Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Duplicate common name

    Scheduled Pinned Locked Moved OpenVPN
    4 Posts 1 Posters 2.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cdenley
      last edited by

      Why are my users allowed to use duplicate common names? It causes the OpenVPN server to alternate between the two connections according to the log, but both clients seem to work fine. How do I enforce a certificate only being used from one client at a time? I thought this was the default, since I didn't add the duplicate-cn option anywhere.

      1 Reply Last reply Reply Quote 0
      • C
        cdenley
        last edited by

        The OpenVPN server doesn't seem to be launched with that option set, so I don't know why I'm able to connect with duplicate common names. This is possible with UDP, right?

        
# ps -x | grep "[o]penvpn"
  487  ??  Ss     0:22.78 openvpn --config /var/etc/openvpn_server0.conf
# cat /var/etc/openvpn_server0.conf
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
server 10.3.0.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 10.4.0.0 255.255.254.0"
lport 1194
push "dhcp-option WINS 10.4.0.2"
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
local 192.168.0.1
        1 Reply Last reply Reply Quote 0
        • C
          cdenley
          last edited by

          The server seems to be doing an "inactivity timeout", restarting the client's connection every minute, alternating between the two duplicates.

          
Wed Jan 20 16:15:42 2010 Initialization Sequence Completed
Wed Jan 20 16:17:33 2010 [server] Inactivity timeout (--ping-restart), restarting
Wed Jan 20 16:17:33 2010 TCP/UDP: Closing socket
Wed Jan 20 16:17:33 2010 SIGUSR1[soft,ping-restart] received, process restarting
Wed Jan 20 16:17:33 2010 Restart pause, 2 second(s)

          I will get this on client A one minute, then client B the next, then again on client A. If client A is connected, I would expect client B to simply fail to connect? Does it not work this way?

          1 Reply Last reply Reply Quote 0
          • C
            cdenley
            last edited by

            I figured it out. It was the "keepalive 10 60" option which is put in the server configuration automatically by pfsense. This should really be optional! That option in server mode is equivalent to:

            
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"

            This tells the client to restart the connection if it goes 60 seconds without a ping from the server. If client A connects, then client B connects with the same common name, client A loses their connection. However, client A doesn't realize it lost its connection until it never receives a ping from the server, which then results in client A restarting. Then the same happens to client B, then back and forth. Why would this be the default? I had to edit openvpn.inc to remove the "keepalive" option, then push "ping-exit" to the client instead of "ping-restart".

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.