    Auth and User Certificates

    OpenVPN
    4 Posts 4 Posters 1.8k Views
    NOYB:

      User certificate doesn't seem to prevent other users from establishing a VPN connection.

      pfSense user account A and user account B each have their own unique "User Certificate" (Created from the same CA).

      Windows VPN clients can establish a VPN connection using either user account credentials even though they only have their own VPN certificate.

      Thought the client's VPN certificate should be specific to each user account certificate.
      What am I missing?

    viragomann:

        When establishing a connection, the OVPN server just checks whether the user certificate is signed by the CA that is selected in "Peer Certificate Authority" and whether the combination of user name and password is found in the database that is selected in "Backend for authentication", but not whether the certificate is assigned to the user name itself.

        Though it makes sense to use a unique certificate for each user. E.g. in case a user loses his notebook with his certificate stored on it, you only need to revoke this one and create a new one for this user.

    jimp (Rebel Alliance Developer, Netgate):

          There is an option in the OpenVPN server configuration to perform strict USER/CN matching which enforces the relationship. With that enabled, the CN of the cert must match the username given or the connection is rejected.

    Jamerson:

            You need to select this option on the VPN server: "When authenticating users, enforce a match between the common name of the client certificate and the username given at login."

            User A will only be able to log in with his certificate.

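To make the two checks discussed in this thread concrete (viragomann's description of what the server verifies by default, and the strict User/CN match jimp and Jamerson point to), here is an added example that is not code from the thread, from pfSense or from OpenVPN itself: a hypothetical `auth-user-pass-verify` hook written for a plain OpenVPN server. OpenVPN has already verified the client certificate against the trusted CA by the time this script runs; with `via-env` it exports the login as the environment variables `username` and `password` and the certificate's common name as `common_name`. The user store, passwords, salt and script path are all constructed for the demonstration.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify hook that also enforces a strict username/CN match.

Hypothetical server-side directives this script assumes (not from the thread):
    script-security 2
    auth-user-pass-verify /usr/local/bin/ovpn_auth.py via-env
Exit status 0 accepts the connection; any other status rejects it.
"""
import hashlib
import hmac
import os
import sys


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of a password; stands in for whatever the backend stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo user store: username -> (salt, password digest).
# A real deployment would query the configured auth backend (local DB, LDAP, RADIUS).
_SALT = b"demo-salt-not-for-production"
USERS = {
    "alice": (_SALT, _hash("alice-demo-pw", _SALT)),
    "bob": (_SALT, _hash("bob-demo-pw", _SALT)),
}


def password_ok(username: str, password: str) -> bool:
    """Backend check: is this username/password combination in the store?"""
    entry = USERS.get(username)
    if entry is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash(password, _SALT)
        return False
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


def cn_matches_user(username: str, common_name: str) -> bool:
    """Strict User/CN matching: the certificate CN must equal the login name exactly
    (case-sensitive byte comparison; an assumption of this example)."""
    return hmac.compare_digest(username.encode(), common_name.encode())


def verify(env: dict, strict_cn: bool) -> bool:
    """Decide whether a client may connect.

    strict_cn=False reproduces the behaviour NOYB observed: any valid credentials
    plus any certificate issued by the trusted CA are accepted, so user A can log in
    while presenting user B's certificate.
    strict_cn=True additionally ties the certificate to the account.
    """
    username = env.get("username", "")
    password = env.get("password", "")
    common_name = env.get("common_name", "")
    if not password_ok(username, password):
        return False
    if strict_cn and not cn_matches_user(username, common_name):
        return False
    return True


if __name__ == "__main__":
    # OpenVPN invokes the script with the client's details in the environment.
    sys.exit(0 if verify(os.environ, strict_cn=True) else 1)
```

Note that the script only adds the account-to-certificate binding; revocation of a lost certificate (the point viragomann makes about per-user certificates) still depends on the server's CRL, and a CN that does not match any login name is rejected outright once the strict check is on.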
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.