Panel: "OpenVPN Server: Allowed Clients" - regenerated VPN client does not block access to the server using previous key
Posted: Thu Nov 23, 2017 6:40 pm
Panel: "OpenVPN Server: Allowed Clients" - regenerated VPN client does not block access to the server using previous key.
Test to reproduce:
1. Create a VPN client with the name "test", push the "Add" button, then push "Save Changes". Download the OVPN configuration and make sure your connection is established successfully.
2. Remove the VPN client with the name "test" and push "Save Changes".
3. Create a VPN client with the name "test" again, push the "Add" button, then push "Save Changes". Then reboot the router.
4. When the router is up, try to connect to the VPN using the keys created the first time. Make sure your connection is established successfully. Furthermore, you can now use both OVPN configurations (the first and the last one) and they will both work.
That is a serious issue.
Comparing the new OVPN configuration file with the OVPN created the first time, I can see that the <cert></cert> content differs at: Validity, Modulus, "Subject Key Identifier", "Digital Signature" and CERTIFICATE. The <key></key> content also differs.
All other content is the same, including <ca></ca> and <tls-auth></tls-auth>.
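One server-side control that closes the gap the report describes, as an added example (not the poster's nor the router firmware's code): an OpenVPN `tls-verify` hook that accepts a client only if its certificate serial number is on an allow-list. A regenerated client certificate keeps the same name but is a fresh issuance with a new serial, so neither the old nor an unlisted new certificate is accepted merely because the name matches. The hook path and the allow-list file path are assumptions; OpenVPN itself passes the depth and X.509 subject as arguments and exports the peer serial as `tls_serial_<depth>`.

```shell
#!/bin/sh
# Added example: OpenVPN "tls-verify" hook allow-listing client certificate serials.
# OpenVPN invokes the script as:  <script> <depth> <x509-subject>
# and exports the peer certificate serial (decimal) as tls_serial_<depth>.
# Assumed server config lines (paths are assumptions):
#   script-security 2
#   tls-verify "/etc/openvpn/verify-serial.sh"
# Assumed allow-list: /etc/openvpn/allowed-serials.txt, one decimal serial per line.

# verify_serial DEPTH SUBJECT SERIAL ALLOWFILE -> 0 = accept, 1 = reject
verify_serial() {
    depth="$1"; subject="$2"; serial="$3"; allowfile="$4"
    # Only depth 0 is the client's own certificate; the CA chain is checked
    # by OpenVPN's normal chain validation and is not subject to this list.
    [ "$depth" != "0" ] && return 0
    # Fail closed: never accept a connection when the serial is missing.
    [ -z "$serial" ] && return 1
    [ -r "$allowfile" ] || { echo "allow-list $allowfile unreadable" >&2; return 1; }
    # Whole-line, fixed-string match so serial "12" does not match "123".
    if grep -qxF -- "$serial" "$allowfile"; then
        return 0
    fi
    echo "rejected client '$subject': serial $serial not in allow-list" >&2
    return 1
}

# Entry point when OpenVPN runs the hook ($1 = depth, $2 = subject).
if [ -n "$1" ]; then
    eval "peer_serial=\"\${tls_serial_$1}\""
    verify_serial "$1" "$2" "$peer_serial" "${ALLOWFILE:-/etc/openvpn/allowed-serials.txt}"
    exit $?
fi
```

Removing a client from the panel should also remove its serial from the list; the stock way to achieve the same effect is a CRL loaded with `crl-verify`, which this hook complements rather than replaces.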