VPN question about usernames passwords

DarnellG

Regular Contributor
I have 2 Asus routers, an AX88U at home and an AC5300 at the remote site, that are linked through a bidirectional site-to-site VPN link. I use this link to access an IP camera remotely. Both routers are using the latest Merlin firmware.

Everything works great because I only have one client logged in on the VPN server at a time, using 'client' as the common name. I don't really want to go through the headaches of creating custom client certs, so I decided that for the 2 or 3 VPN clients I would use a custom server script 'username-as-common-name' to use the username as the common name.

This works for the default username, but if I use any of the usernames and passwords that I created at the bottom of the 'VPN Server' tab, the clients fail to authorize ('auth fail').

Why don't these usernames and passwords work for me?

In the meantime I've started a second VPN server so that I can log into that one without disrupting the first one.

eibgrad

Part of the Furniture
You don't create a custom script for the purposes of adding that directive (username-as-common-name), you simply add it to the custom config field of the OpenVPN server.

DarnellG

Regular Contributor
Thanks for the response. Yes, sorry for the confusion; that's what I meant to say. I just added that line to the custom config field. Adding this does force the server to use the username for the common name.

How do I get each client to have their own username and password? I tried enabling the 'Username / Password Only' setting, but it does not seem to change anything. The VPN client only authenticates when I use the default username and password. It doesn't authenticate when the usernames/passwords that I created are used to log in.

eibgrad

Part of the Furniture
Well now you've done something you hadn't mentioned previously.

By specifying Username/Password only, you've eliminated the client's cert completely. But I don't know if MCSO (Manage Client-Specific Options) is going to work w/o a client cert, even if you specify username-as-common-name. I never tried it that way before, but the directive's name certainly suggests there is still a client cert involved; it's just known for MCSO purposes by the username of the connecting client.

IOW, don't depend solely on the username/password if you must depend on MCSO for site-to-site purposes as well.

DarnellG

Regular Contributor
Agreed. I only tried that 'Username/Password Only' setting to see if the usernames/passwords that I created would work, but it didn't. I left that setting at 'no', so I am using client certs.

Still baffling as to how I can get the VPN clients to use separate usernames.

Attachments: Screenshot_20220713-145342_Samsung Internet.jpg

eibgrad

Part of the Furniture
Try adding the following directive to the OpenVPN server as well.

Code:
duplicate-cn

If it still doesn't work, I need to see your OpenVPN server page, and a dump of the config file.

Code:
cat /tmp/etc/openvpn/server1/config.ovpn

DarnellG

Regular Contributor
I tried your setting above with no luck. I appreciate your help. Attached is the server2 config. Server 2 is my testing server.

Attachments: Screenshot_20220713-153316_JuiceSSH.jpg

eibgrad

Part of the Furniture
I need to see a screenshot of your OpenVPN server to see if somehow you messed it up. On the face of it, it would seem correct based solely on the dump of the config file, but I want to verify it visually in the GUI.

Also, I would try disabling all the MCSO stuff for the time being and just verify you can connect to the server with any and all usernames. I want to see if perhaps things go awry only once MCSO gets involved.

DarnellG

Regular Contributor
I'll try your suggestions later tonight when I have time. In the meantime, here are the general and advanced server 2 settings. If those are too blurry, I'll get screenshots from my computer tonight.

Attachments: Screenshot_20220713-155213_Samsung Internet.jpg, Screenshot_20220713-155143_Samsung Internet.jpg

DarnellG

Regular Contributor
I tried disabling Manage Client-Specific Options as you suggested; unfortunately, only the default username works.

elorimer

Very Senior Member
Look at the configuration files you exported for the other usernames and make sure the certificates are included. I think when you experimented with user only authentication you might have lost them. And you may find the second server solution works fine too.

You have two or three different things in play here, but you are going to need the MCSO in order for the bidirectional link to the remote camera to work. You want to end up with one VPN connection from the remote site, always on and bidirectional (which means something specific for that connection), and then one or more VPN clients that connect occasionally but don't require anything specific. I followed @eibgrad's posts on this to the letter and it works for me, so I'm sure he'll suss it out for you. Do what he says. (Three: you have the bidirectional part, the authentication part, and the "default" user problem.)

But you might tear this down completely, set to defaults, and start over. First, user authentication on but not only, then set MCSO on, create the first user for the remote site, add the username-as-common-name directive, and get that working. Then add the second user, export that config file, make sure it has the certificates, and use that to connect the second user. Repeat as necessary. Last, create a custom connect file to exclude the router admin as a user.
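A quick way to do the "make sure it has the certificates" check from the post above, as an added example that is not from the thread or from the Merlin firmware: it scans an exported client profile for the inline <ca>, <cert> and <key> blocks that certificate authentication needs and reports whether auth-user-pass is set. File names and PEM contents below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the Merlin firmware: inspect an
# exported OpenVPN client profile (.ovpn) for the inline <ca>, <cert> and
# <key> blocks that certificate authentication needs, and report whether
# auth-user-pass (username/password prompting) is also set.
# ovpn_check FILE -> prints findings; returns 0 only if ca, cert and key exist.
ovpn_check() {
    f="$1"
    missing=0
    for blk in ca cert key; do
        if grep -q "^<$blk>" "$f" && grep -q "^</$blk>" "$f"; then
            echo "ok:      inline <$blk> block present"
        else
            echo "MISSING: inline <$blk> block (client-cert auth will fail)"
            missing=$((missing + 1))
        fi
    done
    if grep -q '^auth-user-pass' "$f"; then
        echo "ok:      auth-user-pass set, username/password will be asked"
    else
        echo "note:    no auth-user-pass line, only the cert identifies the client"
    fi
    [ "$missing" -eq 0 ]
}

# Constructed sample profiles; PEM bodies are placeholders, not real keys.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
auth-user-pass
<ca>
PLACEHOLDER-CA-PEM
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT-PEM
</cert>
<key>
PLACEHOLDER-CLIENT-KEY-PEM
</key>
EOF
# A profile like the one suspected above: exported with no client cert or key.
sed '/^<cert>/,/^<\/key>/d' "$good" > "$bad"

ovpn_check "$good"
ovpn_check "$bad" || echo "re-export this profile with cert auth enabled"
```

Run it against each profile you exported from the VPN Server tab; any profile reporting MISSING will not be able to complete certificate authentication regardless of the username used.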

eibgrad

Part of the Furniture
I tried disabling Manage Client-Specific Options as you suggested unfortunately only the default username works.

Well, based on those last snapshots you posted, you did NOT disable MCSO. You simply removed the entries from the MCSO table. I want it OFF, entirely.

I'm suggesting this because we KNOW that the ordinary use of multiple usernames and passwords works. I'm thinking there's something else going on here once MCSO is enabled that breaks it. I just don't know what that is at the moment.

elorimer

Very Senior Member
Well based on those last snapshots you posted, you did NOT disable MCSO.
He posted those two hours before he then said he tried disabling MCSO.