Duplicate-cn option in OpenVPN server in Lede

Hello

I'm setting up the OpenVPN server on my router, following the guide here: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup

The process seems simple. I managed to get the server set up & am able to connect to the server through some other network. Looks great here.

However, when I connect more devices to the server, it turns out the connection is not stable. Based on my experience setting up the OpenVPN server in Ubuntu, I guess it could be that they are using the same ovpn file and thus the common name is exactly the same. To enable simultaneous connections with the same CN, an option named "duplicate-cn" should be configured in the server configuration.

But the issue is that I can't find how to enable that in Lede OpenVPN. I have tried at least the two ways below, but neither works:

  1. Add the line "option duplicate-cn '1'" to the "vpnserver" section of /etc/config/openvpn and reboot
    The VPN server still works, but it seems the option is not taking effect.
  2. Execute the command "uci set openvpn.vpnserver.duplicate-cn='1'" on the CLI
    I just get "uci: Parse error"

What could be the correct way to enable that in Lede OpenVPN? As for the potential risk of using "duplicate-cn", I am actually only using OpenVPN at home to manage some of my home devices, thus I'm not concerned about the risk.

Br, Javen

Duplicate CNs means you are using the same certificate for multiple users, which is generally not a good idea. Make unique certificates for each user.

I think it may be that you are using 'duplicate-cn' rather than 'duplicate_cn'. UCI will parse the latter back to the former when passing the config to openvpn.

I usually just use the uci config file to point to an .ovpn file. Place all configuration in that file in the conventional format according to OpenVPN documentation.

    option config '/etc/openvpn/myconfig.ovpn'
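
Added example, not part of the original posts and not OpenWrt's own init script: a simplified shell model of the underscore-to-hyphen translation described above, showing why `duplicate-cn` is rejected as a UCI option name while `duplicate_cn` reaches OpenVPN as `duplicate-cn`. The sample section, the `BOOLS` subset and the function names are constructed for illustration.

```shell
#!/bin/sh
# Simplified model (assumption) of how a UCI "openvpn" section becomes OpenVPN
# directives: option names use underscores, emitted directives use hyphens.

# Constructed sample section; values are illustrative.
SAMPLE="config openvpn 'vpnserver'
	option enabled '1'
	option port '1194'
	option proto 'udp'
	option duplicate_cn '1'
	option duplicate-cn '1'"

# Flag-style directives: emitted with no argument when set to '1'.
# Short illustrative subset, not the full list.
BOOLS="duplicate_cn client_to_client persist_key persist_tun"

uci_to_ovpn() {
	# Reads UCI text on stdin, writes OpenVPN directives on stdout and
	# reports rejected option names on stderr.
	while read -r kw name value; do
		[ "$kw" = "option" ] || continue
		value=${value#\'}; value=${value%\'}
		case "$name" in
			*[!A-Za-z0-9_]*)
				# UCI option names allow only letters, digits and '_',
				# so a hyphenated name never reaches OpenVPN.
				echo "rejected: $name" >&2
				continue ;;
			enabled) continue ;;  # controls the service, not a directive
		esac
		directive=$(printf '%s' "$name" | tr '_' '-')
		case " $BOOLS " in
			*" $name "*)
				if [ "$value" = "1" ]; then echo "$directive"; fi ;;
			*) echo "$directive $value" ;;
		esac
	done
}

# Directives that would reach OpenVPN, and names that were dropped.
generated() { printf '%s\n' "$SAMPLE" | uci_to_ovpn 2>/dev/null; }
rejected()  { printf '%s\n' "$SAMPLE" | uci_to_ovpn 2>&1 >/dev/null; }

generated
rejected
```

On a real router, `openvpn --config <file>` run against the generated configuration, or the process arguments of the running instance, shows which directives actually took effect.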

Thank you. "duplicate_cn" works in my case.

You can also rename your .ovpn file to .conf and place it into /etc/openvpn/, then you do not need to touch uci at all.