Add additional client to OpenVPN on OpenWrt

Hi, I installed OpenVPN server on my router that is running OpenWrt some time ago.
It works perfectly for the single laptop1 that I set up to connect when I installed the server.
I now want to add another laptop2 to connect - if I just use the same ovpn file it works, but will only let me connect if the first laptop is not already connected.
Could someone guide me on how to set up a new client on both the laptop2 and on the OpenVPN server on OpenWrt?
Thanks in advance!
Dave

The previous instructions do not work?

What issues are you having with the previous instructions?

Do you need a link?

Correct, that's the point of encryption and security. I'm only familiar with AS; but there's a setting there to allow multiple connections. I'm not sure about the basic package in OpenWrt, though.

I spent some time looking but I can't find the previous instructions and the instructions I did find aren't very clear.
I want to make sure I don't break the connection for laptop1!

Thanks,
Dave

1 Like

Create a separate client certificate for the additional client. This certificate must have a different CN but be signed by the same CA certificate.

There is a server config setting to allow multiple clients to reuse the same certificate but that is less secure and it prevents setting up options that vary with different clients.

1 Like

Thanks mk24
Do you know where I can find instructions on how to create the client certificate and I guess I need to register on the server?
Dave

I guess you're using easy-rsa which I'm not familiar with.

Individual clients do not need to be registered with the server; the fact that their certificate is signed by the CA certificate which is loaded into the server proves that they are authorized.

The public part of the CA needs to be stored at the server and all clients so they can check that the other side's certificate is properly signed.

The private key of the CA must never be shared anywhere. It is used only out of band to sign new certificates. Some use cases will sign a batch of certificates then destroy the CA private key to guarantee that no more certificates can be made against that CA.

The server has the server certificate and private key. Each client has their individual client certificate and private key. The private keys must be kept secret from everyone else.

1 Like
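The per-client certificate layout described in the post above, as an added example that is not part of the original thread: it uses the plain `openssl` CLI rather than easy-rsa and builds a throwaway CA only so that it runs stand-alone. The names `Example-VPN-CA`, `laptop1`, `laptop2` and the helper functions are assumptions; on an existing setup the new client's request would be signed with the CA key that already signed laptop1's certificate.

```shell
#!/bin/sh
# Added example: throwaway PKI in a temp dir; every name below is constructed.
PKI=$(mktemp -d)

# Minimal config so results do not depend on the system openssl.cnf.
cat > "$PKI/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# CA key and self-signed CA certificate. ca.key stays on the signing host only.
make_ca() {
    openssl req -x509 -config "$PKI/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -subj "/CN=Example-VPN-CA" -days 3650 \
        -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}

# One client: its own private key, its own CN, signed by the shared CA.
issue_client() {
    openssl req -new -config "$PKI/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
        -CAcreateserial -extfile "$PKI/pki.cnf" -extensions v3_client \
        -days 825 -out "$PKI/$1.crt" 2>/dev/null
}

# The check a peer makes: does the certificate chain to our CA as a TLS client?
verify_client() {
    openssl verify -purpose sslclient -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null 2>&1
}

# Print the subject line (contains the CN) of an issued certificate.
client_cn() { openssl x509 -in "$PKI/$1.crt" -noout -subject; }

make_ca && issue_client laptop1 && issue_client laptop2
for c in laptop1 laptop2; do
    verify_client "$c" && echo "$c: signed by CA, $(client_cn "$c")"
done
```

Each laptop then gets `ca.crt` plus only its own `.crt` and `.key`; the server configuration is unchanged because it already trusts the CA.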

This will work. With the security caveat mentioned by @mk24, you'd use this directive to allow multiple clients to use the same keys/certs (the following in UCI formatting):

	option duplicate_cn '1'

Thanks psherman.
I tried this, but it seems not to work as both laptops are assigned the same IP address and so it seems to switch the connection to either one or the other, but not both.
Dave

In my experience (and I haven't tried this in a while), OpenVPN server will assign the next available IP in its pool to the 2nd client. If this is still true/possible, it will obviously require that OpenVPN is in tun mode, with a large enough subnet definition.

It's possible it no longer works, though.

Another alternative, BTW, is to use WireGuard instead of OpenVPN. It is higher performance/faster (and requires fewer resources than OpenWrt), and it is far easier to configure. You can easily add multiple "client" peers to the configuration (each will be unique) and generating key-pairs for this purpose is almost trivially easy.