Security Implications and Performance Impact of Using --duplicate-cn in OpenVPN: Technical Deep Dive



By default, when a client connects with a certificate Common Name (CN) that is already connected, OpenVPN drops the older session, so one certificate can have at most one live connection. Enabling --duplicate-cn removes that check and lets multiple clients connect concurrently with the same CN. While this might seem convenient for certain scenarios, it fundamentally breaks the 1:1 mapping between certificates and clients that's central to OpenVPN's security model.

# Example of risky server configuration
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# THIS IS THE PROBLEMATIC LINE
duplicate-cn
keepalive 10 120
cipher AES-256-CBC

Duplicate CNs create several security holes:

  • Accountability loss: you can't reliably tell from the logs which client performed an action, because every session carries the same name
  • Silent key sharing: without duplicate-cn a second connection with the same CN bumps the first, so a stolen key gets noticed when the real user is disconnected; with it, an attacker holding a copy of the key connects alongside the legitimate client and nobody is disconnected
  • All-or-nothing revocation: a CRL revokes by certificate serial, so when one certificate is shared across devices you cannot cut off the compromised copy without cutting off the rest, which is exactly the situation in which revocation tends to be postponed

Beyond security, this setting causes operational headaches:

# Log entries become ambiguous
2023-11-15 09:23:45 client1/192.168.1.100:49212 MULTI: primary virtual IP for client1/192.168.1.100:49212: 10.8.0.2
2023-11-15 09:23:47 client1/192.168.1.101:50318 MULTI: primary virtual IP for client1/192.168.1.101:50318: 10.8.0.3
# Both sessions are "client1". Only the source address and port separate them, and behind a NAT even those can coincide
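The ambiguity above is also something you can detect rather than just suffer. As an added example (not code from the original article), the script below reads the file written by the status directive in its default version 1 format and reports every CN that has more than one concurrent session, which is exactly the condition duplicate-cn permits. The status file content is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: flag Common Names with more than one live session in an
# OpenVPN status file (default "status" format, version 1).

# Print one line per CN that has more than one concurrent session:
#   <cn> sessions=<n> distinct_hosts=<m>
# distinct_hosts counts unique real addresses with the port stripped. A single
# host reconnecting after a dropped link can briefly show two sessions from
# one address, so distinct_hosts > 1 is the stronger sign of a shared key.
find_shared_cns() {
    awk -F, '
        /^Common Name,Real Address/ { inlist = 1; next }
        /^ROUTING TABLE/           { inlist = 0 }
        inlist && NF >= 2 {
            cn = $1
            addr = $2
            sub(/:[0-9]+$/, "", addr)
            sessions[cn]++
            if (!((cn, addr) in seen)) {
                seen[cn, addr] = 1
                hosts[cn]++
            }
        }
        END {
            for (cn in sessions)
                if (sessions[cn] > 1)
                    printf "%s sessions=%d distinct_hosts=%d\n", cn, sessions[cn], hosts[cn]
        }' "$1" | sort
}

# Constructed sample status file: "client1" is connected twice from two
# different hosts, "laptop-alice" once.
STATUS_FILE=$(mktemp)
cat > "$STATUS_FILE" <<'EOF'
OpenVPN CLIENT LIST
Updated,2023-11-15 09:24:00
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.1.100:49212,12345,67890,2023-11-15 09:23:45
client1,192.168.1.101:50318,2345,6789,2023-11-15 09:23:47
laptop-alice,203.0.113.7:41022,9876,5432,2023-11-15 08:51:10
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,192.168.1.100:49212,2023-11-15 09:23:55
10.8.0.3,client1,192.168.1.101:50318,2023-11-15 09:23:57
10.8.0.4,laptop-alice,203.0.113.7:41022,2023-11-15 09:23:58
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

find_shared_cns "$STATUS_FILE"
# prints: client1 sessions=2 distinct_hosts=2
```

Run it from cron against the live status file and alert on any output; on a server without duplicate-cn the list should always be empty, so a hit there means a stale entry or a bug worth looking at, and on a server with duplicate-cn it is the only view you have of how widely a certificate has been copied.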

Instead of --duplicate-cn, consider these alternatives:

# 1. Issue unique certificates per device
./easyrsa build-client-full device123 nopass
./easyrsa build-client-full device456 nopass

# 2. Use client-specific configurations (looked up by CN, so this only works when CNs are unique)
topology subnet
client-config-dir /etc/openvpn/ccd
# Then in /etc/openvpn/ccd/device123:
ifconfig-push 10.8.0.100 255.255.255.0

If you're in a legacy situation requiring --duplicate-cn, at least implement compensating controls. One thing a hook cannot do is check MAC addresses: in tun mode OpenVPN never sees the client's layer-2 address. What a client-connect script does receive, as environment variables, are the peer's real source address (trusted_ip), the certificate CN (common_name) and the assigned VPN address (ifconfig_pool_remote_ip), so the check has to key on those:

# In server.conf
duplicate-cn
script-security 2
client-connect /etc/openvpn/check_source.sh
# check_source.sh: only accept the shared certificate from known source addresses.
# A non-zero exit status makes OpenVPN refuse the session.
#!/bin/bash
ALLOWED_IPS="203.0.113.7 203.0.113.8"
if [[ ! " $ALLOWED_IPS " =~ " $trusted_ip " ]]; then
  echo "rejecting $common_name from $trusted_ip" >&2
  exit 1
fi
exit 0

This is a coarse control: every client behind the same NAT shares one source address, so it limits where the shared key can be used from, not who is using it.

OpenVPN's --duplicate-cn flag allows multiple clients to connect at the same time using the same certificate Common Name (CN). Without it, a second connection presenting a CN that is already connected replaces the first, which is the mechanism that ties one certificate to one live client. Enabling it removes that tie, and it is at its worst when combined with client-to-client:


# Example of problematic configuration:
duplicate-cn
client-to-client

The combination above is particularly dangerous because:

  • Anyone holding a copy of the shared certificate can join alongside the real clients unnoticed and, with client-to-client, reach every one of them directly
  • Eliminates individual accountability: logs and the status file show one name for many devices
  • Makes revocation all-or-nothing: the CRL revokes a certificate serial, so pulling a compromised copy also cuts off every other device sharing it
  • Breaks security audits that rely on unique CNs

Beyond security, operational issues emerge:


# Monitoring becomes problematic when multiple clients share CN
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log

System administrators lose the ability to:

  • Track individual client connections
  • Apply granular bandwidth controls
  • Implement proper QoS policies
  • Troubleshoot network issues effectively

Instead of using --duplicate-cn, consider these approaches:

Option 1: Unique Certificates per Device


# Generate unique certificates for each client
./easyrsa build-client-full device1 nopass
./easyrsa build-client-full device2 nopass

Option 2: Group Policy from Certificate Fields

If several devices need the same permissions, that is not a reason to share a certificate. Keep one certificate per device, put the group in the certificate subject (for example the OU), and apply the policy from a hook that reads it. tls-auth and tls-crypt do not help here: they protect the control channel with a pre-shared key and say nothing about who the client is, and they are alternatives to each other, not a pair to set together.


# Each client cert carries its group in the OU; a client-connect hook sees it as X509_0_OU
script-security 2
client-connect /etc/openvpn/group_policy.sh
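Here is what such a hook can look like for Option 2. This is an added example, not code from the original article or from OpenVPN; the path /etc/openvpn/group_policy.sh, the group names and the routes are assumptions for the illustration. What it relies on is documented OpenVPN behaviour: a client-connect script runs with the peer's certificate fields (X509_0_OU, common_name, trusted_ip) in its environment, gets a temporary file path as its first argument, and any ccd-style directives it writes there apply to that session only; a non-zero exit status refuses the connection.

```sh
#!/bin/sh
# Added example: client-connect hook that derives a per-session policy from
# the client certificate's OU. Path, group names and routes are assumed.
# Requires "script-security 2" in server.conf.

# Emit the ccd-style directives for a group. Unknown or missing groups
# return 1, which makes the hook fail closed.
policy_for_ou() {
    case "$1" in
        admins)
            printf 'push "route 10.20.0.0 255.255.0.0"\n'
            printf 'push "route 10.30.0.0 255.255.0.0"\n'
            ;;
        field-devices)
            printf 'push "route 10.20.0.0 255.255.0.0"\n'
            ;;
        *)
            return 1
            ;;
    esac
}

# Write the policy for the connecting client into the file OpenVPN handed us
# as $1. Returns 1 (connection refused) when the OU is missing or unknown.
apply_policy() {
    out="$1"
    ou="${X509_0_OU:-}"
    if ! policy_for_ou "$ou" > "$out"; then
        printf 'group_policy: refusing cn=%s ou=%s from %s\n' \
            "${common_name:-?}" "${ou:-<none>}" "${trusted_ip:-?}" >&2
        return 1
    fi
    printf 'group_policy: cn=%s ou=%s from %s\n' \
        "${common_name:-?}" "$ou" "${trusted_ip:-?}" >&2
    return 0
}

# Only act when OpenVPN is the caller (it sets script_type); sourcing the
# file for testing then does nothing on its own.
if [ "${script_type:-}" = "client-connect" ]; then
    apply_policy "$1"
fi
```

Because the group comes from a field the CA signed, a device cannot promote itself by editing a local file, and because each device still has its own serial, revoking one device's certificate leaves the rest of the group connected.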

Here's a secure server configuration alternative:


port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Reject any certificate the CA has revoked (regenerate crl.pem after every revocation)
crl-verify crl.pem
# Only accept peer certificates issued for client use, so a server cert cannot be replayed as a client
remote-cert-tls client
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
tls-version-min 1.2
# OpenVPN 2.5+: negotiate AEAD ciphers (2.4 spells this ncp-ciphers); a bare "cipher AES-256-CBC" is only the pre-2.4 fallback
data-ciphers AES-256-GCM:AES-128-GCM
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Notice the absence of duplicate-cn: each live connection is tied to one certificate, so crl-verify can cut off a single compromised device and the status file stays one row per identity.

The only semi-valid use cases are:

  • Temporary testing environments
  • Extremely controlled lab setups
  • Legacy systems where certificate rotation isn't possible

Even in these cases, consider adding compensating controls:


# If you must use it, add these restrictions:
script-security 2
client-config-dir /etc/openvpn/ccd
# Require a per-user password on top of the shared certificate; via-file hands the
# credentials to the script in a temporary file instead of exposing them in its environment
auth-user-pass-verify /etc/openvpn/checkuser.sh via-file
# Use the verified username, not the shared CN, as the session identity, so logs,
# the status file and ccd entries are per user again
username-as-common-name