On Sep 12, 2017, at 5:13 AM, Michael Keuter <li...@mksolutions.info> wrote:
> BTW: Instead of disabling a client in the WebGUI, you could also delete the
> appropriate key files in "/mnt/kd/openvpn/webinterface/keys/"
> in case you don't need them anymore.
No Michael, that does not work. The OpenVPN server does not need the client
cert/key, but requires the client cert to have been signed by the root OpenVPN
CA (ca.crt/ca.key).
For reference from the OpenVPN docs:
Ref: https://openvpn.net/index.php/open-source/documentation/howto.html
One solution to limit client access is by using "tls-verify" and a script,
which we currently do in the Web Interface when you "Disable" a client; the
OVPN_VALIDCLIENTS rc.conf variable is used.
After some testing today, there is an alternate solution by using "crl-verify".
For example, let's revoke "client1":
## Find the client1.crt serial number (in hex)
pbx ~ # openssl x509 -serial -noout -in /mnt/kd/openvpn/webinterface/keys/client1.crt
serial=53C99883
## OpenVPN requires the serial number in decimal, convert from hex
pbx ~ # printf '%d\n' 0x53C99883
1405720707
## Create the "crl" directory
pbx ~ # mkdir /mnt/kd/openvpn/crl
## Create an empty file using the decimal serial number
pbx ~ # touch /mnt/kd/openvpn/crl/1405720707
## Finally, add a raw command to the Network tab -> OpenVPN Server Configuration
## Note: the 'dir' flag indicates /mnt/kd/openvpn/crl is a directory
--
Raw Commands: crl-verify /mnt/kd/openvpn/crl dir
--
## Restart OpenVPN Server
Now every time a client attempts to connect it will check the
/mnt/kd/openvpn/crl directory for a matching serial number; if there is a
match, verification fails and you will see this log:
--
VERIFY CRL: certificate serial number 1405720707 is revoked
--
Files in the /mnt/kd/openvpn/crl directory can be added or removed without
restarting OpenVPN server.
Please test for yourself.
Lonnie
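The procedure above, collected into reusable shell functions. This is an added example, not code from Lonnie's post or from AstLinux. It assumes the same "crl-verify /mnt/kd/openvpn/crl dir" raw command, with the directory overridable through the CRL_DIR environment variable, and the function names (hex_to_dec, revoke_serial, revoke_client, ...) are my own. It goes one step beyond the post: printf '%d' 0x... can only represent serials up to 63 bits, while OpenVPN names the marker file after the full decimal serial, so the conversion below is done digit by digit on a decimal string and works for the 128- or 160-bit random serials some CA tooling generates.

```shell
#!/bin/sh
# Added example: revoke/unrevoke OpenVPN clients via crl-verify "dir" mode.
# CRL_DIR is assumed to match the raw command "crl-verify /mnt/kd/openvpn/crl dir".
CRL_DIR="${CRL_DIR:-/mnt/kd/openvpn/crl}"

# hex_to_dec HEX: arbitrary-precision hexadecimal -> decimal in pure POSIX sh.
# Accepts an optional "0x" prefix and lower- or upper-case digits.
hex_to_dec() {
    hex=$(printf '%s' "$1" | tr abcdefx ABCDEFX)
    hex=${hex#0X}
    dec=0
    while [ -n "$hex" ]; do
        h=${hex%"${hex#?}"}          # first remaining hex digit
        hex=${hex#?}
        case $h in
            [0-9]) d=$h ;;
            A) d=10 ;; B) d=11 ;; C) d=12 ;; D) d=13 ;; E) d=14 ;; F) d=15 ;;
            *) echo "hex_to_dec: bad hex digit '$h'" >&2; return 1 ;;
        esac
        # dec = dec * 16 + d, carried one decimal digit at a time from the right
        carry=$d
        rest=$dec
        out=""
        while [ -n "$rest" ]; do
            c=${rest#"${rest%?}"}    # last decimal digit
            rest=${rest%?}
            v=$((c * 16 + carry))
            out="$((v % 10))$out"
            carry=$((v / 10))
        done
        while [ "$carry" -gt 0 ]; do
            out="$((carry % 10))$out"
            carry=$((carry / 10))
        done
        dec=$out
    done
    printf '%s\n' "$dec"
}

# cert_serial_hex CERTFILE: hex serial of a PEM certificate (same openssl
# command as in the post, with the "serial=" prefix stripped).
cert_serial_hex() {
    hexser=$(openssl x509 -serial -noout -in "$1") || return 1
    printf '%s\n' "${hexser#serial=}"
}

# revoke_serial HEX: create the marker file OpenVPN looks for in the crl dir.
revoke_serial() {
    ser=$(hex_to_dec "$1") || return 1
    mkdir -p "$CRL_DIR"
    touch "$CRL_DIR/$ser"
    echo "revoked serial $ser"
}

# unrevoke_serial HEX: remove the marker; takes effect without an OpenVPN restart.
unrevoke_serial() {
    ser=$(hex_to_dec "$1") || return 1
    rm -f "$CRL_DIR/$ser"
    echo "unrevoked serial $ser"
}

# is_revoked_serial HEX: exit 0 if a marker exists for this serial.
is_revoked_serial() {
    ser=$(hex_to_dec "$1") || return 1
    [ -e "$CRL_DIR/$ser" ]
}

# Convenience wrappers that start from the client certificate file, e.g.
#   revoke_client /mnt/kd/openvpn/webinterface/keys/client1.crt
revoke_client()   { revoke_serial   "$(cert_serial_hex "$1")"; }
unrevoke_client() { unrevoke_serial "$(cert_serial_hex "$1")"; }
```

To verify a client is actually blocked after revoking, watch the OpenVPN log for the "VERIFY CRL: certificate serial number ... is revoked" line from the post; the marker file name must be exactly the decimal serial, with no extension.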
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
pay...@krisk.org.