OpenVPN Support Forum

OpenVPN should support X509 Certificate Policies in order to compartmentalize a Root CA.

Currently, the only way for a single organisation to control which OpenVPN installation a user can connect to is to use separate CAs (assuming that user has an account on both systems).

If an organisation has a registered IANA OID such as 1.3.6.1.4.1.32473 (Example OID), they could distribute sub-trees to various OpenVPN installations within their organisation. Each would run their own subordinate CA (using a common Root CA) but only issue certificates which contain a Certificate Policy OID allocated to them. The server could then (with an appropriate option) check that the client certificate supplied has the allocated Policy OID embedded.

For example 1.3.6.1.4.1.32473.1 (note the .1 suffix) could be allocated to a dept A's OpenVPN server and subordinate CA, while 1.3.6.1.4.1.32473.2 (note the .2 suffix) could be allocated to dept B's OpenVPN server and CA. A user with a certificate issued by dept A's subordinate CA would therefore not be able to log in to dept B's OpenVPN installation and vice versa.

I believe OpenSSL has the ability to check policy trees therefore this shouldn't be too difficult to implement (says the non-programmer!).

I can see that OpenVPN supports the 'auth-user-pass-verify' which would allow to use an script plugin to process an user authentication event. Is the client certificate available to this script?.

If this is so, this script could be configured to check for the presence of the required certificate policy ID.

Certificate policies can be validated with an script like the following:
And the following OpenVPN configuration:



Tested with With OpenVPN 2.4.4-2ubuntu1.3.

Easy-TLS already has a similar function called Custom Group.