Netgate Discussion Forum

    User authentication

    OpenVPN
    13 Posts 3 Posters 1.2k Views
    • Bob.Dig

      Maybe create a different CA for every Server/User.

      • johnpoz (Global Moderator)

        ^ Exactly, you have to make sure you're not sharing auth and/or server settings (certs and CA), or yeah, clients would be able to connect to anything that uses shared authing.

        You should be able to prevent users from connecting to different instances just by using different TLS keys, even with the same CA, for example. So I'm curious how you have these different instances set up.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • Bob.Dig @johnpoz

          @johnpoz said in User authentication:

          by using different TLS keys even if the same CA for example..

          But the TLS key is server-specific, not user-specific?

          • johnpoz

            The TLS key is instance-specific... How would he be creating 7 servers if he didn't create 7 different instances?

            For example, I have 2: one that runs on TCP 443 and another that runs on UDP 1194... They have different TLS keys, even if the same user can connect to both.

            [image: vpnservers.jpg]

            The user has 2 different config files to connect to either instance... If the client only has the TCP info, then he could only connect to the TCP instance, because even if he changed the port and protocol, etc., his TLS key would be wrong for that instance... He would need to have that other TLS key.

            This is why I am confused at how he has this setup.


            • Bob.Dig @johnpoz

              @johnpoz Right. I created two servers, but deliberately (as far as I can say with my little knowledge) with the same TLS key, so that I could use the same client config file for both.

              • bruno.trombim

                Thanks Guys,

                Reading all the answers, I could figure out that the mistake was to create one CA_root and link all my other certificates to it, even Server/User, so it means any user could access any certificate chain!!!! I will fix it by creating one CA for each Server/User.

                Thanks for helping.

                • johnpoz @Bob.Dig

                  @Bob-Dig said in User authentication:

                  TLS Key, so that I could use the same Client-config file for both.

                  Unless you did a manual input of the TLS key, it would be self-generated and different when you create the new instance!

                  If you wanted, say, your client to auto-check both and connect to the first one that works, then sure, you would need to do that.


                  • Bob.Dig @johnpoz

                    @johnpoz said in User authentication:

                    Unless you did a manual input of the TLS key - it would be self generated and different! when you create the new instance.

                    Yeah, I copied it over from the first instance.

                    • johnpoz

                      Yeah, see, mine are different:

                      [image: 2020-03-25_131553.jpg]

                      I don't want auto-search for connection, etc. But the user would have to have done that on PURPOSE!!! So why would there be a question as to how it's happening?

                      If you only want your users connecting to instance X... Why would you even give them the info in their config for the other instances, and then use the same TLS key... You can use the same CA for each instance... Not going to matter, because the TLS keys wouldn't match for their config.

                      So users can have certs signed by the same CA; they could even all use the same backend to auth.. But locking them to a specific instance of your VPN server should be prevented by the config you give them and the TLS key... Give them a config with only the X TLS key and only the port and IP of the instance(s) you want them to be able to connect to. If they on purpose change to different info, say they got it from their coworker, that coworker would also have to give them the TLS key.. In such a case there is really nothing you can do if users are going to share their info.


                        • Bob.Dig @johnpoz
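The point johnpoz makes above (and in his TCP 443 / UDP 1194 post earlier) is that the tls-crypt/tls-auth key, not the CA, is what locks a client profile to one instance: a user can edit the remote line all they like, but without the other instance's static key no packet gets past the control-channel HMAC check. The script below is an added example written for this thread, not pfSense code or anything a poster wrote. It parses server-side and client-side OpenVPN configs, fingerprints the inline static key, and reports per instance whether the profile lists it and whether the user could reach it anyway by editing the config. The two instances, the hostname `vpn.example.net`, the `scenario()` helper and all keys are constructed for the demonstration; the keys are derived from a seed purely so the run is reproducible and are not real keys.

```python
"""Audit which OpenVPN instances a client profile can reach, and how.
Added example for this thread, not pfSense code or anything a poster wrote.
Assumes inline <tls-crypt>/<tls-auth> blocks in OpenVPN's 'Static key V1' text
layout and standard remote/port/proto/verify-client-cert directives; all keys
and hostnames are constructed."""
import hashlib
import re
from collections import namedtuple

STATIC_KEY_RE = re.compile(r"<(tls-crypt|tls-auth)>(.*?)</\1>", re.S)
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s+(\d+)(?:\s+(tcp|udp)\S*)?", re.M)
PORT_RE = re.compile(r"^\s*port\s+(\d+)", re.M)
PROTO_RE = re.compile(r"^\s*proto\s+(tcp|udp)", re.M)
HEX_LINE_RE = re.compile(r"^[0-9a-fA-F]{32}$")
Instance = namedtuple("Instance", "name port proto tls_mode key_fp requires_client_cert")
ClientProfile = namedtuple("ClientProfile", "remotes tls_mode key_fp has_cert")


def make_static_key(seed: str) -> str:
    """Constructed 2048-bit key in 'Static key V1' layout, derived from a seed
    so the example is reproducible. Real keys come from 'openvpn --genkey'
    (pfSense generates one per instance unless you paste one in)."""
    raw, block = b"", seed.encode()
    while len(raw) < 256:
        block = hashlib.sha256(block).digest()
        raw += block
    lines = [raw[i:i + 16].hex() for i in range(0, 256, 16)]
    return ("-----BEGIN OpenVPN Static key V1-----\n" + "\n".join(lines)
            + "\n-----END OpenVPN Static key V1-----")


def static_key_fingerprint(conf: str):
    """(mode, short SHA-256 of the raw key bytes), or (None, None) if absent."""
    m = STATIC_KEY_RE.search(conf)
    if not m:
        return None, None
    hex_lines = [ln.strip() for ln in m.group(2).splitlines()
                 if HEX_LINE_RE.match(ln.strip())]
    return m.group(1), hashlib.sha256(bytes.fromhex("".join(hex_lines))).hexdigest()[:16]


def parse_server(name: str, conf: str) -> Instance:
    mode, fp = static_key_fingerprint(conf)
    # 'verify-client-cert none' is user-auth-only; anything else still needs a client cert.
    needs_cert = not re.search(r"^\s*verify-client-cert\s+none", conf, re.M)
    return Instance(name, int(PORT_RE.search(conf).group(1)), PROTO_RE.search(conf).group(1), mode, fp, needs_cert)


def parse_client(conf: str) -> ClientProfile:
    mode, fp = static_key_fingerprint(conf)
    remotes = [(h, int(p), pr or "udp") for h, p, pr in REMOTE_RE.findall(conf)]
    return ClientProfile(remotes, mode, fp, "<cert>" in conf)


def audit(client: ClientProfile, instances) -> dict:
    """Per instance: is it listed in the profile, and could the user get in
    anyway by editing remote/port/proto? tls-crypt/tls-auth drops every packet
    whose HMAC fails before TLS or user/pass is attempted, so a key mismatch
    locks the client out whatever it puts on the remote line."""
    report = {}
    for inst in instances:
        key_ok = (client.tls_mode, client.key_fp) == (inst.tls_mode, inst.key_fp)
        creds_ok = client.has_cert or not inst.requires_client_cert
        report[inst.name] = {
            "listed_in_profile": any(p == inst.port and pr == inst.proto
                                     for _, p, pr in client.remotes),
            "tls_key_matches": key_ok,
            "reachable_if_user_edits_remote": key_ok and creds_ok,
        }
    return report


SERVER_TEMPLATE = "dev tun\nport {port}\nproto {proto}\n{verify}\n<tls-crypt>\n{key}\n</tls-crypt>\n"
CLIENT_TEMPLATE = ("client\ndev tun\nremote vpn.example.net 443 tcp\nauth-user-pass\n"
                   "<tls-crypt>\n{key}\n</tls-crypt>\n")


def scenario(shared_key: bool, user_auth_only: bool = True) -> dict:
    """Two instances like johnpoz's (UDP 1194 and TCP 443); the client profile
    lists only TCP 443. shared_key=True copies one key to both instances
    (Bob.Dig's setup); False gives each instance its own key."""
    key_tcp = make_static_key("instance-tcp443")
    key_udp = key_tcp if shared_key else make_static_key("instance-udp1194")
    verify = "verify-client-cert none" if user_auth_only else "verify-client-cert require"
    instances = [
        parse_server("udp1194", SERVER_TEMPLATE.format(port=1194, proto="udp", verify=verify, key=key_udp)),
        parse_server("tcp443", SERVER_TEMPLATE.format(port=443, proto="tcp", verify=verify, key=key_tcp)),
    ]
    return audit(parse_client(CLIENT_TEMPLATE.format(key=key_tcp)), instances)


if __name__ == "__main__":
    for shared in (True, False):
        print("shared key:" if shared else "per-instance keys:", scenario(shared))
```

With the key copied between instances, the profile that only lists TCP 443 still reports UDP 1194 as reachable if the user edits the remote line; with per-instance keys, UDP 1194 comes back as not reachable even though the CA is the same. With `user_auth_only=False` (the server requires a client certificate) a user/pass-only profile is refused everywhere, which is the other half of the thread: user auth alone does not pin a user to an instance, the static key and the credentials you hand out do. To audit a real deployment, feed `parse_server` the per-instance configs pfSense writes under /var/etc/openvpn and `parse_client` the exported profiles. The fingerprint compares key bytes only, so for tls-auth it does not check the key-direction setting.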

                         @johnpoz There are so many options...

                         [image: Clipboard01.jpg]

                          • johnpoz

                           Well, if they're only using user auth, then yeah, they have a problem.. ;)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.