Netgate Discussion Forum
    Single Client Package, Multiple Users

    OpenVPN
    8 Posts 4 Posters 2.7k Views
    • ieatfish

      We have almost 100 clients who need to connect at one point or another (and at least 10 simultaneously) through our VPN. Currently we use an IPCop firewall with roadwarrior connections. We have a separate client package for each computer. It seems that to use a similar setup in pfSense we will need to create users for every single one of them and then re-export the client package.

      In order to simplify this in the future, what settings do we need to have a single certificate that can be put on multiple clients? Rather than having a single package for every client, could we have one for each type of client (e.g. employees need complete VPN access, customers only need limited access, etc.)?

      I'm not quite sure of the best way to go about this, so some help would be great. In the end we'll want our web server accessible by the VPN network and our local network, but not allow access to the local network by the VPN network.

      • ieatfish

        For what we are wanting, I followed these instructions and it worked great: http://forum.pfsense.org/index.php/topic,38692.msg200040.html#msg200040

        Don't forget to allow multiple connections from the same certificate in the Server settings.

        • ieatfish

          When I do it this way, are individual IPs given to each client even though they are using the same certificate? Or are they all getting one internal IP (192.168.3.6 for example) and having to share it?

          • Cry Havok

            Of course, now if one person loses their laptop or any certificate is otherwise lost, you have to replace every single client… Probably not ideal ;)

            However, each client will get a different IP.

            • limecat

              Why not simply set up OpenVPN in "user auth" mode with a static key? Isn't that what you're basically doing anyways?

              When I do that, I get a single export installer that works for multiple users.

              • ieatfish

                @limecat:

                Why not simply set up OpenVPN in "user auth" mode with a static key? Isn't that what you're basically doing anyways?

                When I do that, I get a single export installer that works for multiple users.

                Hmm, that might be a better way to do it. What advantages/disadvantages are there between the two methods? These are remote systems with no active user so we can't type in a password each reboot.

                • jimp (Rebel Alliance Developer, Netgate)

                  SSL/TLS with no auth is best for that kind of setup. That way you can still revoke the certificate if something gets compromised.

                  You should still have one certificate per user/site.

                  • ieatfish

                    Currently we have a bunch of 'satellite' systems that all serve the same purpose and don't have active users. It was looking to be a bit tedious (as we are constantly sending out new systems and such) to have to create a separate user in pfSense for our fluid usage of the network. However, as you have mentioned, if the certificate is compromised then anyone could have access to the network (which only allows access to one IP but that is beside the point) and we'd have to replace the certificate on all the systems.

                    Is there an easier way to create a user/certificate combination without having to go through so many steps every time? On IPCop, for example, you type in the hostname and one or two other things and it creates the user and certificate and everything.

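The model jimp recommends above (SSL/TLS, one certificate per satellite site, so a lost or compromised site can be revoked on its own) and the last post's wish for a less manual way to mint each site's certificate, as an added Go example that is not pfSense's, OpenVPN's or the poster's own code: a toy in-memory CA issues one certificate per hostname, revokes one, signs a CRL (the file an OpenVPN server loads with crl-verify), and the server-side accept check then rejects only the revoked site. The CA name, the site hostnames and the random-serial scheme are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ca is a toy in-memory CA standing in for the pfSense CA (constructed for this example, not pfSense or OpenVPN code).
type ca struct {
	cert    *x509.Certificate
	key     ed25519.PrivateKey
	revoked []pkix.RevokedCertificate // serials revoked so far
}
func must[T any](v T, err error) T { // any failure inside the toy CA is fatal
	if err != nil {
		panic(err)
	}
	return v
}
func newCA() *ca {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-vpn-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return &ca{cert: must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, key.Public(), key)))), key: key}
}
// issue signs one client certificate per site (CN = hostname, random serial) so a lost site can be revoked on its own.
func (c *ca) issue(site string) *x509.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: site},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, c.cert, key.Public(), c.key))))
}
// revoke records the serial and returns a freshly signed CRL, the file OpenVPN loads with crl-verify.
func (c *ca) revoke(cert *x509.Certificate) *x509.RevocationList {
	c.revoked = append(c.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
	t := &x509.RevocationList{Number: big.NewInt(int64(len(c.revoked))), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: c.revoked}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, c.cert, c.key))))
}
// accept mirrors the server's decision: issued by our CA, CRL genuinely ours, and serial not listed on it.
func (c *ca) accept(crl *x509.RevocationList, cert *x509.Certificate) bool {
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return false
		}
	}
	return cert.CheckSignatureFrom(c.cert) == nil && crl.CheckSignatureFrom(c.cert) == nil
}
```

With the shared-certificate approach from earlier in the thread there is no such per-site entry to revoke: the only serial the CRL could list is the one every site uses, which is exactly the "replace every single client" problem Cry Havok describes.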
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.