diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
index 187421757..01435ba2f 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
@@ -271,8 +271,8 @@
instance.strictusercn
- checkbox
-
+ dropdown
+
When authenticating users, enforce a match between the Common Name of the client certificate and the username given at login.
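Review bot: The help text kept as context on `instance.strictusercn` still describes only an exact match, so an administrator picking the new third dropdown value is not told that it relaxes the binding between certificate and login name. Consider extending the help with a sentence such as `Select "Yes (case insensitive)" to ignore letter case in this comparison; usernames that differ from the Common Name only by case are then accepted.`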
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
index 931cdfc23..5875edd99 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
@@ -293,9 +293,14 @@
0Y
-
- 0
+ Y
+ 0
+
+ No
+ Yes
+ Yes (case insensitive)
+
diff --git a/src/opnsense/scripts/openvpn/user_pass_verify.php b/src/opnsense/scripts/openvpn/user_pass_verify.php
index d3e4756d0..dfd731401 100755
--- a/src/opnsense/scripts/openvpn/user_pass_verify.php
+++ b/src/opnsense/scripts/openvpn/user_pass_verify.php
@@ -96,11 +96,14 @@ function do_auth($common_name, $serverid, $method, $auth_file)
if ($a_server == null) {
return "OpenVPN '$serverid' was not found. Denying authentication for user {$username}";
} elseif (!empty($a_server['strictusercn']) && $username != $common_name) {
- return sprintf(
- "Username does not match certificate common name (%s != %s), access denied.",
- $username,
- $common_name
- );
+ // only ignore case when explicitly set (strictusercn=2)
+ if (!($a_server['strictusercn'] == 2 && strtolower($username) == strtolower($common_name))) {
+ return sprintf(
+ "Username does not match certificate common name (%s != %s), access denied.",
+ $username,
+ $common_name
+ );
+ }
} elseif (empty($a_server['authmode'])) {
return 'No authentication server has been selected to authenticate against. ' .
"Denying authentication for user {$username}";
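Review bot: When `strictusercn` is 2 and the two names differ only by case, the new inner `if` does not return, but the surrounding `elseif` branch has already been taken, so the following `elseif (empty($a_server['authmode']))` check is skipped for exactly those logins. Keeping the whole test in the branch condition preserves the chain: `} elseif (!empty($a_server['strictusercn']) && $username !== $common_name && !($a_server['strictusercn'] == 2 && strcasecmp($username, $common_name) === 0)) {`, followed by the original `return sprintf(...)`. The strict `!==` and `strcasecmp` also avoid PHP's loose `==`, which compares numeric-looking strings by value (`'0123' == '123'` is true) and is too lenient for a CN-to-username binding. `do_auth` continues outside the hunk, so what runs after the chain when `authmode` is empty is not visible here.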