
Max Length Common Name (CN) for OpenVPN Allowed Clients


maestr0

Occasional Visitor
Hi,

Currently I'm working on limiting the allowed IP-addresses for logged on OpenVPN clients. I'm doing this via the OpenVPN Server configuration by activating the client-specific options and then configuring the Subnet/Mask for the relevant client. The common name in the used certificates has a length of 40 characters, but in the GUI only a maximum of 25 characters can be given as input. Have found the following remark on a search: RFC3280 says the maximum length of the common name should be 64. Technically from a CN point of view there should therefore not be an issue with my length of 40 characters. Is it therefore just the input field which prevents using this CN of 40 characters (and can it be extended in that case)? Is there an option to change the config via SSH, so the long CN can be included in the config that way?



This is on an RT-AC88U with the most recent 386.2_4 firmware.

Thanks a lot in advance for any assistance!
 
Just to be clear, the subnet/mask fields of the Allowed Clients section do NOT limit the allowed IPs for logged on OpenVPN clients. It's merely informational. It tells the OpenVPN server which network(s) lie behind that specific OpenVPN client, and therefore how to route to those networks when referenced by clients on the server side (i.e., site-to-site).

With that understood ....

Not sure why it's limited to 25 chars. Out of curiosity, I checked out one of my FreshTomato routers, and it's limited to 15 chars! I believe these are just arbitrary limits placed on the GUI.

Regardless, you can always manage client-specific options manually. The GUI is just a convenience. In fact, beyond the input limit of the CN, the GUI limits you to implicitly creating iroute directives based on the specified subnet/mask (which imo, should be optional), when in fact you could specify all kinds of client-specific options managing your own CCD files (e.g., assignment of a specific IP on the tunnel).

To manage your own CCD files, you need to specify your own CCD directory in custom config ...

Code:
client-config-dir /jffs/ccd

… and create files in that directory based on the CN w/ the desired directives.

If you want to limit access *only* to those specific OpenVPN clients, you can add the following directive to custom config as well.

Code:
ccd-exclusive

Unlike the GUI, it could just be an empty file for the purposes of verifying CN-based authentication. But if you wanted to mimic the GUI in terms of subnet/mask, you could add an appropriate iroute directive to the CCD file ...

Code:
iroute 192.168.10.0 255.255.255.0

… and a corresponding route directive in custom config.

Code:
route 192.168.10.0 255.255.255.0

But again, the *only* purpose of the iroute/route directives is for site-to-site, so clients on the *server* side know how to route to those networks behind the various OpenVPN clients. If you don't have that need, the iroute/route directives are unnecessary.
 
Thanks for the prompt and detailed info. Will have to read up on this topic :).
Do I understand correctly there is no option to limit the target hosts for an OpenVPN client solely based on OpenVPN server configuration?
 

You *can* limit which OpenVPN clients are allowed to connect based on their CN. When using the GUI, you enable the "Allow only specified clients" option. Then *only* those OpenVPN clients listed, based on their CN, are allowed to connect.

Of course, whether that's really necessary is questionable if you're already using username/password. But that's up to you.

However, another one of the *quirks* of using the GUI is that it requires you to also specify the subnet/mask fields, under the assumption you're using that section for site-to-site configuration. It uses that information to create iroute/route directives for that particular OpenVPN client. But from the perspective of the OpenVPN server, that's NOT a requirement. You could have *empty* CCD files that are only for the purposes of identifying which OpenVPN clients are allowed to connect based on their CN. And that requires adding the "ccd-exclusive" directive to custom config.
 
Thanks again and sorry, apparently I was not clear in what I'm trying to achieve :rolleyes:.

My router is in the subnet 192.168.3.0/24. I want certain clients (based on the CN) only to be able to access say 192.168.3.100. All other hosts in 192.168.3.0/24 should be off limits.

I guess such a config (if at all possible) should be part of the config-file /jffs/ccd/<CN>?

EDIT: sorry, please ignore, will read up on this one first https://openvpn.net/community-resou...ing-client-specific-rules-and-access-policies.
 
Restricting access based on IP address is a function of the firewall, but the firewall knows *nothing* about CNs. In order to achieve what you want, you would have to assign specific IP addresses on the tunnel to specific OpenVPN clients through their CCD file to uniquely identify them by that IP, then create firewall rules accordingly.

CCD file for CN=xyz
Code:
ifconfig-push 10.8.0.2 255.255.255.0

Then in the firewall …

Code:
iptables -I FORWARD -s 10.8.0.2 ! -d 192.168.3.100 -j REJECT

If you have multiple destination IPs you want to allow access for …

Code:
iptables -I FORWARD -s 10.8.0.2 -j REJECT
iptables -I FORWARD -s 10.8.0.2 -d 192.168.3.100 -j ACCEPT
iptables -I FORWARD -s 10.8.0.2 -d 192.168.3.200 -j ACCEPT

This is a good example of how using the GUI to manage client-specific options comes up short, and why you may need to manage it yourself in certain circumstances.
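The two pieces described above (per-CN CCD files under the custom client-config-dir, and the per-tunnel-IP FORWARD rules) can be generated from one small table so that the -up and -down scripts stay in sync. The script below is an added example, not code from the thread or from the Asuswrt-Merlin firmware; it assumes the client-config-dir is /jffs/ccd (overridable through CCD_DIR), a 10.8.0.0/24 tunnel, and the three-client table embedded in CLIENTS, which is constructed for illustration. It generalizes the single-host case in the post to any number of allowed LAN hosts per client.

```shell
#!/bin/sh
# Added example: write CCD files (ifconfig-push per CN) and emit the matching
# iptables FORWARD rules.  Assumptions: CCD_DIR is the client-config-dir set in
# custom config, tunnel is 10.8.0.0/24, rules go in the FORWARD chain as in the post.

CCD_DIR="${CCD_DIR:-/jffs/ccd}"
TUN_MASK="255.255.255.0"

# Constructed client table for this example: "<CN> <tunnel IP> <allowed LAN hosts...>"
CLIENTS='client2 10.8.0.2 192.168.3.22
client3 10.8.0.3 192.168.3.22
client4 10.8.0.4 192.168.3.22 192.168.3.100'

# Write one CCD file per client.  ifconfig-push pins the tunnel IP, which is
# what lets the firewall identify the client by source address.
write_ccd() {
    cn="$1"; ip="$2"
    mkdir -p "$CCD_DIR"
    printf 'ifconfig-push %s %s\n' "$ip" "$TUN_MASK" > "$CCD_DIR/$cn"
}

# Emit iptables commands for one client.  $1 is -I (add) or -D (delete), so the
# same function serves both the -up and the -down script.
rules_for() {
    op="$1"; ip="$2"; shift 2
    # The catch-all REJECT is inserted first; every later -I lands above it, so
    # the ACCEPT rules are evaluated before the REJECT (same ordering as the post).
    printf 'iptables %s FORWARD -s %s -j REJECT\n' "$op" "$ip"
    for host in "$@"; do
        printf 'iptables %s FORWARD -s %s -d %s -j ACCEPT\n' "$op" "$ip" "$host"
    done
}

# Walk the table: create CCD files (only when adding) and print or run the rules.
# usage: provision [-I|-D] [print|run]
provision() {
    op="${1:--I}"; mode="${2:-print}"
    printf '%s\n' "$CLIENTS" | while read -r cn ip hosts; do
        [ -n "$cn" ] || continue
        if [ "$op" = "-I" ]; then
            write_ccd "$cn" "$ip"
        fi
        # shellcheck disable=SC2086  # hosts is intentionally word-split
        rules_for "$op" "$ip" $hosts | if [ "$mode" = run ]; then sh; else cat; fi
    done
}

# Run directly:  sh ccd-rules.sh -I        (write CCD files, print the rules)
#                sh ccd-rules.sh -I run    (apply them; use "-D run" in the down script)
if [ $# -gt 0 ]; then
    provision "$@"
fi
```

Because the CCD files are keyed by the certificate CN, the CN in each certificate must match the file name exactly; with ccd-exclusive in custom config, a client whose CN has no file is refused, which is the CN-based allow-list the GUI builds for you.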
 
Thanks! With the information you supplied (even in various threads on the forum :)) I got it to work!

For documentation purposes:


3 vpn clients (client2-4) getting limited access to just 192.168.3.22 (client1 has a custom config, but is not limited via iptables to specific hosts).



In vpnserver2-down the rules are deleted again via iptables (-D instead of -I).

Thanks again. Appreciated!
 
I increased the max field length to 64 chars.
 
