Incorrect instructions on OpenVPN: Client Specific Override page
-
2.2-ALPHA (amd64)
built on Tue Sep 09 10:49:11 CDT 2014

pfSense enables a setting called "username-as-common-name" in the OpenVPN server config file by default. That setting means that, instead of identifying incoming clients by their certificate's common name, the clients are identified by their pfSense username. The problem is that the text on the "OpenVPN: Client Specific Override" page clearly says that we should be typing the X.509 common name, which is incorrect.
If we added a checkbox to the OpenVPN server page to control that option, we should warn the user that they need to go back through all the existing Client Overrides and make sure they are using the correct value in that affected field.
Reference thread: https://forum.pfsense.org/index.php?topic=84505.0
-
That's correct for every recommended circumstance. The username and CN should be the same. Most of the scenarios where that's used don't use user auth (most commonly for site to site VPNs iroutes), and the ones that do should have username==CN. JimP explained in the thread you linked.
-
I'm not trying to be annoying, but if you really like having that option enabled by default, it still seems safest to change the text to say "username" instead of "X.509 common name". I like things to be easy for noobs, since I am one. :)
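
The review of existing Client Overrides that the report asks for can be scripted. The following is an added example, not part of the thread and not pfSense code: the function names, the user-to-CN mapping and the sample data are all constructed for illustration. The only real OpenVPN directive it relies on is `username-as-common-name`.

```python
def uses_username_as_cn(server_conf: str) -> bool:
    """True if username-as-common-name is active (not commented out)."""
    for line in server_conf.splitlines():
        # OpenVPN treats '#' and ';' as comment markers.
        active = line.split("#", 1)[0].split(";", 1)[0].split()
        if active[:1] == ["username-as-common-name"]:
            return True
    return False


def audit_overrides(server_conf: str, overrides: list, users: dict) -> dict:
    """Classify each override name.

    users maps username -> certificate CN (hypothetical export format).
    'ok'               : matches the identifier the server will actually use
    'wrong-identifier' : matches the other identifier, so it never applies
    'unknown'          : matches neither (e.g. a site-to-site cert with no user)
    """
    usernames, cns = set(users), set(users.values())
    if uses_username_as_cn(server_conf):
        effective, other = usernames, cns
    else:
        effective, other = cns, usernames
    report = {}
    for name in overrides:
        if name in effective:
            report[name] = "ok"
        elif name in other:
            report[name] = "wrong-identifier"
        else:
            report[name] = "unknown"
    return report


# Constructed sample data: alice's username differs from her cert CN.
SAMPLE_CONF = "dev tun\nclient-config-dir /tmp/example-ccd\nusername-as-common-name\n"
SAMPLE_USERS = {"alice": "alice-laptop", "bob": "bob"}
SAMPLE_OVERRIDES = ["alice-laptop", "bob", "siteB"]

if __name__ == "__main__":
    for name, status in audit_overrides(
        SAMPLE_CONF, SAMPLE_OVERRIDES, SAMPLE_USERS
    ).items():
        print(f"{name}: {status}")
```

An override flagged `wrong-identifier` is one whose settings are silently not applied to the client it was written for, which is the case the report warns about.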