On Sep 12, 2017, at 5:13 AM, Michael Keuter <li...@mksolutions.info> wrote:

> BTW: Instead of disabling a client in the WebGUI, you could also delete the 
> appropriate key files in "/mnt/kd/openvpn/webinterface/keys/" 
> in case you don't need them anymore.

No Michael, that does not work.  The OpenVPN server does not need the client 
cert/key, but requires the client cert to have been signed by the root OpenVPN 
CA (ca.crt/ca.key).

For reference from the OpenVPN docs:



Ref: https://openvpn.net/index.php/open-source/documentation/howto.html


One solution to limit client access is to use "tls-verify" with a script, 
which is what we currently do in the Web Interface when you "Disable" a client; 
the OVPN_VALIDCLIENTS rc.conf variable is used.


After some testing today, there is an alternate solution using "crl-verify". 
For example, let's revoke "client1":

## Find the client1.crt serial number (in hex)
pbx ~ # openssl x509 -serial -noout -in /mnt/kd/openvpn/webinterface/keys/client1.crt
serial=53C99883

## OpenVPN requires the serial number in decimal, convert from hex
pbx ~ # printf '%d\n' 0x53C99883
1405720707

## Create the "crl" directory
pbx ~ # mkdir /mnt/kd/openvpn/crl

## Create an empty file using the decimal serial number
pbx ~ # touch /mnt/kd/openvpn/crl/1405720707

## Finally, add a raw command to the Network tab -> OpenVPN Server Configuration
## Note: the 'dir' flag indicates /mnt/kd/openvpn/crl is a directory
--
Raw Commands: crl-verify /mnt/kd/openvpn/crl dir
--
## Restart OpenVPN Server

Now every time a client attempts to connect, OpenVPN checks the 
/mnt/kd/openvpn/crl directory for a matching serial number; if there is a 
match, verification fails and you will see this log:
--
VERIFY CRL: certificate serial number 1405720707 is revoked
--

Files in the /mnt/kd/openvpn/crl directory can be added or removed without 
restarting OpenVPN server.

Please test for yourself.

Lonnie
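As an added example (not code from Lonnie's post or from the AstLinux project), a small POSIX shell helper that wraps the steps above into functions: it converts the hex serial printed by openssl to the decimal form OpenVPN compares against, and creates or removes the marker file in the crl directory. It assumes the AstLinux paths from the post; the OVPN_KEYS and OVPN_CRL_DIR overrides are hypothetical and only there so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example for the crl-verify "dir" scheme described in the post.
# Defaults are the AstLinux paths from the post; the two environment
# overrides are an assumption of this example, not an AstLinux feature.
OVPN_KEYS="${OVPN_KEYS:-/mnt/kd/openvpn/webinterface/keys}"
OVPN_CRL_DIR="${OVPN_CRL_DIR:-/mnt/kd/openvpn/crl}"

# serial_to_decimal: accept either "serial=53C99883" (as printed by
# `openssl x509 -serial -noout`) or a bare hex string, and print the decimal
# serial OpenVPN expects as the marker file name. printf '%d' works with a
# C long, so serials longer than 15 hex digits (common with random serials
# from newer easy-rsa) are rejected rather than silently overflowed.
serial_to_decimal() {
    hex="${1#serial=}"
    case "$hex" in
        ''|*[!0-9A-Fa-f]*) echo "serial_to_decimal: bad serial '$1'" >&2; return 1 ;;
    esac
    if [ "${#hex}" -gt 15 ]; then
        echo "serial_to_decimal: serial too long for printf, use bc/openssl" >&2
        return 1
    fi
    printf '%d\n' "0x$hex"
}

# cert_serial_decimal: read the serial straight from a certificate file.
cert_serial_decimal() {
    serial_to_decimal "$(openssl x509 -serial -noout -in "$1")"
}

# revoke_serial / unrevoke_serial: the empty marker file is the revocation;
# as the post notes, OpenVPN re-reads the directory on every connection,
# so no restart is needed.
revoke_serial()   { mkdir -p "$OVPN_CRL_DIR" && : > "$OVPN_CRL_DIR/$1"; }
unrevoke_serial() { rm -f "$OVPN_CRL_DIR/$1"; }

# is_revoked: exit 0 when a marker for the decimal serial exists.
is_revoked() { [ -e "$OVPN_CRL_DIR/$1" ]; }

# revoke_client NAME: revoke /mnt/kd/openvpn/webinterface/keys/NAME.crt
revoke_client() {
    serial=$(cert_serial_decimal "$OVPN_KEYS/$1.crt") || return 1
    revoke_serial "$serial" && echo "revoked $1 (serial $serial)"
}
```

Running `revoke_client client1` on the box reproduces the post's steps; afterwards a connection attempt with that certificate should produce the "VERIFY CRL: certificate serial number ... is revoked" log line.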

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users