OpenVPN: Allow/Deny Multiple Connections Per User (Certificate)


OpenVPN can accept multiple concurrent client connections that present the same certificate. To enable this, add the duplicate-cn option to the server.conf configuration file.

Without duplicate-cn, when a second client connects with a certificate that is already in use, the OpenVPN server terminates the first client's session. With duplicate-cn, the server keeps all sessions that use the same certificate active. The number of such simultaneous sessions can then be limited with a client-connect script.


The certificates of OpenVPN clients configured over TCP conflict with each other if multiple devices are connected with the same certificate. When using the UDP protocol as the OpenVPN transport, the same certificates do not cause a conflict.

Let’s see how to allow concurrent connections on the OpenVPN server and limit their number.

Add the following parameters to the server configuration file:

duplicate-cn
script-security 2
up /etc/openvpn/connection_sript.sh
client-connect /etc/openvpn/connection_sript.sh
client-disconnect /etc/openvpn/connection_sript.sh

  • duplicate-cn — allows simultaneous connections with the same certificate
  • script-security 2 — allows OpenVPN to run external (user-defined) scripts
  • up, client-connect, client-disconnect — hooks that run the script when the server interface comes up, when a client connects, and when a client disconnects. OpenVPN passes the hook name to the script in the script_type environment variable and the client certificate's common name in common_name; a non-zero exit status from the client-connect hook rejects the connection.

Create a script file /etc/openvpn/connection_sript.sh with the following code:

#!/bin/bash
# Directory holding one counter file per client certificate (common name)
PERSIST_DIR=/tmp/open
# Maximum number of simultaneous sessions allowed per certificate
MAX_CONN=1
mkdir -p "$PERSIST_DIR"
# $PERSIST_DIR must be owned by the user OpenVPN runs as after dropping
# privileges (see the "user" directive), because the client-connect and
# client-disconnect hooks run as that user
chown nobody:nobody "$PERSIST_DIR"

# Called by the client-connect hook; a non-zero exit rejects the new session
function handle_connect {
    CLIENTFILE="$PERSIST_DIR/$common_name"
    if [ -e "$CLIENTFILE" ]; then
        NUMCONN=$(cat "$CLIENTFILE")
        NEWCONN=$((NUMCONN + 1))
        # refuse the connection once the limit for this certificate is reached
        if [ "$NEWCONN" -gt "$MAX_CONN" ]; then exit 1; fi
        echo "$NEWCONN" > "$CLIENTFILE"
    else
        echo 1 > "$CLIENTFILE"
    fi
}

# Called by the client-disconnect hook (only for sessions that client-connect accepted)
function handle_disconnect {
    CLIENTFILE="$PERSIST_DIR/$common_name"
    if [ -e "$CLIENTFILE" ]; then
        NUMCONN=$(cat "$CLIENTFILE")
        NEWCONN=$((NUMCONN - 1))
        echo "$NEWCONN" > "$CLIENTFILE"
    fi
}

# OpenVPN passes the hook name in $script_type and the client CN in $common_name
case "$script_type" in
  up)
      # the server is starting: $common_name is not set here, so clear all counters
      rm -f "$PERSIST_DIR"/*
      ;;
  client-connect)
      handle_connect
      ;;
  client-disconnect)
      handle_disconnect
      ;;
esac

Then set the script's owner and permissions so that OpenVPN can execute it after dropping privileges:

# chown nobody:nobody /etc/openvpn/connection_sript.sh
# chmod 755 /etc/openvpn/connection_sript.sh

Check that the configuration loads by starting OpenVPN in the foreground (stop it with Ctrl+C once it reports no errors), then restart the service:

# openvpn --config openvpn.conf
# service openvpn restart

Add the following parameter to the configuration file on the OpenVPN client side:

explicit-exit-notify

This option makes the client notify the server when it exits, so the server runs the client-disconnect hook (and the counter is decremented) immediately instead of waiting for the keepalive timeout to expire. Note that explicit-exit-notify only works with UDP transports.
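The counter script above reads and rewrites the per-certificate file without any locking, so two clients that present the same certificate at the same instant can both read the same old count and both be accepted. The following is an added example (not the article's script or OpenVPN's code) showing the same connect/disconnect accounting with a configurable limit and a lock around each update, plus a small simulator that feeds it the same variables OpenVPN passes to its hooks (script_type, common_name). PERSIST_DIR, MAX_CONN and all function names are this example's own assumptions; the limit defaults to two sessions per common name.

```shell
#!/bin/bash
# Added example: lock-protected per-certificate session counter for OpenVPN
# client-connect / client-disconnect hooks, with a simulator for offline testing.

PERSIST_DIR="${PERSIST_DIR:-$(mktemp -d)}"   # assumption: writable by the OpenVPN user
MAX_CONN="${MAX_CONN:-2}"                    # assumption: at most two live sessions per CN

# Run "$@" while holding a per-CN lock. mkdir is atomic, so two clients that
# arrive with the same certificate at the same instant serialise here instead
# of both reading the same stale count. No util-linux flock dependency.
locked() {
  local lock="$PERSIST_DIR/$1.lock" rc; shift
  until mkdir "$lock" 2>/dev/null; do sleep 0.1; done
  if "$@"; then rc=0; else rc=$?; fi
  rmdir "$lock"
  return "$rc"
}

# Current number of accepted sessions for a common name (0 if none recorded)
current_count() { cat "$PERSIST_DIR/$1" 2>/dev/null || echo 0; }

_connect_locked() {
  local cur; cur=$(current_count "$1")
  # A non-zero exit from client-connect makes OpenVPN refuse this session
  # without touching the sessions already counted.
  [ "$cur" -lt "$MAX_CONN" ] || return 1
  echo $((cur + 1)) > "$PERSIST_DIR/$1"
}

_disconnect_locked() {
  local cur; cur=$(current_count "$1")
  # Never go below zero: a disconnect for a session that was never accepted
  # (or a counter wiped by a restart) must not unlock an extra slot.
  [ "$cur" -gt 0 ] && echo $((cur - 1)) > "$PERSIST_DIR/$1"
  return 0
}

count_connect()    { locked "$1" _connect_locked "$1"; }
count_disconnect() { locked "$1" _disconnect_locked "$1"; }

# Simulator: takes "connect:CN" / "disconnect:CN" events in order and prints
# how many of the connects the server would have accepted.
simulate() {
  local accepted=0 ev
  for ev in "$@"; do
    case "$ev" in
      connect:*)    if count_connect "${ev#connect:}"; then accepted=$((accepted + 1)); fi ;;
      disconnect:*) count_disconnect "${ev#disconnect:}" ;;
    esac
  done
  echo "$accepted"
}

# When OpenVPN invokes this file as its up / client-connect / client-disconnect
# hook, $script_type names the hook and $common_name is the client certificate CN.
if [ -n "${script_type:-}" ]; then
  case "$script_type" in
    up)                rm -rf "$PERSIST_DIR"/* ;;   # drop stale counters and lock dirs on (re)start
    client-connect)    count_connect "$common_name" ;;
    client-disconnect) count_disconnect "$common_name" ;;
  esac
  exit $?
fi
```

Run the file directly to use the simulator (for example `simulate connect:alice connect:alice connect:alice` accepts two of the three when MAX_CONN is 2); point the server's up, client-connect and client-disconnect directives at it to use it as the real hook. The lock is a directory rather than flock so the script also works where util-linux is not installed.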
