Auth and User Certificates
-
User certificate doesn't seem to prevent other users from establishing a VPN connection.
pfSense user account A and user account B each have their own unique "User Certificate" (Created from the same CA).
Windows VPN clients can establish a VPN connection using either user account credentials even though they only have their own VPN certificate.
Thought the clients VPN certificate should be specific to each user account certificate.
What am I missing?
-
When establishing a connection, the OVPN server just checks whether the user certificate is signed from the CA that is selected in "Peer Certificate Authority" and whether the combination of user name and password are found in the database which is selected in "Backend for authentication", but not whether the certificate is assigned to the user name itself.
Though it make sense using unique certificate for each user. E.g. in case a user lost his notebook with his certificate stored on it, you only need to revoke this one and create a new one for this user.
-
There is an option in the OpenVPN server configuration to perform strict USER/CN matching which enforces the relationship. With that enabled, the CN of the cert must match the username given or the connection is rejected.
-
you need to select this option on the VPN server " when authenticating users, enforce a match between the common name of the client certificate and the username given at login."
the user A will only be able to log with his certificate
