggestions? I have configured multiple user names for now but it would be easier to share the cert.

      Derelict (LAYER 8, Netgate)

        If they are all using the same cert, they all have the same common name. How is it supposed to tell them apart?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        jeff3820 @Derelict

          @Derelict I understand... I was hoping the duplicate-cn setting would work with the CSO users as well and, since they are configured with a /30 address, it could "increment" the IP address as with non-CSO users using the same common name.

          Essentially, I have to configure CSO users and think of them having static IPs unless there is another way

          Derelict (LAYER 8, Netgate)

            Again, how is it supposed to tell the difference between the users when the CN is the same?

            Why not just issue the users their own certificates?

            It's more secure that way.

            It can turn out to be less inconvenient, as if the key gets compromised you have to re-deploy everyone's certificate instead of just revoking that one.

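The per-device approach Derelict recommends, as an added example that is not code from this thread or from pfSense: a POSIX shell script that uses the OpenSSL CLI to build a small CA, issue one certificate per device so every connection carries its own CN, write one client-config-dir (CCD) file per CN, and revoke a single device without touching the others. The CA name, the device CNs alice-iphone and alice-ipad, the 10.8.0.0/24 tunnel addresses and the directory layout under $PKI are assumptions for the illustration; pfSense does the same thing through the Certificate Manager and the Client Specific Overrides page. The CCD lines use the net30 form the thread's /30 per client implies: in that topology the four addresses of a client's /30 are network, server endpoint, client and broadcast, so there is no second client slot in it, which is why the same CN on two devices cannot get a second address from that override.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense code): one certificate per device,
# one client-config-dir (CCD) file per CN, and single-device revocation with OpenSSL.
# Assumptions: the openssl CLI is installed; CA name, device CNs, the 10.8.0.0/24
# tunnel network and the $PKI directory layout are illustrative only.
set -eu

PKI="${PKI:-$(mktemp -d)}"

# Minimal 'openssl ca' configuration; the index/serial database lives under $PKI.
write_ca_config() {
  cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir              = $PKI
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
[ cn_only ]
commonName = supplied
EOF
}

# Create the CA, an empty issuance database and an (initially empty) CRL.
init_ca() {
  mkdir -p "$PKI/newcerts" "$PKI/ccd"
  : > "$PKI/index.txt"
  echo 01 > "$PKI/serial"
  write_ca_config
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example VPN CA" -keyout "$PKI/ca.key" -out "$PKI/ca.crt" >/dev/null 2>&1
  openssl ca -batch -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl.pem" >/dev/null 2>&1
}

# Issue a certificate whose CN names the device (e.g. alice-iphone). The CN is what
# OpenVPN uses to pick the CCD file, so two devices must not share one.
issue_device_cert() {
  cn="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$PKI/$cn.key" -out "$PKI/$cn.csr" >/dev/null 2>&1
  openssl ca -batch -config "$PKI/ca.cnf" -notext \
    -in "$PKI/$cn.csr" -out "$PKI/$cn.crt" >/dev/null 2>&1
}

# CCD file for one CN: $1 = CN, $2 = client tunnel IP, $3 = server endpoint of the
# client's /30 (net30 topology: network, server endpoint, client, broadcast).
write_ccd() {
  printf 'ifconfig-push %s %s\n' "$2" "$3" > "$PKI/ccd/$1"
}

# Revoke one device: its cert goes on the CRL and its CCD file is removed; every
# other device keeps its own certificate and override.
revoke_device() {
  openssl ca -batch -config "$PKI/ca.cnf" -revoke "$PKI/$1.crt" >/dev/null 2>&1
  openssl ca -batch -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl.pem" >/dev/null 2>&1
  rm -f "$PKI/ccd/$1"
}

# The CN as the server sees it in the certificate subject.
cert_cn() {
  openssl x509 -in "$PKI/$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Exit 0 only if the device cert chains to the CA and is not on the CRL, which is
# the check an OpenVPN server configured with 'crl-verify' makes on connect.
cert_is_valid() {
  openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/crl.pem" \
    "$PKI/$1.crt" >/dev/null 2>&1
}

demo() {
  init_ca
  issue_device_cert alice-iphone
  issue_device_cert alice-ipad
  write_ccd alice-iphone 10.8.0.6  10.8.0.5    # client's /30 is 10.8.0.4/30
  write_ccd alice-ipad   10.8.0.10 10.8.0.9    # client's /30 is 10.8.0.8/30
  revoke_device alice-ipad                     # lost iPad: only this cert dies
}

demo
```

On the server side this pairs with `client-config-dir ccd` and `crl-verify crl.pem`, and `duplicate-cn` is no longer needed because every device presents a distinct CN. If the server runs the subnet topology instead of net30, the CCD line takes a netmask as its second argument (for example `ifconfig-push 10.8.0.10 255.255.255.0`) rather than a peer endpoint.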
            jeff3820

              That's exactly what I have done. I was looking for an easier way to administer for CSO users with multiple devices (iPhone and iPad). When sharing the cert didn't work, I assigned a new username/cert for each device. It's workable but cumbersome when users have a PC, iPhone, iPad, and possibly an Android device.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.