Author Topic: VPN Finding and suggestion  (Read 3627 times)

alvinquah

  • Zen Warrior
  • ***
  • Posts: 128
  • Karma: +0/-0
VPN Finding and suggestion
« on: July 15, 2009, 10:53:48 am »
Hi,

After trying out the VPN function, I am happy to see that it's working well, as expected. There is an issue though. I know that an eBox certificate bundle download will only allow one VPN connection at a time. That means if I use the same certificate bundle download on another machine to connect via VPN, the original VPN connection will be disconnected and the new VPN connection will be established. I know this can be overcome by using a different certificate bundle download. But my question is: what happens if I have, say, a hundred VPN connections that are needed? I would not wish to create a hundred certificates!

I have googled online and found out that the same eBox certificate bundle download will be enough to provide multiple VPN connections by commenting off a parameter "duplicate-cn" in the OpenVPN config file. But I am not sure where this parameter is found?

------------------------------------------------------------------------------------------

Suggestion:

I have a VPN suggestion to make as well. Is it possible to authenticate the user after they have established an OpenVPN connection successfully? For example, when they have connected successfully to the eBox server and the tap interface is showing the IP address, another login prompt would appear to authenticate the user before they are able to use eBox resources. This is like another level of security, and prevents abuse of VPN certificates.

Thanks
Alvin Quah

sixstone

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1417
  • Karma: +26/-0
Re: VPN Finding and suggestion
« Reply #1 on: July 15, 2009, 11:29:31 am »
Quote
I have googled online and found out that the same eBox certificate bundle download will be enough to provide multiple VPN connections by commenting off a parameter "duplicate-cn" in the OpenVPN config file. But I am not sure where this parameter is found?
You may change the configuration for the VPN server in /usr/share/ebox/stubs/openvpn/openvpn.conf.mas. Take into account that any change in these templates will be overridden during an upgrade.
Quote
Suggestion:

I have a VPN suggestion to make as well. Is it possible to authenticate the user after they have established an OpenVPN connection successfully? For example, when they have connected successfully to the eBox server and the tap interface is showing the IP address, another login prompt would appear to authenticate the user before they are able to use eBox resources. This is like another level of security, and prevents abuse of VPN certificates.
The main thing is to provide secure authentication using a public key infrastructure. Its security is based on keeping the private key actually private. That is, using a single public/private key pair per client keeps the connections safe, and you're sure that the user with that key is the authenticated user. This implies not using shared secrets (passwords) and things like that, which are more likely to be exploited. So I'd suggest not sharing the same bundle for all your clients, since this breaks any possibility of checking who is accessing your resources.

Best regards and thanks very much for your comments and suggestions,
My secret is my silence...
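As an added illustration of the accountability point made in the reply above (this is not code from the thread or from eBox), the script below reads an OpenVPN status file (the status-version 1 layout written by the `status` directive) and counts live sessions per certificate Common Name. When `duplicate-cn` is in effect and a bundle is shared, several devices show up under one CN, and nothing in the log tells you which person is behind which address. The status file contents, the CN `shared-bundle` and the addresses are constructed sample data.

```sh
#!/bin/sh
# Added example: count concurrent OpenVPN sessions per Common Name.
# A CN with more than one live session is a shared bundle (duplicate-cn),
# i.e. a connection you can no longer attribute to a single user.

# Constructed sample status file in OpenVPN's status-version 1 layout.
SAMPLE_STATUS=$(mktemp)
trap 'rm -f "$SAMPLE_STATUS"' EXIT
cat > "$SAMPLE_STATUS" <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Jul 15 10:40:00 2009
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,192.0.2.10:1194,1024,2048,Wed Jul 15 10:31:00 2009
shared-bundle,198.51.100.7:1194,4096,8192,Wed Jul 15 10:35:00 2009
shared-bundle,203.0.113.22:1194,512,1024,Wed Jul 15 10:38:00 2009
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,192.0.2.10:1194,Wed Jul 15 10:39:50 2009
10.8.0.10,shared-bundle,198.51.100.7:1194,Wed Jul 15 10:39:55 2009
10.8.0.14,shared-bundle,203.0.113.22:1194,Wed Jul 15 10:39:58 2009
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# sessions_per_cn STATUSFILE -> one "cn count" line per Common Name, sorted
sessions_per_cn() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { in_clients = 1; next }
        /^ROUTING TABLE/       { in_clients = 0 }
        in_clients && /^Updated,/     { next }   # timestamp line
        in_clients && /^Common Name,/ { next }   # column header
        in_clients && NF >= 5 { count[$1]++ }    # one client row per session
        END { for (cn in count) print cn, count[cn] }
    ' "$1" | sort
}

# shared_cns STATUSFILE -> Common Names with more than one live session
shared_cns() {
    sessions_per_cn "$1" | awk '$2 > 1 { print $1 }'
}

# count_shared_cns STATUSFILE -> how many Common Names are shared right now
count_shared_cns() {
    shared_cns "$1" | wc -l | tr -d ' '
}

echo "Sessions per Common Name:"
sessions_per_cn "$SAMPLE_STATUS"
echo "Common Names with several concurrent sessions:"
shared_cns "$SAMPLE_STATUS"
```

Point it at the real file named by the `status` directive in your server config to see what a shared bundle looks like on a live server; a per-client certificate gives every row a distinct CN, so the second list stays empty.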

soylor

  • Zen Apprentice
  • *
  • Posts: 14
  • Karma: +0/-0
Re: VPN Finding and suggestion
« Reply #2 on: December 15, 2010, 05:30:04 pm »
I've tested the parameter and it works.

I can use the same config bundle for multiple connections.

A checkbox for doing that would be an appreciated feature.

Josep

  • Zen Samurai
  • ****
  • Posts: 255
  • Karma: +6/-0
Re: VPN Finding and suggestion
« Reply #3 on: December 16, 2010, 10:31:12 am »
I have been bitten by this same issue recently.
The way I solved it was to create the file /etc/ebox/hooks/openvpn.postsetconf and add the following contents:
Code:
#!/bin/sh
# Post-setconf hook: eBox rewrites the OpenVPN server config and then runs
# this script, so the extra directives are appended to the fresh file.
host=$(hostname -s)
conf="/etc/openvpn/$host.conf"
echo "# Added by /etc/ebox/hooks/openvpn.postsetconf" >> "$conf"
echo 'push "dhcp-option DOMAIN <replace with your domain>"' >> "$conf"
echo 'push "dhcp-option DNS <replace with your DNS IP>"' >> "$conf"
echo '#   Allow multiple clients with the same Certificate' >> "$conf"
echo 'duplicate-cn' >> "$conf"

Then you need to make some change in the VPN's web GUI to force it to be written to your host's VPN server config.
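A hook like the one above is run every time the config is regenerated, and a plain `>>` appends the same five lines again on each run. The following is an added example, not Josep's script and not part of eBox, of an idempotent version: `append_once` only writes a directive if the exact line is not already present, and `apply_hook` takes the config path, domain and DNS address as arguments so it can be exercised on a scratch file. The sample config contents, `example.internal` and `10.8.0.1` are constructed values.

```sh
#!/bin/sh
# Added example: idempotent variant of the openvpn.postsetconf hook.
# Running it repeatedly leaves exactly one copy of each directive.

set -eu

# append_once CONF LINE -> append LINE to CONF unless that exact line exists
append_once() {
    conf=$1
    line=$2
    if grep -Fqx -- "$line" "$conf"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$conf"
}

# has_directive CONF NAME -> success if an uncommented line starts with NAME
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# count_directive CONF NAME -> number of uncommented lines starting with NAME
count_directive() {
    grep -Ec "^[[:space:]]*$2([[:space:]]|\$)" "$1" || true
}

# apply_hook CONF DOMAIN DNS -> the hook body, parameterised for testing.
# On a real server this would be called as:
#   apply_hook "/etc/openvpn/$(hostname -s).conf" your.domain 10.8.0.1
apply_hook() {
    conf=$1
    domain=$2
    dns=$3
    append_once "$conf" "# Added by /etc/ebox/hooks/openvpn.postsetconf"
    append_once "$conf" "push \"dhcp-option DOMAIN $domain\""
    append_once "$conf" "push \"dhcp-option DNS $dns\""
    append_once "$conf" "#   Allow multiple clients with the same Certificate"
    append_once "$conf" "duplicate-cn"
}

# Constructed sample: a minimal server config standing in for the eBox one.
DEMO_CONF=$(mktemp)
trap 'rm -f "$DEMO_CONF"' EXIT
cat > "$DEMO_CONF" <<'EOF'
dev tap0
proto udp
port 1194
EOF

# Run the hook twice; the second run must not add anything.
apply_hook "$DEMO_CONF" example.internal 10.8.0.1
apply_hook "$DEMO_CONF" example.internal 10.8.0.1

cat "$DEMO_CONF"
```

Because `duplicate-cn` is the directive that removes the per-user attribution discussed earlier in the thread, `has_directive CONF duplicate-cn` doubles as a quick audit check for a server you did not configure yourself.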