ovpnCNcheck — an OpenVPN tls-verify script
February 2, 2008
If you’re running an OpenVPN server you may have asked yourself how you can decide which clients may connect even when they were all signed by the same CA. A common case arises if you provide more than one OpenVPN server but not all clients should be able to connect to every one of them. Sure, it would be possible to use a separate CA for each server, but that would not be flexible: the clients would need more than one certificate/key pair, and if you want to enable or disable access to a certain server for a client you would need to generate or revoke a client certificate. Not a good idea!
I’ve therefore written two scripts which solve this problem. These scripts check whether the peer is in the allowed user list by comparing the CN (common name) of the X.509 certificate against a provided text file. For example, in OpenVPN you could use the directive:
tls-verify "/usr/local/sbin/ovpnCNcheck.py /etc/openvpn/userlist.txt"
This causes the connection to be dropped unless the client common name is listed in userlist.txt. The bash script just checks whether the common name equals one of the lines (one CN per line), while the python version treats each line as a regular expression. In that case every line should hold one regular expression, which can also be just a plain common name (don’t forget to escape characters like .?^()[]\ with a \). Empty lines and lines starting with a # are ignored. The bash version also works on an “out of the box” OpenWRT installation.
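As an added illustration (not the scripts linked below), this is the shape such a tls-verify check takes: OpenVPN appends the certificate depth and the X.509 subject to the command line, and the exit status decides whether the handshake continues. The sample user list is constructed; the depth handling, the support for the polarssl “__” subject separator and the anchoring of every pattern to the whole CN are assumptions of this example, not documented features of ovpnCNcheck.

```python
#!/usr/bin/env python3
"""tls-verify style CN check: the peer is allowed only if its CN matches a line of the allow list."""
import re
import sys

# Constructed sample allow list: one regular expression per line; blank lines
# and lines starting with '#' are ignored (format as described in the post).
SAMPLE_USERLIST = """
# clients that may reach this server
.*\\.client\\.penz\\.name
laptop-01
"""

# Subjects look like /C=DE/O=Penz/CN=name/... (OpenSSL) or C=DE__O=Penz__CN=name__...
# (polarssl); handling both separators is an assumption of this example.
CN_PATTERN = re.compile(r"(?:^|/|__)CN=(?P<cn>.+?)(?:/|__|$)")

def extract_cn(subject):
    m = CN_PATTERN.search(subject)
    return m.group("cn") if m else None

def load_patterns(text):
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Anchor each expression to the whole CN so that "laptop-01" cannot
        # accidentally admit "laptop-01-evil" (hardening assumed here).
        patterns.append(re.compile(r"\A(?:" + line + r")\Z"))
    return patterns

def cn_allowed(subject, patterns):
    cn = extract_cn(subject)
    return cn is not None and any(p.match(cn) for p in patterns)

def main(argv):
    # argv: script, userlist path (from the tls-verify directive), depth, subject
    if len(argv) != 4:
        return 1
    userlist, depth, subject = argv[1], argv[2], argv[3]
    if depth != "0":
        return 0  # only the client (leaf) certificate is checked; CA certs pass
    with open(userlist) as f:
        patterns = load_patterns(f.read())
    return 0 if cn_allowed(subject, patterns) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```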
Python version: ovpncncheck.py
Bash version: ovpncncheck.sh
Hope it helps you!
4 Comments »
[...] if there is interest I can show some stuff I use to extend this setup. I’ve also written a blog post some time ago which is interesting for you if you use the same CA for different VPN Server and want [...]
Pingback by Howto connect multiple networks over the Internet the cheap way | Robert Penz Blog — October 17, 2010 #
Hi,
can you give me an example for
/etc/openvpn/userlist.txt
Comment by Martin Popov — October 31, 2011 #
An example would be:
.*\.client\.penz\.name
Comment by robert — October 31, 2011 #
Hi,
your script works very well!
Perhaps you’ve seen the news that the Dutch government has a modified version of openvpn (which is still open source and they’ve sent a lot of patches upstream): openvpn-NL, which uses polarssl.
However, polarssl uses another separating character for the CN: “__” instead of “/”. So in order for your script to work with polarssl the regex needs to be changed so that it matches the __. I have done so for my own installation (re.compile(r"__CN=(?P[^/]+)").search(x509)). Perhaps you could update your script so that it works with both openssl and polarssl?
Cheers,
Jaap
Comment by Jaap — November 26, 2011 #