Page 1 of 1
Different users logging with the same cert file
Posted: Tue Dec 04, 2012 9:33 pm
by darlanb
Hi all,
is there a way to deny different user to log with openvpn with a specific client certificate?
Because on my tests, i´ve generated a client cert that i can log with "user1-pass1" or "user2-pass2".
Thanks.
Re: Different users logging with the same cert file
Posted: Wed Dec 05, 2012 4:48 pm
by maikcat
hi there,
if you use certificates yes you can block a client with a number of ways....
please post your configs and i will help you out
Michael.
Re: Different users logging with the same cert file
Posted: Fri Dec 07, 2012 1:48 pm
by darlanb
this is my /etc/openvpn/server.conf
local 10.1.1.2 #- your_server_ip goes here
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
#client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 5 30
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
Re: Different users logging with the same cert file
Posted: Fri Dec 07, 2012 7:56 pm
by maikcat
hi there,
to lock out a client you can do it by:
a) creating crl list and revoke his cert
or by using ccd files you can:
b) add disable directive inside his ccd file
-or-
c) use ccd-exclusive directive inside server config and make sure
that there isnt ccd file for this client
the b & c can easily undone, in a you must issue a new cert
Michael.