pfSense

There's an example here on how to accomplish this:
https://serverfault.com/questions/850599/permit-only-n-connection-for-a-user-config-in-openvpn/850889

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/402

Tested with

2.6.0-DEVELOPMENT (amd64)
built on Sat Nov 20 06:21:37 UTC 2021
FreeBSD 12.3-PRERELEASE

It works. After setting the duplicate connection limit, any connections over the limit receive auth failures. It might be useful to hide the Duplicate Connection Limit input field until the Duplicate Connection check box is ticked.

Max Leighton wrote in #note-5:

It works. After setting the duplicate connection limit, any connections over the limit receive auth failures. It might be useful to hide the Duplicate Connection Limit input field until the Duplicate Connection check box is ticked.

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/470

Jim Pingle wrote in #note-11:

Commit reverted. We can revisit this in the next release.

Instead of this shell hack, is it possible to allow per-certificate connection like pointed in the https://serverfault.com/questions/850599/permit-only-n-connection-for-a-user-config-in-openvpn/850889
Currently, I tried to add a second certificate to one user. The OpenVPN Client Export Tab properly shows the new client export option. That is the user has now two client configs to export
However, when connecting 2 clients with the two different profiles, the second connection is accepted, but the first connection will be broken.

This seems the better way to to go, that is the option to allow one connection per user should be one connection per certificate

Note: I have the option "Strict User-CN Matching" enabled, not sure if each certificate would need a different CN for this to work

There could be additional code to address the behavior with certs differently, however it wouldn't be "instead of" since it's also a useful feature for User Auth RA servers.

Phil Wardt wrote in #note-12:

Note: I have the option "Strict User-CN Matching" enabled, not sure if each certificate would need a different CN for this to work

For the connection to be unique, the CN must be unique. If you have "username as common name" enabled that means a different auth username. If you have that option disabled, the the certificate CN must be different.

Jim Pingle wrote in #note-14:

Phil Wardt wrote in #note-12:

Note: I have the option "Strict User-CN Matching" enabled, not sure if each certificate would need a different CN for this to work

For the connection to be unique, the CN must be unique. If you have "username as common name" enabled that means a different auth username. If you have that option disabled, the the certificate CN must be different.

Thank you for the confirmation. That's what I though after reading about the 'duplicate-cn' option. In the end, both ways, you always need a different CN unless no limitation at all is fixed for the number of connections /user
For large organisations, dropping "Strict User-CN Matching" option can be a risk. I personally prefer one device certificate per user until another option comes. I'll wait for it.

Marcos Mendoza wrote in #note-16:

New MR including fix to client-specific configuration not applying (static address issue): https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/694

Patch attached that can be applied to 22.01 - make sure to run chmod 755 /usr/local/sbin/openvpn.connect_async.sh after applying the patch.

Tested patch against multiple connections. Set limit to "2", logged in from phone and tablet and then tested against laptop (on 7100 running 22.01 RELEASE)

Mar 29 22:38:54 firewall openvpn[56228]: 123.45.67.89:23111 [username] Peer Connection Initiated with [AF_INET]123.45.67.89:23111
Mar 29 22:38:54 firewall openvpn[79065]: user 'username' authenticated
Mar 29 22:38:54 firewall openvpn[56228]: username/123.45.67.89:23111 MULTI_sva: pool returned IPv4=10.199.1.4, IPv6=(Not enabled)
Mar 29 22:38:54 firewall openvpn[80042]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:23111' - connecting
Mar 29 22:38:54 firewall openvpn[82955]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:23111' - active connection limit of '2' reached
Mar 29 22:38:54 firewall openvpn[56228]: username/123.45.67.89:23111 MULTI: deferred --client-connect script returned CC_RET_FAILED