A few questions about restricting access to OpenVPN server
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
OpenVPN provides a server setting which prevents more than one simultaneous session from using the same credentials. (Everything in OpenVPN boils down to "the user's key." It knows nothing of system usernames, much less passwords.) The keys contain within their encrypted content a unique serial number, and the same number cannot be used twice at the same time.
Of course it goes without saying that you should never use PSKs = simple passwords." Every user or computer should be issued its own unique key, which you can if necessary selectively revoke.
Anyone who shares VPN key information should be subject to immediate employment termination. And they should be sternly warned of this on day one.
Also note that most software does not enable a "non-administrator user" to access the key information anyway: they are entitled to use the key, but they have no reason to know it. (Any more than they "need to know" what is actually encoded on the unique badge they use to get beyond the lobby of the building.)
If you further "password-protect" a key, you are actually encrypting it. So it must be successfully decrypted before it can then be used. But the security of the key rests only with "itself," encrypted or not. (And with the fact that it has not yet been revoked.) The key is "one of a kind," and the user cannot manufacture one for himself.
Give each user a unique key and a copy of the tls-auth certificate (which is common). The latter enables you to even try(!) to connect – completely shutting-down "unauthorized access attempts."
Hello,
Thank you so much for your reply.
So, the best way to prevent two people from logging in at the same time is to use username and password authentication.
Hello,
Thank you so much for your reply.
One of the reasons I hadn't noticed this was that when one user connects to the OpenVPN server and then the next user connects to the server with the same key, the OpenVPN Connect app stays connected.
I have two questions:
1- I used the following two commands to generate keys for clients:
In the first command, I see the following message:
Quote:
Common Name (eg: your user, host or server name) [client name]:
I just hit the enter key and the key was generated. I repeated the same thing for the second client and just changed the name of the client.
Now, two clients should be able to connect simultaneously. Am I right?
2- Are ca.key and ta.key the same for all clients?
One of the reasons I hadn't noticed this was that when one user connects to the OpenVPN server and then the next user connects to the server with the same key, the OpenVPN Connect app stays connected.
If this happens, then there is something wrong.
Quote:
Originally Posted by Jason.nix
I have two questions:
1- I used the following two commands to generate keys for clients:
You should only use nopass for the server's keys. Definitely not on client keys, unless you're setting up a permanent VPN between sites and the remote client is a headless server.
Quote:
Originally Posted by Jason.nix
Now, two clients should be able to connect simultaneously. Am I right?
Using different keys, yes.
Quote:
Originally Posted by Jason.nix
2- Are ca.key and ta.key the same for all clients?
No.
ca.key is the private key. This should NEVER be shared with anyone. It should only exist on the CA machine.
It probably wouldn't hurt to read the documentation to learn more about this. The questions you have seem to be quite fundamental and are all covered: https://community.openvpn.net/openvpn/wiki/HOWTO
You should only use nopass for the server's keys. Definitely not on client keys, unless you're setting up a permanent VPN between sites and the remote client is a headless server.
Using different keys, yes.
No.
ca.key is the private key. This should NEVER be shared with anyone. It should only exist on the CA machine.
It probably wouldn't hurt to read the documentation to learn more about this. The questions you have seem to be quite fundamental and are all covered: https://community.openvpn.net/openvpn/wiki/HOWTO
Hello,
Thanks again.
Quote:
If this happens, then there is something wrong.
1- Should an option be included in the server or client configuration files?
2- I guess nopass is just to increase security, if the key falls into someone's hands, then he\she need to know the username and password to use it.
3- If you want to create a file with the extension .ovpn for the client that will connect to your server, then you need to put the keys Ca.crt, Client.crt, Client.key and Ta.key in the client file. Am I wrong?
1- Should an option be included in the server or client configuration files?
By default, the server will disallow two connections using the same Common Name. If you want to enable multiple connections with the same Common Name (which is not a good idea), then you have to use the "duplicate-cn" directive in your configuration file.
Quote:
Originally Posted by Jason.nix
2- I guess nopass is just to increase security, if the key falls into someone's hands, then he\she need to know the username and password to use it.
Just the opposite. nopass leaves the key unencrypted, which means anyone can use it.
Quote:
Originally Posted by Jason.nix
3- If you want to create a file with the extension .ovpn for the client that will connect to your server, then you need to put the keys Ca.crt, Client.crt, Client.key and Ta.key in the client file. Am I wrong?
No, you're not wrong. Your understanding is correct. The "client.crt" and "client.key" parts are different for each user, and should have different names.
By default, the server will disallow two connections using the same Common Name. If you want to enable multiple connections with the same Common Name (which is not a good idea), then you have to use the "duplicate-cn" directive in your configuration file.
Just the opposite. nopass leaves the key unencrypted, which means anyone can use it.
No, you're not wrong. Your understanding is correct. The "client.crt" and "client.key" parts are different for each user, and should have different names.
Hi,
Thanks again.
I use the OpenVPN Connect app on Android and PC. When I connect to the server with the same key on two devices, the OpenVPN Connect app on the previous client does not disconnect, but it doesn't work either. Why?
By default, OpenVPN uses UDP. This allows it to operate without a connection.
When you "connect" to it, what you're actually doing is registering your IP address with the server. It then knows to accept packets from your IP address which are encrypted with the key you're using. If a user on a different IP address then "connects," with the same key it will deny access to packets from the original IP address. The original client device won't even know.
This is an over-simplification, and I'm more than happy to be corrected by someone who knows better.
You can check the logs in /etc/openvpn or /var/log/messages or /var/log/syslog for more details about the connections and what is going on.
By default, OpenVPN uses UDP. This allows it to operate without a connection.
When you "connect" to it, what you're actually doing is registering your IP address with the server. It then knows to accept packets from your IP address which are encrypted with the key you're using. If a user on a different IP address then "connects," with the same key it will deny access to packets from the original IP address. The original client device won't even know.
This is an over-simplification, and I'm more than happy to be corrected by someone who knows better.
You can check the logs in /etc/openvpn or /var/log/messages or /var/log/syslog for more details about the connections and what is going on.
Hello,
Thank you so much for your reply.
But in my opinion, it is better that the creators of OpenVPN designed it in such a way that the previous connection is interrupted so that the user realizes that someone is connected to the server with his\her keys.
How can I save the contents of the openvpn-status.log file? When someone connects to the server, his\her information is placed in this file, and when he\she leaves the server, his\her information is deleted!
Hello,
Thank you so much for your reply.
But in my opinion, it is better that the creators of OpenVPN designed it in such a way that the previous connection is interrupted so that the user realizes that someone is connected to the server with his\her keys.
no
the working session will work, another one cannot be opened with the same key. User will be informed using email/sms/whatever, but not by disconnecting.
no
the working session will work, another one cannot be opened with the same key. User will be informed using email/sms/whatever, but not by disconnecting.
Hello,
Thank you so much for your reply.
No idea about how can I save the contents of the openvpn-status.log file?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.