[Solved]Multiple Clients for openVPN Server on OpenWrt/LEDE


I have a Linksys WRT1900ACv2 with Firmware Version LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685) Kernel Version 4.4.92.

I used the following link to install openVPN Server:

This is an awesome guide, thankyou to the creators.

I would like to be able to have 2 or more simultaneous connections. Currently i use "my-server.ovpn" on the client to connect. I have this file on a windows PC and an android phone and both work fine but only one or the other. I assume I need a second ovpn file but the solution to creating this eludes me. What would be the best solution here?

There are two ways to do this:

  1. create additional client keys & certificates such that each client has a unique set.
  2. enable the option to have multiple instances of the same client (as identified by the cert/key).
    option duplicate_cn '1'

Option 1 should in theory provide better security since you can monitor the actual device(s) connected and revoke keys if necessary without having to recreate and reissue all your keys/certs. Option 2 is a bit more brute-force but it does work using the same keys/certs, at the expense of security and easy info on the specific client(s) connecting to your VPN.

Thanks, option 2 definitely looks the easiest and would definitely suit my situation.

For option 1 how would I go about creating new key and certificate using my Linksys? Can it be done with a script?

For implementing option 1, you’d simply follow the same process you did when generating the keys and certs originally. Just creating multiple client certs.

This is never recommended, as it's a tremendous security risk.

  • The correct way is to generate certs for each individual client (2 commands, 3 if exporting to PKCS12).

Thank you both @psherman and @JW0914.

I went with @psherman option 1, was a bit easier for me.

Ended up adding something like the following in "create-certs.sh" script:
Generating Client Cert & Key Section

openssl req -batch -nodes -new -keyout "my-client.key" -out "my-client.csr" -subj "/CN=my-client" -config ${PKI_CNF}
openssl req -batch -nodes -new -keyout "my-client02.key" -out "my-client02.csr" -subj "/CN=my-client02" -config ${PKI_CNF}

Signing Client Cert Section

openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "my-client.csr" -out "my-client.crt" -config ${PKI_CNF} -extensions my-client
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "my-client02.csr" -out "my-client02.crt" -config ${PKI_CNF} -extensions my-client

Copying Certs & Keys Section

cp ca.crt my-server.* my-client*.* dh2048.pem tls-auth.key /etc/openvpn

I ended up doing a clean install so also changed "create-ovpn.sh" and "copy-certs.sh" to reflect the file name change.

Everything seems OK now.

If your problem is solved, please consider marking this topic as [Solved].