[Solved]Multiple Clients for openVPN Server on OpenWrt/LEDE

maxduckduck · June 11, 2018, 11:57pm

Hi

I have a Linksys WRT1900ACv2 with Firmware Version LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685) Kernel Version 4.4.92.

I used the following link to install openVPN Server:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup

This is an awesome guide, thankyou to the creators.

I would like to be able to have 2 or more simultaneous connections. Currently i use "my-server.ovpn" on the client to connect. I have this file on a windows PC and an android phone and both work fine but only one or the other. I assume I need a second ovpn file but the solution to creating this eludes me. What would be the best solution here?

psherman · June 12, 2018, 12:37am

There are two ways to do this:

create additional client keys & certificates such that each client has a unique set.
or
enable the option to have multiple instances of the same client (as identified by the cert/key).
option duplicate_cn '1'

Option 1 should in theory provide better security since you can monitor the actual device(s) connected and revoke keys if necessary without having to recreate and reissue all your keys/certs. Option 2 is a bit more brute-force but it does work using the same keys/certs, at the expense of security and easy info on the specific client(s) connecting to your VPN.

maxduckduck · June 12, 2018, 1:06am

Thanks, option 2 definitely looks the easiest and would definitely suit my situation.

For option 1 how would I go about creating new key and certificate using my Linksys? Can it be done with a script?

psherman · June 12, 2018, 4:29am

For implementing option 1, you’d simply follow the same process you did when generating the keys and certs originally. Just creating multiple client certs.

JW0914 · June 12, 2018, 5:22pm

This is never recommended, as it's a tremendous security risk.

The correct way is to generate certs for each individual client (2 commands, 3 if exporting to PKCS12).
- See OpenSSL Certificates wiki

maxduckduck · June 13, 2018, 11:37am

Thank you both @psherman and @JW0914.

I went with @psherman option 1, was a bit easier for me.

Ended up adding something like the following in "create-certs.sh" script:
Generating Client Cert & Key Section

openssl req -batch -nodes -new -keyout "my-client.key" -out "my-client.csr" -subj "/CN=my-client" -config ${PKI_CNF}
openssl req -batch -nodes -new -keyout "my-client02.key" -out "my-client02.csr" -subj "/CN=my-client02" -config ${PKI_CNF}

Signing Client Cert Section

openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "my-client.csr" -out "my-client.crt" -config ${PKI_CNF} -extensions my-client
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "my-client02.csr" -out "my-client02.crt" -config ${PKI_CNF} -extensions my-client

Copying Certs & Keys Section

cp ca.crt my-server.* my-client*.* dh2048.pem tls-auth.key /etc/openvpn

I ended up doing a clean install so also changed "create-ovpn.sh" and "copy-certs.sh" to reflect the file name change.

Everything seems OK now.

tmomas · June 13, 2018, 8:42pm

If your problem is solved, please consider marking this topic as [Solved].