VPN question about usernames passwords

[DarnellG]

I have 2 asus routers, an AX88U at home and a AC5300 at the remote site, that are linked through a bidirectional site to site VPN link. I use this link to access an ip camera remotely. Both routers are using the latest Merlin firmware.

Everything works great because I only have one client logged in on the vpn server at a time using 'client' as the common name. I don't really want to go through the headaches of creating custom client certs so I decided for the 2 or 3 vpn clients I would use a custom server script 'username-as-common-name' to use the username as the common name.

This works for the default username but if I use any of the usernames and passwords that I created at the bottom of the 'VPN Server' tab the clients 'auth fail' to authorize.

Why don't these usernames and passwords work for me?

In the meantime I've started a second VPN server so that I can log into that one without disrupting the first one

 

[eibgrad]

You don't create a custom script for the purposes of adding that directive (username-as-common-name), you simply add it to the custom config field of the OpenVPN server.

 

[DarnellG]

Thx for the response, Yes sorry for the confusion, that's what I meant to say. I just added that line to the custom config field. Adding this does force the server to use the username for the common name.

How do I get each client to have their own username and password? I tried enabling the 'Username / Password Only' setting but it does not seem to change anything. The vpn client only authenticates when I use the default username and password. It doesn't authenticate when the usernames/passwords that I created are used to login.

 

[eibgrad]

Well now you've done something you hadn't mentioned previously.

By specifying Username/Password only, you've eliminated the client's cert completely. But I don't know if MCSO (Manage Client-Specific Options) is going to work w/o a client cert, even if you specify username-as-common-name. I never tried it that way before, but the directive's name certainly suggests there is still a client cert involved, but it's just known for MCSO purposes by the username of the connecting client.

IOW, don't depend solely on the username/password if you must depend on MCSO for site-to-site purposes as well.

 

[DarnellG]

Agreed, I only tried that 'Username/Password Only' setting to see if the usernames/passwords that I created would work but it didn't. I left that setting to 'no' so I am using client certs.

Still baffling as to how I can get the VPN clients to use separate usernames.

 

[eibgrad]

Try adding the following directive to the OpenVPN server as well.

duplicate-cn

If it still doesn't work, I need to see your OpenVPN server page, and a dump of the config file.

cat /tmp/etc/openvpn/server1/config.ovpn

 

[DarnellG]

I tried your setting above with no luck. I appreciate your help. Attached is the server2 config. Server 2 is my testing server

 

[eibgrad]

I need to see a screenshot of your OpenVPN server to see if somehow you messed it up. On the face of it, it would seem correct based solely on the dump of the config file, but I want to verify it visually in the GUI.

Also, I would try disabling all the MCSO stuff for the time being and just verify you can connect to the server with any and all usernames. I want to see if perhaps things go awry only once MCSO gets involved.

 

[DarnellG]

I'll try your suggestions later tonight when I have time in the meantime here are the general and advanced server 2 settings. If those are too blurry I'll get screenshots from my computer tonight

 

[DarnellG]

I tried disabling Manage Client-Specific Options as you suggested unfortunately only the default username works.

 

[elorimer]

Look at the configuration files you exported for the other usernames and make sure the certificates are included. I think when you experimented with user only authentication you might have lost them. And you may find the second server solution works fine too.

You have two or three different things in play here, but you are going to need the MCSO in order for the bidirectional link to the remote camera to work. You want to end up with one VPN connection from the remote site, always on, and bidirectional (which means something specific for that connection), and then one or more vpn clients that connect occasionally but don't require anything specific. I followed @eibgrad's posts on this to the letter and it works for me, so I'm sure he'll suss it out for you. Do what he says. (Three: You have the bidirectional part, the authentication part, and the "default" user problem.)

But you might tear this down completely, set to defaults, and start over. First, user authentication on but not only, then set MCSO on, create the first user for the remote site, add the username-as-common-name directive, and get that working. Then add the second user, export that config file, make sure it has the certificates, and use that to connect the second user. Repeat as necessary. Last, create a custom connect file to exclude the router admin as a user.

 

[eibgrad]

I tried disabling Manage Client-Specific Options as you suggested unfortunately only the default username works.

Well based on those last snapshots you posted, you did NOT disable MCSO. You simply removed the entries from the MCSO table. I want it OFF, entirely.

I'm suggesting this because we KNOW that the ordinary use of multiple usernames and passwords works. I'm thinking there's something else going on here once MCSO is enabled that breaks it. I just don't know what that is at the moment.

 

[elorimer]

Well based on those last snapshots you posted, you did NOT disable MCSO.

He posted those two hours before he then said he tried disabling MCSO.