Client Specific Override users duplicate cert

  • I've added "duplicate-cn" to my openvpn server configuration and it works perfectly for users that don't have a client specific override. I have a few users which are configured with client specific overrides to restrict access and in their case if they use the same .ovpn file configuration with multiple devices they receive the same tunnel address and the openvpn response is horrible...basically one device at a time. Is there any way to use a client specific override so I can share a single cert and have openvpn assign a different tunnel address? Each user with a client specific override has a /30 address specified so there are 4 addresses available but only one is being used.

    Suggestions? I have configured multiple user names for now but it would be easier to share the cert.

  • LAYER 8 Netgate

    If they are all using the same cert, they all have the same common name. How is it supposed to tell them apart?

  • @Derelict I understand...I was hoping the duplicate-cn setting would work with the CSO users as well and since they are configured with a /30 address it could "increment" the IP address as with non-CSO users using the same common name.

    Essentially, I have to configure CSO users and think of them having static IPs unless there is another way

  • LAYER 8 Netgate

    Again, how is it supposed to tell the difference between the users when the CN is the same?

    Why not just issue the users their own certificates?

    It's more secure that way.

    It can turn out being less inconvenient as if the key gets compromised you have to re-deploy everyone's certificate instead of just revoking that one.

  • That's exactly what I have done. I was looking for an easier way to administer for CSO users with multiple devices (iPhone and iPad). When sharing the cert didn't work, I assigned a new username/cert for each device. It's workable but cumbersome when users have a PC, iPhone, iPad, and possibly an Android device.

Log in to reply