From: Jan J. K. <ja...@ni...> - 2010-03-17 11:29:39
Hi Zeljko,

yegle wrote:
> run a --client-connect script to check if there is a user with this
> common name is connect through the management interface?
>
> On Wed, Mar 17, 2010 at 6:15 PM, Zeljko Cvenic <der...@gm...> wrote:
>
> > Hello,
> >
> > I need to prevent that two (or many) different users who share
> > same certificate and password (without my knowledge), can connect
> > at same time.
> > I know it's possible to achieve that when *--duplicate-cn* is
> > removed from server config file.
> > But side-effects are that when one user connects other is
> > disconnected.
> > If it is possible, I would want that the first connected user
> > keeps connection, while second will be rejected.
> > I search everywhere (manual, forum, mailing list, FAQ, wiki) but
> > without success.
> > Maybe the problem is trivial with some switch, but I can't find it.

Interesting problem - I guess it proves that you should never hand out the same cert to multiple persons *unless* you want to use 'duplicate-cn'; yegle's answer is right: currently the only way to do this is to use a 'client-connect' script.

The underlying problem is that when you use --server you also get --float, which causes openvpn to disconnect the first client when the second connects; unfortunately there's no way to say --server --nofloat, which would also solve your problem.

I will bring this up with the developers to see if it is a valid request (it's easy enough to add).

HTH,

JJK
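
Added example, not part of the original message or of OpenVPN itself: one way to write the 'client-connect' check discussed in this thread, so that the first session keeps its connection and a later one with the same common name is rejected. It assumes `duplicate-cn` stays enabled (so the server does not drop the first client itself), that the server writes a version 1 status file at the hypothetical path shown, and that real addresses appear there as `ip:port`; the function name and paths are made up for illustration.

```shell
#!/bin/sh
# Added example: reject a second session for a CN that is already connected.
# Assumed server config (not from the original thread):
#   duplicate-cn
#   status /var/run/openvpn/status.log 5
#   script-security 2
#   client-connect /etc/openvpn/reject-dup-cn.sh
STATUS_FILE="${STATUS_FILE:-/var/run/openvpn/status.log}"   # assumed path

# cn_in_use CN OWN_ADDR FILE
# Returns 0 when FILE (status format version 1) lists CN with a real address
# other than OWN_ADDR ("ip:port" of the session being checked). Excluding
# OWN_ADDR keeps a client from being rejected because of its own entry.
cn_in_use() {
    awk -F, -v cn="$1" -v own="$2" '
        /^Common Name,/  { in_list = 1; next }   # header of the client list
        /^ROUTING TABLE/ { in_list = 0 }         # end of the client list
        in_list && $1 == cn && $2 != own { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$3"
}

# OpenVPN sets script_type, common_name, trusted_ip and trusted_port in the
# environment of a client-connect script; a non-zero exit rejects the client.
if [ "${script_type:-}" = "client-connect" ]; then
    if [ ! -r "$STATUS_FILE" ]; then
        echo "status file unreadable, rejecting $common_name" >&2
        exit 1                                   # fail closed
    fi
    if cn_in_use "$common_name" "$trusted_ip:$trusted_port" "$STATUS_FILE"; then
        echo "rejecting duplicate session for CN $common_name" >&2
        exit 1
    fi
    exit 0
fi
```

The status file is only rewritten at the configured interval, so two connections arriving within that window can both pass; querying the management interface, as yegle suggests, avoids that staleness.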