how to get more than one openvpn connection at a time with certs and user/pass


lgkahn

Occasional Visitor
I seem to only be able to get one OpenVPN connection at a time, no matter which cert/key pair is used in the connection profile.

In other routers each key would connect as a different user/IP.

So I then tried turning on username/password on top of the cert, and I can create users and get it to connect, but again whatever the last user/client connects overrides the others, and I get only 1 connection at a time.

I DON'T want to enable user/password only, as it is not secure to leave an OpenVPN server configured that way.

Any ideas?

Thanks
 
Found the solution thanks to this forum.

Add duplicate-cn under advanced custom options on the server... thanks
 
That's one way but maybe not the best way. Not much point in generating multiple certs if they aren't unique, and I'm guessing you are generating certs with the same CN. So you can have more than one connection but no way to differentiate them.

If you are managing a bunch of users in a work environment, and may fire them or see them quit, then generate unique certs. When they leave, you can delete the cert and leave others intact, with no loss of security. In the meantime, you can differentiate each user and set up their access individually.

If you are managing your home environment and access your server through different devices, you can use the same cert and add user-as-common-name, use user/password on top of the cert, and differentiate them based on user name. In the work environment that isn't as good a solution, since when you fire/they leave the cert is out there and your protection is just the user/password. For most home users I think this is easier.
 
With duplicate-cn you can't push routes to the clients, and so you can't have a site-to-multisite tunnel.
Example: you have LAN A with the server, LAN B with a client and LAN C with a client; with duplicate-cn you can't make LAN B see LAN C, nor can LAN C and LAN B see LAN A.
Easy solution: username/password and a tls-crypt key to enforce the connection.
Long and tedious solution (with an Asus router): make the certs.
 
Yea. That is what the "advanced client allow to see each other" option does. But you have to use the temp VPN IPs to see each other, i.e. 10.9.0.2 and 10.9.0.3 can see each other. You still want to see the config? Server or client?
 
10.9.0.0/24 Is the tunnel I suppose.
What are the subnets in server and clients?
 
This is, I think, what most people do with Server A router and Client B router and Client C router:

1. Make sure Server A has a public IP. Set client use to "Both" (I haven't tried it with "LAN" or "Internet", so I'm not sure). Generate a Server A configuration: one cert/key pair. The CN for that is going to be "client".
2. Create a user/password for Client B and another for Client C. Be sure the two LANs are different.
3. Put username-as-common-name in the configuration box.
4. Set "manage client specific options" on, and "allow client to client".
5. In the "allowed client" table, add the user for Client B and its LAN subnet, and the user for Client C and its subnet. "Push" is off.
6. Make sure individual devices on Client B's LAN and Client C's LAN are allowing A and C addresses, and A and B addresses, respectively, through their firewalls.


1 allows devices on Client B router and Client C router's respective LAN to see devices on Server A's LAN. It also changes the default gateway to the server. 2 and 3 allow the server to differentiate between Client B and CLient C router. 4 and 5 means that when Client B connects, devices on Server A's net can see devices on Client B, because there is now a route to Client B's LAN. Same for Client C. But also devices on Client B's LAN have a route to Client C's LAN and vice versa. Because the clients are disambiguated, you are giving Client B a route to its own laN. 6 is a silent killer often overlooked.
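The server-side equivalent of steps 3 to 5 above, written as plain OpenVPN configuration. This is an added example, not the router's generated config; the subnets, file paths and user names are assumed. It also shows why the earlier duplicate-cn workaround cannot do per-client routing: the client-config-dir lookup is keyed on the common name, so two connections sharing one CN get the same per-client file.

```conf
# Constructed example. Assumed addressing:
#   tunnel        10.9.0.0/24
#   Server A LAN  192.168.1.0/24
#   Client B LAN  192.168.2.0/24   (logs in as user "clientB")
#   Client C LAN  192.168.3.0/24   (logs in as user "clientC")

# ---- /etc/openvpn/server.conf (excerpt; cert/ca/dh lines omitted) ----
server 10.9.0.0 255.255.255.0
tls-crypt /etc/openvpn/ta.key        # the "tls-crypt key" mentioned in the thread
# step 2: user/password on top of the cert; all clients share the one cert ("client" CN)
auth-user-pass-verify /etc/openvpn/checkpass.sh via-file
script-security 2
# step 3: identify each connection by the login name, not by the shared cert CN
username-as-common-name
# step 4: "manage client specific options" -> per-user files named after the user
client-config-dir /etc/openvpn/ccd
# step 4: "allow client to client" -> OpenVPN forwards B<->C traffic internally
client-to-client
# kernel routes so packets for the remote LANs enter the tunnel interface
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
# deliberately NO "duplicate-cn": with one CN for everyone, both connections would
# map to the same ccd file and the per-client iroute below could not be assigned

# ---- /etc/openvpn/ccd/clientB ----  (step 5: user clientB + its LAN subnet)
iroute 192.168.2.0 255.255.255.0
# Only needed if Client B does NOT send all traffic via the tunnel (step 1 "Both"):
# push "route 192.168.3.0 255.255.255.0"

# ---- /etc/openvpn/ccd/clientC ----  (step 5: user clientC + its LAN subnet)
iroute 192.168.3.0 255.255.255.0
# push "route 192.168.2.0 255.255.255.0"
```

Step 6 is outside OpenVPN: the per-device firewalls on each LAN still have to accept traffic from the other two subnets, or the routes above will look broken even though they are correct.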
 
can't make LAN B see LAN C, nor can LAN C and LAN B see LAN A.
Client C and Client B can see server A LAN if set to "LAN" or "Both": That gives them a route to the server LAN.
IPs to see each other, i.e. 10.9.0.2 and 10.9.0.3 can see each other

Those are the tunnel endpoints on the server. The problem is reaching the LAN subnets on the other side of the tunnel and knowing which tunnel to use for them.
 