[HOWTO] internal routing with no client cert auth

virgo

[HOWTO] internal routing with no client cert auth

Post by virgo » Mon May 16, 2022 9:56 am

Hi all

I'm trying to include the MikroTik subnet (192.168.88.0/24) in my OpenVPN. I'm able to connect the MikroTik device to the VPN; however, it does not support TLS auth yet, so I'm authenticating with username/password using radiusplugin.
I really would like to have the MikroTik subnet reachable from everywhere. I found the documentation on the OpenVPN site and it says I need to perform internal routing based on the client common name. Considering I can't use a client certificate, I found the username-as-common-name feature, which seems to fit my requirements; however, it does not work. Tracerouting the IP, the first hop is the VPN server and the second hop is nothing. (I assume iroute did not work, right?)
Any idea how I can work around this?

My config follows:

Code:

push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
route 192.168.88.0 255.255.255.0
client-to-client
push "route 192.168.88.0 255.255.255.0"

dev tun

management /var/run/openvpn.sock unix

server 10.8.0.0 255.255.255.0


dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh3072.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key

max-clients 10

client-config-dir /PATH_TO_CCD/ccd

persist-tun
persist-key

verb 3

log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /PATH_TO_PLUGIN/radiusplugin.so /PATH_TO_PLUGIN/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto tcp6-server
mssfix 1450
port 1194
cipher AES-256-CBC
auth SHA1

TinCanTech

Re: [HOWTO] internal routing with no client cert auth

Post by TinCanTech » Mon May 16, 2022 10:38 am

See --ccd-exclusive in the manual.

Also, you don't want --duplicate-cn.
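The combination the reply points at (one ccd file per RADIUS username carrying the iroute, ccd-exclusive on the server, no duplicate-cn) is easy to get subtly wrong, so here is an added shell check that is not from the thread or from OpenVPN itself. It assumes the server config path and ccd directory are passed as arguments; the fixture at the bottom is constructed for the demo, with a hypothetical RADIUS username "mikrotik-gw".

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the iroute setup
# (ccd file per username, ccd-exclusive, no duplicate-cn).
# Assumes: $1 = server config file, $2 = ccd directory.

# Print findings; return 0 when clean, 1 when something needs fixing.
check_ccd() {
    conf=$1; ccd=$2; bad=0
    if ! grep -q '^ccd-exclusive' "$conf"; then
        echo "WARN: ccd-exclusive missing; a RADIUS user with no ccd file is still admitted"; bad=1
    fi
    if grep -q '^duplicate-cn' "$conf"; then
        echo "WARN: duplicate-cn set; two sessions sharing a CN with an iroute fight over it"; bad=1
    fi
    seen=$(mktemp)
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        while read -r kw net mask _ || [ -n "$kw" ]; do
            [ "$kw" = iroute ] || continue
            # every iroute needs a matching kernel 'route' on the server side
            grep -q "^route $net $mask" "$conf" ||
                { echo "ERR: $name: iroute $net $mask has no 'route' line in $conf"; bad=1; }
            echo "$net $mask $name" >> "$seen"
        done < "$f"
    done
    # the same subnet claimed by two usernames is ambiguous: last login wins
    dups=$(cut -d' ' -f1,2 "$seen" | sort | uniq -d)
    [ -z "$dups" ] || { echo "ERR: subnet claimed by more than one ccd file: $dups"; bad=1; }
    rm -f "$seen"
    return $bad
}

# Constructed demo fixture mirroring the poster's layout (hypothetical
# username "mikrotik-gw"; paths are temporary, not the real ones).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/ccd"
printf 'server 10.8.0.0 255.255.255.0\nroute 192.168.88.0 255.255.255.0\nusername-as-common-name\nccd-exclusive\n' > "$demo_dir/server.conf"
printf 'iroute 192.168.88.0 255.255.255.0\n' > "$demo_dir/ccd/mikrotik-gw"
check_ccd "$demo_dir/server.conf" "$demo_dir/ccd" && echo "demo config: OK"
```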

virgo

Re: [HOWTO] internal routing with no client cert auth

Post by virgo » Mon May 16, 2022 11:45 am

Thanks, it works fine.

I would still keep --duplicate-cn to allow normal users to share the ID (I created an empty file in the ccd folder for them); however, I must be sure all the MikroTik users will be different. Right?
