Opened 4 years ago
Closed 4 years ago
#1284 closed User question (notabug)
Openvpn client using Subject Alt Names
| Reported by: | krishnamurthydv | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Generic / unclassified | Version: | OpenVPN 2.4.7 (Community Ed) |
| Severity: | Not set (select this one, unless you're a OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
We are using OpenVPN version 2.4.7 (the same on client and server) and we have the following requirement.
- Multiple clients have to connect to the OpenVPN server using the same certificate
- Each client should use a unique name from "X509v3 Subject Alternative Name" in the certificate. Basically each client should connect to the server using a unique name instead of the default common name.
How can this be specified in the client configuration file and passed to the server? How to achieve this? Can you please clarify?
PS: This is similar to using "leftid" in strongSwan IKE.
Change History (4)
comment:2 Changed 4 years ago by
Thanks for the quick response. For a given client we have a requirement of establishing multiple tunnels to a server from different physical interfaces. So we wanted to use the same cert and use the SAN (we are doing this in IKE using leftid, which is exchanged with the server) - basically to identify the port (at the server) on which the request was sent from the client.
comment:3 Changed 4 years ago by
There is no such mechanism in OpenVPN today - "leftid" compares more to "same cert, different username" in OpenVPN (which would be one possible way to tackle this).
comment:4 Changed 4 years ago by
| Resolution: | → notabug |
|---|---|
| Status: | new → closed |
I'm not sure I understand the requirements - so you are using the same certificate, which has like 10 different SANs in, and each client should "send" a different alt name?
This is impossible. There is only one certificate, and the client will send the whole certificate - and there is no signalling "I am really client # 7".
Either use username+password, or individual certificates.
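
The "same cert, different username" approach mentioned in the replies, sketched as an added example (not code from the ticket or from the OpenVPN project): a server-side `auth-user-pass-verify` script that accepts a login only when the shared certificate was presented and the per-tunnel username and password match. The certificate CN, usernames, passwords, salts and script path are constructed placeholders.

```python
#!/usr/bin/env python3
# Added example: auth-user-pass-verify helper for "same cert, different username".
# Server directives assumed (real OpenVPN options; the script path is a placeholder):
#   duplicate-cn                 several sessions may share one certificate CN
#   script-security 2
#   auth-user-pass-verify /path/to/verify_tunnel.py via-file
#   username-as-common-name      the username becomes the session identity
# Client directive assumed, one credentials file per tunnel: auth-user-pass eth0.cred
import hashlib
import hmac
import os
import sys

SHARED_CERT_CN = "site-router-01"  # constructed: CN of the one shared certificate
ITERATIONS = 100_000

def _entry(password, salt):
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample table: per-tunnel username -> (salt, password hash).
TUNNELS = {
    "site-router-01-eth0": _entry("constructed-secret-a", b"constructed-salt-a"),
    "site-router-01-eth1": _entry("constructed-secret-b", b"constructed-salt-b"),
}
_DUMMY = _entry("", b"constructed-dummy")  # keeps unknown users on the same code path

def verify(username, password, cert_cn):
    """True only if the shared certificate was presented and the tunnel credential matches."""
    salt, expected = TUNNELS.get(username, _DUMMY)
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    match = hmac.compare_digest(got, expected)
    return match and username in TUNNELS and cert_cn == SHARED_CERT_CN

def main(argv, environ):
    # via-file: argv[1] names a temp file, line 1 = username, line 2 = password.
    with open(argv[1], encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        return 1
    # OpenVPN exports the verified certificate CN as common_name.
    ok = verify(lines[0], lines[1], environ.get("common_name", ""))
    return 0 if ok else 1  # exit status 0 accepts the login, non-zero rejects it

if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

With `username-as-common-name` set, later stages such as `client-config-dir` see the per-tunnel username instead of the shared CN, which gives the server the per-interface identity the reporter asked for.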