OpenVPN can accept multiple concurrent connections from users who share the same certificate. To enable this, add the duplicate-cn option to the server.conf configuration file.
Without the duplicate-cn option, when a second user connects to the OpenVPN server with a certificate that is already in use, the first user's session is terminated. With duplicate-cn, the OpenVPN server supports multiple active connections on a single certificate, and the number of such simultaneous sessions can be limited with a script.
Let’s see how to allow concurrent connections on the OpenVPN server and limit their number.
Add the following parameters to the server configuration file:
duplicate-cn
script-security 2
up /etc/openvpn/connection_script.sh
client-connect /etc/openvpn/connection_script.sh
client-disconnect /etc/openvpn/connection_script.sh
- duplicate-cn — allows several simultaneous connections with the same certificate
- script-security 2 — allows OpenVPN to run external scripts
- up, client-connect, client-disconnect — the events on which OpenVPN runs the script; the event name is passed to the script in the script_type environment variable and the certificate's common name in common_name
Create the script file /etc/openvpn/connection_script.sh with the following code:
#!/bin/bash
# OpenVPN hook script: keeps one counter file per certificate common name (CN)
# and refuses a client-connect once the limit is reached.
PERSIST_DIR=/tmp/open
MAX_CONN=1   # allow no more than this many concurrent connections per certificate
mkdir -p "$PERSIST_DIR"

function handle_connect {
    CLIENTFILE="$PERSIST_DIR/$common_name"
    if [ -e "$CLIENTFILE" ]; then
        NUMCONN=$(cat "$CLIENTFILE")
        NEWCONN=$((NUMCONN + 1))
        # a non-zero exit status makes OpenVPN reject this client
        if [ "$NEWCONN" -gt "$MAX_CONN" ]; then exit 1; fi
        echo "$NEWCONN" >"$CLIENTFILE"
    else
        echo 1 >"$CLIENTFILE"
    fi
}

function handle_disconnect {
    # OpenVPN only calls this for sessions whose client-connect hook succeeded
    CLIENTFILE="$PERSIST_DIR/$common_name"
    if [ -e "$CLIENTFILE" ]; then
        NUMCONN=$(cat "$CLIENTFILE")
        NEWCONN=$((NUMCONN - 1))
        # never let the counter drop below zero
        [ "$NEWCONN" -lt 0 ] && NEWCONN=0
        echo "$NEWCONN" >"$CLIENTFILE"
    fi
}

case "$script_type" in
    up)
        # runs once at server start, before privileges are dropped: clear
        # stale counters and hand the directory to the user OpenVPN runs as
        rm -f "$PERSIST_DIR"/*
        chown nobody:nobody "$PERSIST_DIR"
        ;;
    client-connect)
        # serialise concurrent connects so two clients cannot both read the old count
        # (flock is part of util-linux)
        exec 9>"$PERSIST_DIR/.lock"
        flock 9
        handle_connect
        ;;
    client-disconnect)
        exec 9>"$PERSIST_DIR/.lock"
        flock 9
        handle_disconnect
        ;;
esac
Then set the script owner and permissions:
# chown nobody:nobody /etc/openvpn/connection_script.sh
# chmod 755 /etc/openvpn/connection_script.sh
Check that the configuration loads by starting OpenVPN in the foreground once (stop it with Ctrl-C), then restart the service:
# openvpn --config /etc/openvpn/server.conf
# service openvpn restart
Add the following parameter to the configuration file on the OpenVPN client side:
explicit-exit-notify
This option makes the client tell the server that it is disconnecting (it works only over UDP), so the client-disconnect hook runs and the counter is decremented immediately instead of waiting for the server's keepalive timeout to expire.
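To check the counting logic before it is deployed, the following harness (added here, not part of the original article or of OpenVPN) emulates how the server calls the hook: script_type and common_name are passed as arguments instead of environment variables, the state lives in a temporary directory instead of /tmp/open, and a configurable MAX_CONN replaces the fixed limit of one.

```shell
#!/bin/bash
# Offline harness for the per-certificate session counter (added example).
# STATE_DIR stands in for /tmp/open; MAX_CONN is the cap per common name.
MAX_CONN=${MAX_CONN:-2}
STATE_DIR=$(mktemp -d)
trap 'rm -rf "$STATE_DIR"' EXIT

# count CN: number of live sessions currently recorded for a common name
count() { cat "$STATE_DIR/$1" 2>/dev/null || echo 0; }

# hook TYPE CN: emulates OpenVPN running the script with script_type=TYPE and
# common_name=CN. The exit status follows the OpenVPN contract: a non-zero
# status from client-connect makes the server refuse that client.
hook() {
    local script_type=$1 common_name=$2 n
    case "$script_type" in
        up)
            # server start: counters left over from a previous run are discarded
            rm -f "$STATE_DIR"/* ;;
        client-connect)
            n=$(count "$common_name")
            [ "$n" -lt "$MAX_CONN" ] || return 1
            echo $((n + 1)) >"$STATE_DIR/$common_name" ;;
        client-disconnect)
            # OpenVPN only calls this for sessions whose connect hook succeeded,
            # but the guard keeps the counter from going negative regardless
            n=$(count "$common_name")
            [ "$n" -gt 0 ] && echo $((n - 1)) >"$STATE_DIR/$common_name"
            return 0 ;;
    esac
}

# replay EVENT...: feed "type:cn" events through hook and report each outcome
# as ok or deny, mirroring whether the server would accept or reject the client
replay() {
    local out="" ev
    for ev in "$@"; do
        if hook "${ev%%:*}" "${ev#*:}"; then out="$out ok"; else out="$out deny"; fi
    done
    echo "${out# }"
}

# constructed scenario: alice may hold two sessions, bob is counted separately
replay up: client-connect:alice client-connect:alice client-connect:alice \
       client-disconnect:alice client-connect:alice client-connect:bob
```

The scenario prints "ok ok ok deny ok ok ok": the third connect for alice is refused, her disconnect frees a slot, and bob's certificate has its own counter.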