
UNDEF clients with different auth methods

Posted: Wed Oct 07, 2020 8:18 am
by Yacudzer
My auth-user-pass-verify script checks users' credentials:
  1. If the user uses a login and password, the script checks these credentials via LDAP. This case may be used without any certificate.
  2. If the user does not send a login and password, the script checks the certificate and allows the connection.
I have trouble with the common name of my users.
If I use the option username-as-common-name, the first case works correctly, but users with certificates (case 2) get the UNDEF identifier and the OpenVPN server does not remember their IP addresses (saved to /var/log/openvpn/ipp.txt with UNDEF).
If I do not use the option username-as-common-name, I see the opposite picture: users in case 1 cannot save their IP addresses.
How can I influence common_name from my script? I want to save the IP addresses of my users in all cases...

My config is below:

port 443
proto udp
dev tun
ca certs/ca.crt
cert certs/prd-ovpn-02.crt
key keys/prd-ovpn-02.key # This file should be kept secret
crl-verify certs/crl.pem
dh keys/dh.pem
topology subnet
mode server
server a.a.b.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route a.a.a.a"
push "dhcp-option DNS a.a.1.1"
push "dhcp-option DNS a.a.2.1"
push "dhcp-option DOMAIN mydomain.local"
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
script-security 2
management 1197
tmp-dir /dev/shm
auth-user-pass-verify '/etc/openvpn/scripts/ /var/log/openvpn/auth-user-pass-verify.log' via-file
verify-client-cert optional
# username-as-common-name
up '/etc/openvpn/scripts/ /var/log/openvpn/interface-up.log'
down '/etc/openvpn/scripts/ /var/log/openvpn/interface-down.log'
client-connect '/etc/openvpn/scripts/ /var/log/openvpn/client-connect.log'
client-disconnect '/etc/openvpn/scripts/ /var/log/openvpn/client-disconnect.log'
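Added example, not the poster's script: one way to write the two-branch auth-user-pass-verify script described in the post, as a POSIX shell script for via-file mode. It assumes the invocation convention visible in the posted config (the first argument is the log file; OpenVPN appends the path of the credentials file as the second argument), that OpenVPN exports the verified leaf certificate's fingerprint as tls_digest_0 (and its CN as X509_0_CN) only when a client certificate actually passed verification, and an LDAP directory at the hypothetical LDAP_URI with users under the hypothetical LDAP_BASE_DN. The LDAP check is a simple bind with ldapwhoami from the OpenLDAP client tools. The script rejects by default, so with verify-client-cert optional a client that sends neither a username nor a verified certificate is denied instead of let through. Note that OpenVPN normally insists on a username/password whenever auth-user-pass-verify is configured; the "empty username" branch is only reached if the server permits clients to omit credentials (the auth-user-pass-optional directive does this).

```shell
#!/bin/sh
# Hypothetical auth-user-pass-verify script (via-file mode). Added example,
# not the poster's own script. Assumed invocation, taken from the posted
# config line `auth-user-pass-verify '<script> <logfile>' via-file`:
#   $1 = log file, $2 = temp file written by OpenVPN under tmp-dir with the
#   username on line 1 and the password on line 2.
# Exit 0 accepts the client, anything else rejects it (fail closed).

# LDAP settings are assumptions; adapt to your directory.
LDAP_URI="${LDAP_URI:-ldaps://ldap.mydomain.local}"
LDAP_BASE_DN="${LDAP_BASE_DN:-ou=people,dc=mydomain,dc=local}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "${LOGFILE:-/dev/null}"; }

# Read username (line 1) and password (line 2) from the via-file into
# VPN_USER / VPN_PASS. IFS= and -r keep spaces and backslashes intact so a
# password is compared exactly as typed. Returns 1 if the file is unusable.
read_via_file() {
    VPN_USER=""
    VPN_PASS=""
    [ -f "$1" ] && [ -r "$1" ] || return 1
    {
        IFS= read -r VPN_USER || true   # line 1: username (may be empty)
        IFS= read -r VPN_PASS || true   # line 2: password (may be empty)
    } < "$1"
}

# Assumption: OpenVPN sets tls_digest_0 (fingerprint of the client's leaf
# certificate) only after the chain passed verification. With
# `verify-client-cert optional`, a client that sent no certificate has no
# tls_digest_0, so this is the test for "a certificate was really checked".
cert_was_verified() {
    [ -n "${tls_digest_0:-}" ]
}

# Pick the branch. Prints one of: ldap, cert, deny.
#   ldap : username present       -> credentials must bind against LDAP
#   cert : no username            -> a verified client certificate is required
#   deny : neither a username nor a verified certificate
decide_mode() {
    if [ -n "${VPN_USER:-}" ]; then
        echo ldap
    elif cert_was_verified; then
        echo cert
    else
        echo deny
    fi
}

# Check a username/password pair with a simple bind as that user.
# The username is whitelisted first so it cannot inject DN components, and
# the password goes through a temp file (-y) so it never appears in `ps`.
ldap_bind_ok() {
    user="$1"
    pass="$2"
    case "$user" in *[!A-Za-z0-9._-]*|"") return 1 ;; esac
    dn="uid=$user,$LDAP_BASE_DN"
    pwfile=$(mktemp "${TMPDIR:-/dev/shm}/ovpn-pw.XXXXXX") || return 1
    printf '%s' "$pass" > "$pwfile"
    ldapwhoami -x -H "$LDAP_URI" -D "$dn" -y "$pwfile" >/dev/null 2>&1
    rc=$?
    rm -f "$pwfile"
    return $rc
}

main() {
    LOGFILE="${1:-/dev/null}"
    creds="${2:-}"
    read_via_file "$creds" || { log "deny: cannot read credentials file"; exit 1; }
    case "$(decide_mode)" in
        ldap)
            if ldap_bind_ok "$VPN_USER" "$VPN_PASS"; then
                log "allow: ldap user=$VPN_USER from ${untrusted_ip:-?}"
                exit 0
            fi
            log "deny: ldap bind failed user=$VPN_USER from ${untrusted_ip:-?}"
            exit 1 ;;
        cert)
            log "allow: certificate CN=${X509_0_CN:-?} digest=$tls_digest_0 from ${untrusted_ip:-?}"
            exit 0 ;;
        *)
            log "deny: no username and no verified certificate from ${untrusted_ip:-?}"
            exit 1 ;;
    esac
}

# Dispatch only when OpenVPN calls the script with arguments; sourcing the
# file (for example from a test) just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

The password is never written to the log, and the username whitelist rejects anything that could rewrite the bind DN (a username such as `alice,ou=admins` is refused before LDAP is contacted). Which of the two branches wins the common_name used for ipp.txt is, as the post says, decided by OpenVPN's username-as-common-name setting and not by this script.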