Re: [Openvpn-users] Help forbid many users-one certificate connection without disconnecting first user !

[Jan J. K. <ja...@ni...>]

Hi Zeljko,

yegle wrote:
> run a --client-connect script to check if there is a user with this 
> common name is connect through the management interface?
>
> On Wed, Mar 17, 2010 at 6:15 PM, Zeljko Cvenic <der...@gm... 
> <mailto:der...@gm...>> wrote:
>
>     Hello,
>      
>     i need to prevent that two (or many)  different users who share 
>     same certificate and password (without my knowledge), can connect
>     at same time.
>     I know  it's  possible to achieve that when *--duplicate-cn  *is
>     removed from server config file.
>     But side-effects are that when one user connects other is 
>     disconnected.
>     If it is possible, i would want that the first connected user
>     keeps connection, while second will be rejected.
>     I search everywhere (manual, forum, mailing list, FAQ, wiki) but
>     without success.
>     Maybe the problem is trivial with some switch, but i can't find it.
>
interesting problem - I guess it proves that you should never hand out 
the same cert to multiple persons *unless* you want to use 
'duplicate-cn' ; yegle's answer is right: currently the only way to do 
this is to use a 'client-connect' script.

The underlying problem is that when you use
  --server
you also get
  --float
which causes openvpn to disconnect the first client when the second 
connects; unfortunately there's no way to say
  --server
  --nofloat
which would also solve your problem
I will bring this up with the developers to see if it is a valid request 
(it's easy enough to add).

HTH,

JJK