Zentyal Forum, Linux Small Business Server

Zentyal Server => Other modules => Topic started by: hjt on November 04, 2019, 12:47:48 pm

Title: [SOLVED] OpenVPN authorisation by common name
Post by: hjt on November 04, 2019, 12:47:48 pm
I have a working VPN server, I can connect and ping the network.

In the server settings of the (Open)VPN there is an option "Client authorisation by common name".
The description says: "If enabled, only certificates whose common name begins with the selected value will be able to connect".

My server certificate common name is "vpn-client" (confusing, but to indicate this server is for mobile clients, as opposed to lan2lan)
My client certificate's common name is "vpn-client.henkjan" and I also tried "vpn-client henkjan".
The client authorisation by common name is set to "vpn-client".

In my opinion the common name of the client starts with "vpn-client", so I expected it to work.
The connection works when I set "Client authorisation by common name" to disabled.
Enabling the setting gives in the VPN log file:

VERIFY X509NAME ERROR: C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-client henkjan, must be vpn-client

So it appears to be checking the complete common name, as opposed to only the start.

Am I missing something?
Title: Re: OpenVPN authorisation by common name
Post by: hjt on November 04, 2019, 02:16:01 pm
OK, this is what I found out so far:

In the VPN config file (/etc/openvpn/client.d/client.conf) there is the line:

verify-x509-name vpn-client name

To check only the start of the common name this should be changed to:

verify-x509-name vpn-client name-prefix

After a restart of the VPN service the config file is overwritten again, so I have to find out how to make this persistent. The search direction is probably the Mason files, but I have no experience in this area so far.
Title: Re: OpenVPN authorisation by common name
Post by: hjt on November 04, 2019, 02:35:29 pm
To finalise this issue, in my opinion this is a bug, as Zentyal does not act as advertised in the web interface.

To solve the problem I had to make an adjustment to the stub/mason file:

sudo mkdir /etc/zentyal/stubs
sudo mkdir /etc/zentyal/stubs/openvpn
sudo cp /usr/share/zentyal/stubs/openvpn/openvpn.conf.mas /etc/zentyal/stubs/openvpn/
sudo nano /etc/zentyal/stubs/openvpn/openvpn.conf.mas

then change the line
verify-x509-name <% $tlsRemote %> name
into:
verify-x509-name <% $tlsRemote %> name-prefix

After this, restart the VPN service from the dashboard, and things are good to go.

[The reason behind this]

This way I can make separate certificates for different users, preventing them from connecting to other OpenVPN server instances that are running on my server.

So I have two OpenVPN servers:

Then I create certificates for the users:

vpn-client.user1
vpn-client.user2
vpn-client.user3

and

vpn-lan2lan.remotelan1
vpn-lan2lan.remotelan2

Now I can enforce that vpn-client users cannot connect to the vpn-lan2lan service, and still revoke individual certificates.
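As an added example (not part of this thread, and not Zentyal's or OpenVPN's own code): a small Python model of the three matching types OpenVPN accepts for `verify-x509-name`, applied to the subject from the log line in the first post and to certificate names that follow the naming scheme above. It covers both the `name` vs `name-prefix` difference from the second post and the per-service certificate scheme from the third. The config snippets, the helper names (`parse_verify_directive`, `common_name`, `matches`, `evaluate`) and all subjects other than `CN=vpn-client henkjan` are constructed for this example.

```python
"""Model of OpenVPN's `verify-x509-name <value> [type]` check.

Per the OpenVPN manual the optional type is one of:
  subject      - the full X.509 subject must equal <value> (default when type is omitted)
  name         - the CN must equal <value> exactly
  name-prefix  - the CN must begin with <value>
The config snippets and the extra certificate subjects below are constructed
for this example; only "CN=vpn-client henkjan" comes from the log line in the thread.
"""
from dataclasses import dataclass

VERIFY_TYPES = ("subject", "name", "name-prefix")


@dataclass(frozen=True)
class VerifyRule:
    expected: str
    mode: str


def parse_verify_directive(config_text: str) -> VerifyRule:
    """Return the first verify-x509-name directive found in an OpenVPN config text."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "verify-x509-name":
            mode = parts[2] if len(parts) >= 3 else "subject"
            if mode not in VERIFY_TYPES:
                raise ValueError(f"unknown verify-x509-name type: {mode!r}")
            return VerifyRule(expected=parts[1], mode=mode)
    raise ValueError("no verify-x509-name directive in config")


def common_name(subject: str) -> str:
    """Pull CN= out of a subject written the way OpenVPN logs it (comma-separated RDNs).

    Assumption: RDN values contain no escaped commas, which holds for the names here.
    """
    for rdn in subject.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep and key == "CN":
            return value
    raise ValueError(f"no CN in subject: {subject!r}")


def matches(rule: VerifyRule, subject: str) -> bool:
    """Apply one verify-x509-name rule to one peer certificate subject."""
    if rule.mode == "subject":
        return subject == rule.expected
    cn = common_name(subject)
    if rule.mode == "name":
        return cn == rule.expected
    return cn.startswith(rule.expected)  # name-prefix: "begins with" semantics


def evaluate(config_text: str, subjects) -> dict:
    """Map each subject to whether the config's rule would let that certificate connect."""
    rule = parse_verify_directive(config_text)
    return {s: matches(rule, s) for s in subjects}


# Constructed: the line the unmodified stub renders for a server whose certificate CN is "vpn-client".
DEFAULT_CONF = "verify-x509-name vpn-client name\n"
# Constructed: the same line after the stub edit described in the thread.
PATCHED_CONF = "verify-x509-name vpn-client name-prefix\n"

# First subject is from the thread's log line; the rest are constructed to follow its naming scheme.
SUBJECTS = [
    "C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-client henkjan",
    "C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-client.user1",
    "C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-lan2lan.remotelan1",
    "C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-client",
]

if __name__ == "__main__":
    for label, conf in (("name", DEFAULT_CONF), ("name-prefix", PATCHED_CONF)):
        print(f"--- verify-x509-name type: {label}")
        for subject, ok in evaluate(conf, SUBJECTS).items():
            print(f"{'ALLOW' if ok else 'REJECT':6} {common_name(subject)}")
```

Run as a script it prints, for type `name`, REJECT for every CN except the bare `vpn-client`, which is exactly the `VERIFY X509NAME ERROR ... must be vpn-client` behaviour in the first post; for `name-prefix` the `vpn-client.*` certificates are allowed while `vpn-lan2lan.*` stays rejected. Note that prefix matching admits any CN starting with the prefix, so the separation between the two services rests entirely on the CA issuing names in this scheme consistently; a certificate whose CN merely begins with `vpn-client` (including one equal to the server's own CN) would also pass.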