Hi all,
is there a way to deny different user to log with openvpn with a specific client certificate?
Because on my tests, i´ve generated a client cert that i can log with "user1-pass1" or "user2-pass2".
Thanks.
Different users logging with the same cert file
Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech
-
darlanb
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Dec 04, 2012 2:00 pm
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Different users logging with the same cert file
hi there,
if you use certificates yes you can block a client with a number of ways....
please post your configs and i will help you out
Michael.
if you use certificates yes you can block a client with a number of ways....
please post your configs and i will help you out
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
-
darlanb
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Dec 04, 2012 2:00 pm
Re: Different users logging with the same cert file
this is my /etc/openvpn/server.conf
local 10.1.1.2 #- your_server_ip goes here
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
#client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 5 30
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
local 10.1.1.2 #- your_server_ip goes here
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
#client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 5 30
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Different users logging with the same cert file
hi there,
to lock out a client you can do it by:
a) creating crl list and revoke his cert
or by using ccd files you can:
b) add disable directive inside his ccd file
-or-
c) use ccd-exclusive directive inside server config and make sure
that there isnt ccd file for this client
the b & c can easily undone, in a you must issue a new cert
Michael.
to lock out a client you can do it by:
a) creating crl list and revoke his cert
or by using ccd files you can:
b) add disable directive inside his ccd file
-or-
c) use ccd-exclusive directive inside server config and make sure
that there isnt ccd file for this client
the b & c can easily undone, in a you must issue a new cert
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"