
I've got an OpenVPN setup, wherein the entire class of clients (embedded devices) share the same client certificate.

They are, however, distinguishable by their hostnames (which are derived from the hardware ID anyway). I would like to be able to distinguish between them server-side, whether by assigning them different IP addresses (I know all the hostnames out there) or by assigning them different dynamic DNS entries in a zone under my control.

Either option is fine, but how do I get this information from a client into a script server-side?

qdot

1 Answer


OpenVPN doesn't seem to provide any information about a client other than the common name, so there isn't a nice way to do this. You could, however, hack something together by using username/password authentication in addition to certificate authentication, with the username being unique for each device.

In the server configuration:

auth-user-pass-verify /etc/openvpn/auth-accept.sh via-env
auth-user-pass-optional
username-as-common-name

Don't set client-cert-not-required: the real authentication is still going to be done using certificates. auth-accept.sh is a dummy script which always indicates successful authentication:

#!/bin/sh
# Always report success: the client certificate has already been verified,
# and the username is only carried along so it becomes the common name.
exit 0

The clients should then be configured to provide username/password authentication (as well as certificate authentication):

auth-user-pass /etc/openvpn/devicename

devicename then contains a unique username for each device and a dummy password:

device001
password
mgorven
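The answer's auth-accept.sh accepts any username, so a client holding the shared certificate gets a tunnel under whatever name it sends, and the answer stops short of the part the question actually asks for: turning the name into a per-device address. The following is an added example, not the answer's own script, of one hook that serves both OpenVPN callbacks: run as auth-user-pass-verify (via-env) it accepts only usernames present in a device table, and run as client-connect it appends an ifconfig-push line for that device to the temporary config file OpenVPN hands the script. The table path /etc/openvpn/devices.txt, its "username address" line format and the "topology subnet" /24 are assumptions; $script_type, $username and $common_name are the environment variables OpenVPN really exports.

```shell
#!/bin/sh
# Added example, not the original answer's script: one hook that serves both
# OpenVPN callbacks. As auth-user-pass-verify (via-env) it accepts only
# usernames present in a device table; as client-connect it hands the device
# its fixed VPN address. OpenVPN exports $script_type, $username and
# $common_name; the table path and its format are assumptions:
#   /etc/openvpn/devices.txt, one "<username> <vpn-address>" per line.

TABLE="${DEVICE_TABLE:-/etc/openvpn/devices.txt}"

# Print the VPN address for a device name; return 1 if the name is unknown.
device_address() {
    table="$1"; name="$2"
    # Only accept plain identifiers, so a hostile username never reaches
    # awk (or later, a shell) as anything but a literal token.
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    awk -v name="$name" \
        '$1 == name { print $2; found = 1; exit } END { exit found ? 0 : 1 }' \
        "$table"
}

# auth-user-pass-verify handler: the certificate has already been checked,
# so this only decides whether the claimed device name is one we know.
auth_verify() {
    device_address "$1" "$2" >/dev/null
}

# client-connect handler: OpenVPN passes a temporary config file as the
# script's first argument; whatever we append is applied to this client.
# Assumes "topology subnet" with a /24 (adjust the mask to the real server).
client_connect() {
    table="$1"; name="$2"; out="$3"
    addr="$(device_address "$table" "$name")" || return 1
    printf 'ifconfig-push %s 255.255.255.0\n' "$addr" >> "$out"
}

# Dispatch on the callback OpenVPN is running us for (no-op when sourced).
case "${script_type:-}" in
    auth-user-pass-verify) auth_verify "$TABLE" "${username:-}" ;;
    client-connect)        client_connect "$TABLE" "${common_name:-}" "$1" ;;
esac
```

To wire it in, point both directives at the same file (auth-user-pass-verify /etc/openvpn/device-hook.sh via-env and client-connect /etc/openvpn/device-hook.sh) and set script-security 2 so OpenVPN is allowed to run it. Because username-as-common-name makes the username the common name, the script-free alternative is client-config-dir /etc/openvpn/ccd with one file per device (ccd/device001 containing ifconfig-push 10.8.0.11 255.255.255.0), and ifconfig-pool-persist or a learn-address script can feed the same mapping into dynamic DNS. Neither approach stops a device that holds the shared certificate from claiming another device's name; the table only limits the claimable names to the known set.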