Feature #12267
closedOpenVPN option to limit concurrent connections per user
Added by Marcos M over 3 years ago. Updated over 2 years ago.
100%
Description
It's beneficial to be able to limit the total number of connections allowed per user when Duplicate Connection is used.
In can also help in situations where a single user uses up a significant proportion of the total concurrent connection limit.
Files
0db0820b4a8a54412d9389a236e67f08fdd8acc7.diff (18.9 KB) 0db0820b4a8a54412d9389a236e67f08fdd8acc7.diff | Marcos M, 01/16/2022 10:30 AM |
Updated by Marcos M over 3 years ago
There's an example here on how to accomplish this:
https://serverfault.com/questions/850599/permit-only-n-connection-for-a-user-config-in-openvpn/850889
Updated by Marcos M about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Marcos M
- Target version set to CE-Next
- Plus Target Version set to Plus-Next
Updated by Viktor Gurov about 3 years ago
- Status changed from Pull Request Review to Feedback
Merged
Updated by Max Leighton about 3 years ago
Tested with
2.6.0-DEVELOPMENT (amd64)
built on Sat Nov 20 06:21:37 UTC 2021
FreeBSD 12.3-PRERELEASE
It works. After setting the duplicate connection limit, any connections over the limit receive auth failures. It might be useful to hide the Duplicate Connection Limit input field until the Duplicate Connection check box is ticked.
Updated by Viktor Gurov about 3 years ago
Max Leighton wrote in #note-5:
It works. After setting the duplicate connection limit, any connections over the limit receive auth failures. It might be useful to hide the Duplicate Connection Limit input field until the Duplicate Connection check box is ticked.
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/470
Updated by Jim Pingle about 3 years ago
- Status changed from Feedback to Pull Request Review
- Assignee changed from Marcos M to Viktor Gurov
- Target version changed from CE-Next to 2.6.0
- Plus Target Version changed from Plus-Next to 22.01
Updated by Viktor Gurov about 3 years ago
- Status changed from Pull Request Review to Feedback
Merged
Updated by Jim Pingle almost 3 years ago
- Status changed from Resolved to New
The commit for this, 7aaa20d95a345c4688e8786c755c7d0433451688 , broke static IP address assignments from RADIUS.
Updated by Jim Pingle almost 3 years ago
- Target version changed from 2.6.0 to CE-Next
- Plus Target Version changed from 22.01 to 22.05
Commit reverted. We can revisit this in the next release.
Updated by Phil Wardt almost 3 years ago
Jim Pingle wrote in #note-11:
Commit reverted. We can revisit this in the next release.
Instead of this shell hack, is it possible to allow per-certificate connection like pointed in the https://serverfault.com/questions/850599/permit-only-n-connection-for-a-user-config-in-openvpn/850889
Currently, I tried to add a second certificate to one user. The OpenVPN Client Export Tab properly shows the new client export option. That is the user has now two client configs to export
However, when connecting 2 clients with the two different profiles, the second connection is accepted, but the first connection will be broken.
This seems the better way to to go, that is the option to allow one connection per user should be one connection per certificate
Note: I have the option "Strict User-CN Matching" enabled, not sure if each certificate would need a different CN for this to work
Updated by Marcos M almost 3 years ago
There could be additional code to address the behavior with certs differently, however it wouldn't be "instead of" since it's also a useful feature for User Auth RA servers.
Updated by Jim Pingle almost 3 years ago
Phil Wardt wrote in #note-12:
Note: I have the option "Strict User-CN Matching" enabled, not sure if each certificate would need a different CN for this to work
For the connection to be unique, the CN must be unique. If you have "username as common name" enabled that means a different auth username. If you have that option disabled, the the certificate CN must be different.
Updated by Phil Wardt almost 3 years ago
Jim Pingle wrote in #note-14:
Phil Wardt wrote in #note-12:
Note: I have the option "Strict User-CN Matching" enabled, not sure if each certificate would need a different CN for this to work
For the connection to be unique, the CN must be unique. If you have "username as common name" enabled that means a different auth username. If you have that option disabled, the the certificate CN must be different.
Thank you for the confirmation. That's what I though after reading about the 'duplicate-cn' option. In the end, both ways, you always need a different CN unless no limitation at all is fixed for the number of connections /user
For large organisations, dropping "Strict User-CN Matching" option can be a risk. I personally prefer one device certificate per user until another option comes. I'll wait for it.
Updated by Marcos M almost 3 years ago
- File 0db0820b4a8a54412d9389a236e67f08fdd8acc7.diff 0db0820b4a8a54412d9389a236e67f08fdd8acc7.diff added
New MR including fix to client-specific configuration not applying (static address issue): https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/694
Patch attached that can be applied to 22.01 - make sure to run chmod 755 /usr/local/sbin/openvpn.connect_async.sh
after applying the patch.
Updated by Marcos M almost 3 years ago
- Status changed from New to Pull Request Review
Updated by Ryan Coleman over 2 years ago
Marcos Mendoza wrote in #note-16:
New MR including fix to client-specific configuration not applying (static address issue): https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/694
Patch attached that can be applied to 22.01 - make sure to run
chmod 755 /usr/local/sbin/openvpn.connect_async.sh
after applying the patch.
Tested patch against multiple connections. Set limit to "2", logged in from phone and tablet and then tested against laptop (on 7100 running 22.01 RELEASE)
Mar 29 22:38:54 firewall openvpn[56228]: 123.45.67.89:23111 [username] Peer Connection Initiated with [AF_INET]123.45.67.89:23111 Mar 29 22:38:54 firewall openvpn[79065]: user 'username' authenticated Mar 29 22:38:54 firewall openvpn[56228]: username/123.45.67.89:23111 MULTI_sva: pool returned IPv4=10.199.1.4, IPv6=(Not enabled) Mar 29 22:38:54 firewall openvpn[80042]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:23111' - connecting Mar 29 22:38:54 firewall openvpn[82955]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:23111' - active connection limit of '2' reached Mar 29 22:38:54 firewall openvpn[56228]: username/123.45.67.89:23111 MULTI: deferred --client-connect script returned CC_RET_FAILED
Updated by Jim Pingle over 2 years ago
- Target version changed from CE-Next to 2.7.0
Updated by Marcos M over 2 years ago
- % Done changed from 0 to 100
Applied in changeset 70e7b0c12a16143293b7e05f66ac4f9995bc4cb9.
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Resolved