Feature #12267

OpenVPN option to limit concurrent connections per user

Added by Marcos Mendoza 9 months ago. Updated about 2 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
Due date:
% Done:
100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default

Description

It's beneficial to be able to limit the total number of connections allowed per user when Duplicate Connection is used.

It can also help in situations where a single user uses up a significant proportion of the total concurrent connection limit.


Actions #3

Updated by Jim Pingle 7 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Marcos Mendoza
  • Target version set to CE-Next
  • Plus Target Version set to Plus-Next

Actions #4

Updated by Viktor Gurov 6 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #5

Updated by Max Leighton 6 months ago

Tested with

2.6.0-DEVELOPMENT (amd64)
built on Sat Nov 20 06:21:37 UTC 2021
FreeBSD 12.3-PRERELEASE

It works. After setting the duplicate connection limit, any connections over the limit receive auth failures. It might be useful to hide the Duplicate Connection Limit input field until the Duplicate Connection check box is ticked.

Actions #6

Updated by Viktor Gurov 6 months ago

Max Leighton wrote in #note-5:

It works. After setting the duplicate connection limit, any connections over the limit receive auth failures. It might be useful to hide the Duplicate Connection Limit input field until the Duplicate Connection check box is ticked.

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/470

Actions #7

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Pull Request Review
  • Assignee changed from Marcos Mendoza to Viktor Gurov
  • Target version changed from CE-Next to 2.6.0
  • Plus Target Version changed from Plus-Next to 22.01

Actions #8

Updated by Viktor Gurov 6 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #9

Updated by Marcos Mendoza 6 months ago

  • Status changed from Feedback to Resolved

Tested, looks good.

Actions #10

Updated by Jim Pingle 5 months ago

  • Status changed from Resolved to New

The commit for this, 7aaa20d95a345c4688e8786c755c7d0433451688 , broke static IP address assignments from RADIUS.

Actions #11

Updated by Jim Pingle 5 months ago

  • Target version changed from 2.6.0 to CE-Next
  • Plus Target Version changed from 22.01 to 22.05

Commit reverted. We can revisit this in the next release.

Actions #12

Updated by Phil Wardt 4 months ago

Jim Pingle wrote in #note-11:

Commit reverted. We can revisit this in the next release.

Instead of this shell hack, is it possible to allow per-certificate connections, as pointed out in https://serverfault.com/questions/850599/permit-only-n-connection-for-a-user-config-in-openvpn/850889
Currently, I tried to add a second certificate to one user. The OpenVPN Client Export Tab properly shows the new client export option. That is, the user now has two client configs to export.
However, when connecting 2 clients with the two different profiles, the second connection is accepted, but the first connection will be broken.

This seems the better way to go, that is, the option to allow one connection per user should be one connection per certificate.

Note: I have the option "Strict User-CN Matching" enabled, not sure if each certificate would need a different CN for this to work

Actions #13

Updated by Marcos Mendoza 4 months ago

There could be additional code to address the behavior with certs differently, however it wouldn't be "instead of" since it's also a useful feature for User Auth RA servers.

Actions #14

Updated by Jim Pingle 4 months ago

Phil Wardt wrote in #note-12:

Note: I have the option "Strict User-CN Matching" enabled, not sure if each certificate would need a different CN for this to work

For the connection to be unique, the CN must be unique. If you have "username as common name" enabled that means a different auth username. If you have that option disabled, the certificate CN must be different.

Actions #15

Updated by Phil Wardt 4 months ago

Jim Pingle wrote in #note-14:

Phil Wardt wrote in #note-12:

Note: I have the option "Strict User-CN Matching" enabled, not sure if each certificate would need a different CN for this to work

For the connection to be unique, the CN must be unique. If you have "username as common name" enabled that means a different auth username. If you have that option disabled, the certificate CN must be different.

Thank you for the confirmation. That's what I thought after reading about the 'duplicate-cn' option. In the end, both ways, you always need a different CN unless no limitation at all is fixed for the number of connections per user.
For large organisations, dropping the "Strict User-CN Matching" option can be a risk. I personally prefer one device certificate per user until another option comes. I'll wait for it.

Actions #16

Updated by Marcos Mendoza 4 months ago

New MR including fix to client-specific configuration not applying (static address issue): https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/694

Patch attached that can be applied to 22.01 - make sure to run chmod 755 /usr/local/sbin/openvpn.connect_async.sh after applying the patch.

Actions #17

Updated by Marcos Mendoza 4 months ago

  • Status changed from New to Pull Request Review

Actions #18

Updated by Ryan Coleman about 2 months ago

Marcos Mendoza wrote in #note-16:

New MR including fix to client-specific configuration not applying (static address issue): https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/694

Patch attached that can be applied to 22.01 - make sure to run chmod 755 /usr/local/sbin/openvpn.connect_async.sh after applying the patch.

Tested patch against multiple connections. Set limit to "2", logged in from phone and tablet and then tested against laptop (on 7100 running 22.01 RELEASE)

Mar 29 22:38:54 firewall openvpn[56228]: 123.45.67.89:23111 [username] Peer Connection Initiated with [AF_INET]123.45.67.89:23111
Mar 29 22:38:54 firewall openvpn[79065]: user 'username' authenticated
Mar 29 22:38:54 firewall openvpn[56228]: username/123.45.67.89:23111 MULTI_sva: pool returned IPv4=10.199.1.4, IPv6=(Not enabled)
Mar 29 22:38:54 firewall openvpn[80042]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:23111' - connecting
Mar 29 22:38:54 firewall openvpn[82955]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:23111' - active connection limit of '2' reached
Mar 29 22:38:54 firewall openvpn[56228]: username/123.45.67.89:23111 MULTI: deferred --client-connect script returned CC_RET_FAILED
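
The log lines above are what an operator has to watch once the limit is enforced: repeated "active connection limit reached" events for one account from several source addresses point at a shared or leaked credential rather than a user with too many devices. The following is an added example, not part of this ticket or of pfSense; it parses log lines in the same format as the ones posted (the sample is constructed, with documentation addresses) and aggregates rejections per user and source.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in the ticket; not real traffic.
SAMPLE_LOG = """\
Mar 29 22:38:54 firewall openvpn[56228]: 123.45.67.89:23111 [username] Peer Connection Initiated with [AF_INET]123.45.67.89:23111
Mar 29 22:38:54 firewall openvpn[79065]: user 'username' authenticated
Mar 29 22:38:54 firewall openvpn[80042]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:23111' - connecting
Mar 29 22:38:54 firewall openvpn[82955]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:23111' - active connection limit of '2' reached
Mar 29 22:38:54 firewall openvpn[56228]: username/123.45.67.89:23111 MULTI: deferred --client-connect script returned CC_RET_FAILED
Mar 29 22:40:10 firewall openvpn[80101]: openvpn server 'ovpns2' user 'alice' address '198.51.100.7:51000' - connecting
Mar 29 22:41:02 firewall openvpn[80150]: openvpn server 'ovpns2' user 'username' address '203.0.113.9:40000' - active connection limit of '2' reached
"""

# Matches the pfSense-style rejection line quoted in the ticket.
LIMIT_RE = re.compile(
    r"openvpn server '(?P<server>[^']+)' user '(?P<user>[^']+)' "
    r"address '(?P<addr>[^']+)' - active connection limit of '(?P<limit>\d+)' reached"
)


def limit_events(log_text):
    """Return (server, user, addr, limit) for every connection rejected by the limit."""
    events = []
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            events.append((m["server"], m["user"], m["addr"], int(m["limit"])))
    return events


def rejections_per_user(log_text, threshold=1):
    """Count limit hits per user and collect the distinct source IPs involved.

    Only users with at least `threshold` rejections are returned, so the
    threshold can be tuned to separate one forgetful user from a shared account.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for _server, user, addr, _limit in limit_events(log_text):
        counts[user] += 1
        sources[user].add(addr.rsplit(":", 1)[0])  # strip the source port
    return {u: (counts[u], sorted(sources[u])) for u in counts if counts[u] >= threshold}


if __name__ == "__main__":
    for user, (n, srcs) in rejections_per_user(SAMPLE_LOG).items():
        print(f"{user}: {n} rejected connection(s) from {srcs}")
```
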

Actions #19

Updated by Viktor Gurov about 2 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #20

Updated by Jim Pingle about 2 months ago

  • Target version changed from CE-Next to 2.7.0

Actions #21

Updated by Marcos Mendoza about 2 months ago

  • % Done changed from 0 to 100