Solution

According to this post, `common_name` cannot be forged by the user.

Add this to the OpenVPN server.conf:
```
script-security 2 # untrusted state
auth-user-pass-verify /etc/openvpn/scripts/check_cn_on_connect.sh via-env
```
/etc/openvpn/scripts/check_cn_on_connect.sh contains:
```bash
#!/bin/bash
# username and common_name must be the same to allow access.
# users are not allowed to share their cert
# Both variables are set by OpenVPN in the environment (via-env); they are
# quoted so an empty or whitespace-containing value cannot break the test.
if [ "$username" != "$common_name" ]; then
  echo "$(date +%Y%m%d-%H%M%S) DENIED username=$username cert=$common_name" >> /var/log/openvpn-access.log
  exit 1
fi
echo "$(date +%Y%m%d-%H%M%S) GRANTED username=$username cert=$common_name" >> /var/log/openvpn-access.log
exit 0
```
Update

This works with OpenVPN 2.1.4. In 2.2.0 they added a bunch of new variables, which you can see with `env >> /tmp/env`; one of the new ones is the certificate fingerprint/serial number.
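The same username-must-equal-common_name policy as a function, added here as an example and not the answer's own script. It keeps the decision logic separate from logging so it can be tested, and it handles two cases the one-line comparison above does not: an empty `$username` or `$common_name` (for example when the client sent no credentials, or the variable was not exported) is denied rather than compared as an empty string, and values containing whitespace cannot turn into extra test arguments. It assumes the environment variables OpenVPN sets for `auth-user-pass-verify ... via-env` (`username`, `common_name`, and `script_type`, which OpenVPN sets for every script it runs); the `OPENVPN_ACCESS_LOG` override variable is an assumption of this example, not an OpenVPN feature.

```shell
#!/bin/sh
# Added example (not the original answer's script): username == common_name check
# as a function, with deny-by-default on missing values.
# Assumed log path; OPENVPN_ACCESS_LOG is this example's own override, not an
# OpenVPN variable.
LOGFILE="${OPENVPN_ACCESS_LOG:-/var/log/openvpn-access.log}"

# check_cn USERNAME COMMON_NAME -> returns 0 (grant) or 1 (deny)
check_cn() {
    user="$1"
    cn="$2"
    # Deny when either value is missing: an empty-vs-empty comparison must never grant.
    if [ -z "$user" ] || [ -z "$cn" ]; then
        return 1
    fi
    # Quoted comparison: whitespace or shell metacharacters in a value cannot
    # break the test or be interpreted as extra arguments.
    if [ "$user" != "$cn" ]; then
        return 1
    fi
    return 0
}

# log_decision DECISION USERNAME COMMON_NAME -> appends one line to the access log
log_decision() {
    printf '%s %s username=%s cert=%s\n' \
        "$(date +%Y%m%d-%H%M%S)" "$1" "$2" "$3" >> "$LOGFILE"
}

# Entry point when invoked by OpenVPN: the two values come from the environment
# ($common_name is taken from the verified client certificate, so the client
# cannot pick it; $username is what the client typed).
main() {
    if check_cn "$username" "$common_name"; then
        log_decision GRANTED "$username" "$common_name"
        exit 0
    fi
    log_decision DENIED "$username" "$common_name"
    exit 1
}

# Only run the hook when OpenVPN actually invoked us (it sets script_type for
# every script it runs); otherwise the functions can be sourced and tested.
if [ -n "$script_type" ]; then
    main
fi
```

Install it in place of the original script with the same `auth-user-pass-verify` line; because the password is not needed, `script-security 2` is enough, and the script never sees or logs the password.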