
[Openvpn-users] Re: [Openvpn-devel] Problem with username-as-common-name when using concurrent sessions

  • Subject: [Openvpn-users] Re: [Openvpn-devel] Problem with username-as-common-name when using concurrent sessions
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Wed, 19 Oct 2005 08:31:41 -0600 (MDT)

On Wed, 19 Oct 2005, Michael Renner wrote:

> Hi,
> First - thanks for OpenVPN, this is by far one of the most hassle-free
> open-source VPN solutions out there.
> But there seems to be a problem (or undocumented behaviour?) when using
> username-as-common-name in combination with concurrent sessions with identical
> usernames. Currently if there's a second session connecting with the same
> username as an already active session, the active session gets "overwritten"
> with the new one, causing the former to time out (and reconnect). Continue ad
> nauseam. This behaviour goes away when you disable username-as-common-name.
> Is this intended? (I don't know OpenVPN's behaviour when using identical
> certificates when doing certificate-based authentication.)
> Either way, this cost me quite a headache ;), and if it's not going to be
> changed OpenVPN should at least throw a log message when active connections get
> "reused".

I'm moving this to the users list.  The developers list is only for 
talking about OpenVPN development, such as source code and patches.

You need to use the "duplicate-cn" option if you want to allow multiple 
connected clients to use the same common name at the same time.  Since you 
are mapping the username to the common name with 
"username-as-common-name", then you must tell OpenVPN via "duplicate-cn" 
that multiple connected clients may use the same username.

The reason the sessions are "overwritten" is that when you know the common 
names (or usernames) of clients are unique, and you don't overwrite an old 
session when a new session is initiated, then you could essentially lock 
out a user by having a stale session remain active.

Having said that, I can see that this could be a gotcha if you don't know
about the duplicate-cn option.  I'll try to add a log message warning when
a new connection usurps an old one with the same common name.
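For readers who land on this thread with the same symptom, here is the server-side configuration the reply describes, written out as an added example. It is not taken from the mail above or from the OpenVPN project's own files; the file names, the auth script path, the subnet and the keepalive values are assumptions chosen for illustration, and the only lines that matter for the behaviour discussed are the three commented ones at the end.

```conf
# Added example, not part of the original mail. Minimal OpenVPN server.conf
# (2.x syntax) for a server that authenticates clients by username/password.
# Certificate/key paths, subnet and script path are assumptions.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem

# Bound how long a dead (stale) session lingers: ping every 10 s, assume the
# peer is gone after 60 s without a reply. Without duplicate-cn a new login
# evicts a stale session immediately; with duplicate-cn this timer is what
# eventually reaps it, so do not rely on the eviction once you add duplicate-cn.
keepalive 10 60

# Username/password check. The script/plugin is an assumption; any
# auth-user-pass-verify or plugin-based check works the same way here.
auth-user-pass-verify /etc/openvpn/auth.sh via-env

# Use the authenticated username as the client's common name. From here on the
# server identifies a session by username, so two logins with the same username
# look like one client connecting twice.
username-as-common-name

# Without this line the server keeps ONE session per common name: a second
# login with the same username replaces the first, which then times out and
# reconnects, and the two clients evict each other in a loop (the symptom in
# the question). With it, several connected clients may share a username.
duplicate-cn
```

Two practical consequences of adding duplicate-cn are worth keeping in mind. First, any per-client settings keyed on the common name (a client-config-dir file, or an ifconfig-push of a fixed address) now apply to every session sharing that username, so a static address assigned to the name would be handed to all of them at once; leave such clients on the dynamic pool or give them distinct usernames. Second, because a new session no longer evicts an older one with the same name, a client whose session died without a clean disconnect stays in the server's table until the keepalive timer expires it, which is why the keepalive line above is not optional in this setup.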
