My auth-user-pass-verify script checks users' credentials:
- if a user uses a login and password, the script checks these creds via LDAP. This case may be used without any certificate.
- if a user does not send a login and password, the script checks the certificate and allows the connection.
If I use the option username-as-common-name, the first case works correctly, but users with certificates (case 2) get the UNDEF identifier and the OpenVPN server doesn't remember their IP addresses (saved to /var/log/openvpn/ipp.txt with UNDEF).
If I do not use the option username-as-common-name, I see the opposite picture: users in case 1 cannot save their IP addresses.
How can I influence common_name in my script? I want to save the IP addresses of my users in all cases...
My config is below:
server.conf
port 443
proto udp
dev tun
ca certs/ca.crt
cert certs/prd-ovpn-02.crt
key keys/prd-ovpn-02.key # This file should be kept secret
crl-verify certs/crl.pem
dh keys/dh.pem
topology subnet
mode server
tls-server
server a.a.b.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route a.a.a.a 255.255.0.0"
push "dhcp-option DNS a.a.1.1"
push "dhcp-option DNS a.a.2.1"
push "dhcp-option DOMAIN mydomain.local"
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
script-security 2
management 127.0.0.1 1197
tmp-dir /dev/shm
auth-user-pass-verify '/etc/openvpn/scripts/auth-user-pass-verify.py /var/log/openvpn/auth-user-pass-verify.log' via-file
verify-client-cert optional
auth-user-pass-optional
# username-as-common-name
up '/etc/openvpn/scripts/interface-up.py /var/log/openvpn/interface-up.log'
down '/etc/openvpn/scripts/interface-down.py /var/log/openvpn/interface-down.log'
client-connect '/etc/openvpn/scripts/client-connect.py /var/log/openvpn/client-connect.log'
client-disconnect '/etc/openvpn/scripts/client-disconnect.py /var/log/openvpn/client-disconnect.log'
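Added example, not the poster's script: a client-connect hook that records each assigned address keyed on the verified username when one exists (LDAP case) and on the certificate CN otherwise, so the record does not depend on how common_name ends up being set. It assumes the standard OpenVPN client-connect environment variables (username, common_name, ifconfig_pool_remote_ip, trusted_ip, time_unix); the log path is the client-connect log from the config above.

```python
"""Record every client lease keyed on whichever identity OpenVPN exposes.

OpenVPN passes username (only when auth-user-pass was used), common_name,
ifconfig_pool_remote_ip, trusted_ip and time_unix to client-connect scripts
as environment variables. "UNDEF" is the value seen in the question."""
import os
import sys
import time
from typing import Mapping, Optional

UNDEF = "UNDEF"                                      # CN placeholder from the question
LEASE_LOG = "/var/log/openvpn/client-connect.log"    # path from the config above


def choose_identity(env: Mapping[str, str]) -> Optional[str]:
    """Prefer the LDAP-verified username; fall back to the certificate CN.
    Returns None when neither identifies the client."""
    username = env.get("username", "").strip()
    if username:
        return username
    cn = env.get("common_name", "").strip()
    if cn and cn != UNDEF:
        return cn
    return None


def lease_record(env: Mapping[str, str]) -> Optional[str]:
    """Build one tab-separated line: identity, pool IP, source IP, epoch time.
    Returns None when no pool address was assigned (nothing to record)."""
    pool_ip = env.get("ifconfig_pool_remote_ip", "").strip()
    if not pool_ip:
        return None
    identity = choose_identity(env) or UNDEF   # still log unidentified leases
    src = env.get("trusted_ip", "?")
    ts = env.get("time_unix") or str(int(time.time()))
    return f"{identity}\t{pool_ip}\t{src}\t{ts}"


def main() -> int:
    line = lease_record(os.environ)
    if line is not None:
        with open(LEASE_LOG, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
    # Exit 0: admission was already decided by auth-user-pass-verify;
    # this hook only records, it never rejects.
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Leases are then looked up by username or CN in this file instead of relying on the common_name column of ipp.txt.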