On 26/08/2023 08:58, Bo Berglund wrote:

> I tried to use revocation on our company VPN when a few employees left and it
> seemed to work fine until a week later when it did not work anymore!
> At that point the VPN stopped working for *everyone*, no one was allowed in at
> all!!!

What is important to beware of, the Certificate Revocation List (CRL, which tracks which certificates are revoked) contains an EXPIRY DATE. When OpenVPN is configured with CRL and the CRL expires - everyone connecting to the VPN server will be rejected - regardless.

So when you configure CRL, ensure your CRL list gets renewed before its expiry date. Or set an expiry date far enough down the road where it is more likely you will have revoked other users before the next expiry.

For smaller deployments, combining --client-config-dir with
--ccd-exclusive might provide a good enough protection *IF* the CN (Common Name) field in each connecting client certificate is unique per client.


--
kind regards,

David Sommerseth
OpenVPN Inc
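The expiry trap described above can be caught by a cron job that reads the nextUpdate field of the CRL file OpenVPN is pointed at with crl-verify and complains well before the deadline. The script below is an added example, not part of the original mail or of OpenVPN; it assumes the openssl command line tool and GNU date (for date -d) are available. make_test_ca builds a throwaway CA in a temporary directory purely to produce a CRL to check; renew_crl is the same openssl ca -gencrl call an administrator (or easy-rsa's gen-crl) would run against the real CA to push the expiry date out again.

```shell
#!/bin/sh
# Added example: monitor and renew an OpenVPN CRL before it expires.
# Assumes: openssl CLI and GNU date (date -d). Not OpenVPN project code.

# Print the number of whole days until the CRL's nextUpdate (negative if
# already expired). Return 2 if the file cannot be parsed.
crl_days_left() {
    crl=$1
    next=$(openssl crl -in "$crl" -noout -nextupdate) || return 2
    next=${next#nextUpdate=}                       # strip the "nextUpdate=" label
    next_epoch=$(date -u -d "$next" +%s) || return 2
    now=$(date -u +%s)
    echo $(( (next_epoch - now) / 86400 ))
}

# usage: crl_check FILE MIN_DAYS
# Return 0 if the CRL is valid for at least MIN_DAYS more days, 1 if it is
# closer to expiry than that (or already expired), 2 on parse errors.
crl_check() {
    left=$(crl_days_left "$1") || return 2
    if [ "$left" -lt "$2" ]; then
        echo "WARNING: CRL $1 has $left day(s) left (threshold $2 days)" >&2
        return 1
    fi
    echo "OK: CRL $1 has $left day(s) left"
    return 0
}

# usage: renew_crl CA_DIR DAYS
# Regenerate the CRL from the CA database with a fresh nextUpdate DAYS ahead.
# The revoked serials in index.txt are unchanged; only the validity window moves.
# OpenVPN 2.4 and later reload the file named in crl-verify when it changes,
# so copying the new CRL into place is enough; no server restart is needed.
renew_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -crldays "$2" -out "$1/crl.pem" 2>/dev/null
}

# usage: make_test_ca DIR DAYS
# Constructed test fixture: a minimal CA (empty database, no revoked certs)
# plus a CRL valid for DAYS days, so the checks above have something to read.
make_test_ca() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/index.txt"                   # empty CA database: nothing revoked yet
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $dir
database = \$dir/index.txt
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 3
[ req ]
distinguished_name = dn
[ dn ]
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    renew_crl "$dir" "$2"
}

# Stand-alone usage: sh crl_check.sh /etc/openvpn/crl.pem [MIN_DAYS]
if [ $# -gt 0 ]; then
    crl_check "$1" "${2:-7}"
fi
```

Run it from cron with a threshold longer than your renewal cadence (for example 7 days when the CRL is regenerated weekly); a non-zero exit is the signal to run renew_crl against the real CA directory before the date that locks everyone out.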



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users