Separating multi-client clients

Tcan
OpenVpn Newbie
Posts: 5
Joined: Fri May 15, 2020 8:34 pm

Separating multi-client clients

Post by Tcan » Mon Apr 17, 2023 6:15 pm

Sorry if this is double posting but since here is a Configuration specific topic I should probably post here.

Trying to get multi-client working. Have used OVPN 1-to-1 many times. I even have crude multiple clients getting to a Windows server to each have their own server session by adding enough tunnel adapters so there is one for each, and using a separate port and forwarding (to the same server) for each. Trying to evolve to one adapter and the multi-client "mode server". Clients should all use the same port & forwarding then, right? I've tried just putting user2.ovpn, user2.crt, user2.key all in the config-auto folder with the user1 stuff. The only difference (besides name references) is that user1.ovpn says "server 10.8.0.0 255.255.255.0" and user2.ovpn says "server 10.9.0.0 255.255.255.0". Doesn't work. What dumb simple thing am I missing?

Rather than flooding this with a ton of config file stuff I'm looking for general change in approach with multi-client that I'm missing. May be able to figure it out from there. Can post any config file stuff that's needed.

Thanks.

Tcan
OpenVpn Newbie
Posts: 5
Joined: Fri May 15, 2020 8:34 pm

Re: Separating multi-client clients

Post by Tcan » Wed Apr 19, 2023 12:15 am

I solved my issue, but the reason I was confused raises an issue I would take to be a security issue. For all of the 1-to-1 setups of OVPN I've done, I created a JoeSmith-server crt & key and a JoeSmith-client crt & key. I had assumed they were related, that no one but JoeSmith-client could connect to JoeSmith-server, unless maybe other users were somehow made known to JoeSmith-server. Now, trying multi-client connections for the first time, I was confused how the server would know who else should be able to connect, not realizing any client set up from the same crt authority would be allowed. That's what to me seems unsafe as a default. Maybe some way to tell the server to accept anyone from the CA if that's desired, but not as default. And using CRL.PEM is nowhere near sufficient because it's a negative list. I would think a positive list, only those on the allowed list, by default, makes sense for safety. I can get that now using a client config folder and ccd-exclusive and putting files for those allowed in it. But even that I found by accident, as it's not really presented as a way to have an allowed list, and I'm amazed it's not the default.
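
The allow-list approach the reply arrives at (client-config-dir plus ccd-exclusive), as an added example that is not part of the thread and not OpenVPN's own code: a POSIX shell script that emulates the ccd-exclusive check and audits which valid CA-issued certificates have no ccd entry, so you can see exactly which clients the default CA-only configuration would still accept. It assumes an easy-rsa style index.txt, ccd files named after the certificate CN, and CNs without whitespace; the index lines and ccd files are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: emulate what "ccd-exclusive" does and
# audit which CA-issued client certs are NOT on the allow list.
# Assumptions: easy-rsa style index.txt, ccd files named after the cert CN.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CCD="$WORK/ccd"
INDEX="$WORK/index.txt"
mkdir -p "$CCD"

# Constructed sample CA index: three valid certs (V), one revoked (R).
printf 'V\t330101000000Z\t\t01\tunknown\t/CN=user1\n' >  "$INDEX"
printf 'V\t330101000000Z\t\t02\tunknown\t/CN=user2\n' >> "$INDEX"
printf 'V\t330101000000Z\t\t03\tunknown\t/CN=user3\n' >> "$INDEX"
printf 'R\t330101000000Z\t230101000000Z\t04\tunknown\t/CN=user4\n' >> "$INDEX"

# Constructed allow list: only user1 and user2 get a ccd file
# (an empty file is enough; ccd files may also carry per-client options).
: > "$CCD/user1"
: > "$CCD/user2"

# The server.conf directives the reply describes: with these, a client whose
# CN has no file under ccd/ is rejected even though the CA signed its cert.
cat > "$WORK/server.conf.fragment" <<'EOF'
client-config-dir ccd
ccd-exclusive
crl-verify crl.pem
EOF

# ccd-exclusive semantics: the client may connect only if ccd/<CN> exists.
ccd_allows() { [ -f "$CCD/$1" ]; }

# CNs of every valid (status V, not revoked) cert the CA has issued.
valid_cns() {
  awk -F'\t' '$1 == "V" && match($6, /CN=[^\/]+/) {
      print substr($6, RSTART + 3, RLENGTH - 3) }' "$INDEX"
}

# Valid certs with no allow-list entry: the default (CA-only) configuration
# would accept these; ccd-exclusive blocks them.
unlisted_valid_cns() {
  for cn in $(valid_cns); do
    ccd_allows "$cn" || echo "$cn"
  done
}

echo "valid certs not on the allow list:"
unlisted_valid_cns   # prints: user3
```

Run it against a real CA by pointing INDEX and CCD at the easy-rsa index.txt and the server's ccd directory instead of the constructed sample.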
