Show authenticated user in new MVC OpenVPN status view #7834

Closed
2 tasks done
pmhausen opened this issue Sep 1, 2024 · 1 comment


pmhausen commented Sep 1, 2024

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

I am in the process of migrating a legacy pfSense VPN gateway to OPNsense 24.7.

  • We use a single server and a single client certificate for all connections.
  • Users are additionally authenticated by username and password against Active Directory over LDAPS.
  • Users are not imported into OPNsense.

Therefore all users share the same CN because they share the same certificate. This leads to the OpenVPN connection status view showing the same Common Name for all logged-in users.

pfSense on the other hand shows the authenticated user names instead of the certificate CN.

I initially opened the topic for general discussion on the forum because I am not sure what is the best solution for this. More below. My post (unfortunately without answers) with screenshots can be found here:

https://forum.opnsense.org/index.php?topic=42255.msg208481#msg208481

Describe the solution you like

I'd like to have the username field shown in the status line for each connection in addition to or instead of the common_name field.

The reason I cannot hand you a merge request right away is that I am not familiar enough with OpenVPN to know how all of this works together. When I brute force search and replace common_name with username in status.volt the username is displayed in the overview. But that will certainly break at least the kill_session function so it's not a complete solution - therefore no merge request, sorry.

Also I am not sure kill_session will enable me to terminate a single connection because according to the comments and the code it goes by CN and all CNs are the same. It would also be great if I could "X" a single authenticated connection even when the CN is the same for all of them but the username is different.

Kind regards,
Patrick

@AdSchellevis AdSchellevis self-assigned this Sep 1, 2024
@AdSchellevis AdSchellevis added the feature Adding new functionality label Sep 1, 2024
fichtner pushed a commit that referenced this issue Sep 2, 2024
 #7834

Although we recommend using matching CN's and usernames, it is possible to share a certificate. Since the datafeed already contains the username, let's add the field to the grid.

(cherry picked from commit 7d5d2f2)

pmhausen commented Sep 3, 2024

Thanks a lot for that quick reaction. As I found out it is sufficient to enable the advanced option "Username as CN" to get the behaviour of the old gateway back. Of course "Strict User/CN Matching" must be disabled in our case.
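
The shared-certificate situation discussed in this issue, as an added example that is not part of the thread and is not OPNsense code: a parser for OpenVPN's `status-version 2` output that labels sessions by authenticated username and flags any CN used by more than one user. The sample data, the function names and the `UNDEF` placeholder for sessions without a username are assumptions made for this illustration.

```python
import csv
from collections import defaultdict

# Constructed sample in OpenVPN "status-version 2" (comma separated) layout.
# Every name, address and counter here is made up for illustration.
SAMPLE_STATUS = """\
TITLE,constructed sample
TIME,2024-09-01 10:00:00,1725184800
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,shared-client,198.51.100.10:50111,10.8.0.2,,1200,3400,2024-09-01 09:00:00,1725181200,alice,0,0,AES-256-GCM
CLIENT_LIST,shared-client,198.51.100.20:50222,10.8.0.3,,2200,4400,2024-09-01 09:10:00,1725181800,bob,1,1,AES-256-GCM
CLIENT_LIST,shared-client,203.0.113.5:50333,10.8.0.4,,100,200,2024-09-01 09:20:00,1725182400,alice,2,2,AES-256-GCM
CLIENT_LIST,laptop-01,203.0.113.9:50444,10.8.0.5,,50,60,2024-09-01 09:30:00,1725183000,UNDEF,3,3,AES-256-GCM
END
"""

def parse_clients(status_text):
    """Return one dict per CLIENT_LIST row, keyed by the HEADER column names."""
    columns, clients = None, []
    for row in csv.reader(status_text.splitlines()):
        if row[:2] == ["HEADER", "CLIENT_LIST"]:
            columns = row[2:]          # the status file describes its own columns
        elif row and row[0] == "CLIENT_LIST" and columns:
            clients.append(dict(zip(columns, row[1:])))
    return clients

def session_label(client):
    """Prefer the authenticated username; fall back to the certificate CN.
    Assumption: sessions without a username carry the literal 'UNDEF'."""
    user = client.get("Username", "")
    return user if user and user != "UNDEF" else client["Common Name"]

def shared_common_names(clients):
    """Map each CN presented by more than one distinct user to those users."""
    users = defaultdict(set)
    for c in clients:
        users[c["Common Name"]].add(session_label(c))
    return {cn: sorted(u) for cn, u in users.items() if len(u) > 1}

def client_ids_for_user(clients, username):
    """Client IDs are unique per session, so they single out one user's
    connections even when every session presents the same CN."""
    return [c["Client ID"] for c in clients if c.get("Username") == username]

if __name__ == "__main__":
    sessions = parse_clients(SAMPLE_STATUS)
    for s in sessions:
        print(s["Client ID"], session_label(s), s["Real Address"])
    print("CNs shared between users:", shared_common_names(sessions))
```

With a shared certificate, any action keyed on the CN applies to every session at once, while the Client ID column identifies a single connection.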
