OpenVPN is great: it allows easy access in a secure way. But how do you keep it secure? What if someone leaves your company? Do you disable their access to the OpenVPN server? You should! In this blog post I’ll show you how to do it.

A feature called revoking exists in OpenVPN. Revoking a certificate means to invalidate a previously signed certificate so that it can no longer be used for authentication purposes. For this to work, we need to tell the OpenVPN server which certificates are no longer valid.

All connecting clients will then have their client certificates verified against the so-called CRL (Certificate Revocation List). Any positive match will result in the connection being dropped. Your former employees will no longer have access, even if they still have their certificates.

Creating a certificate to test with
Before we start, let’s generate a dummy certificate for testing purposes:

cd /etc/openvpn/easy-rsa/2.0/
 . ./vars
./build-key unwanted-client-name

Verify you can connect to the OpenVPN server using this certificate. Refer to my earlier post for more info. Now that this works, I’ll show you how to revoke this certificate so you will no longer be able to connect.

Revoking a certificate
To revoke a certificate, we’ll use the ‘easy-rsa’ toolset.

cd /etc/openvpn/easy-rsa/2.0

If it’s not there, look at the OpenVPN examples and copy it:

cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0

Run this command to revoke the certificate called ‘unwanted-client-name’:

./revoke-full unwanted-client-name

You should see output similar to this:

Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
unwanted-client-name.crt: C = NL, ST = ZH, L = City, O = Name, OU = pi.example.org, CN = unwanted-client-name, name = unwanted-client-name], emailAddress = [email protected]
error 23 at 0 depth lookup:certificate revoked

Note the “error 23” in the last line. That is what you want to see: it indicates that verification of the revoked certificate failed, which means the CRL now lists it.

The index.txt file in the keys directory will be updated. You’ll see an ‘R’ (for Revoked) in the first column for your user when you run this:

cat keys/index.txt

You can also examine the CRL to see what’s in there:

openssl crl -in keys/crl.pem -text

Now copy the crl.pem file to the OpenVPN config directory:

cp keys/crl.pem /etc/openvpn/

Whenever you revoke a certificate, you have to copy the updated crl.pem to the OpenVPN server again, otherwise the server keeps checking against the old list.
Note: The CRL file is not secret, and should be made world-readable so that the OpenVPN daemon can read it after root privileges have been dropped.

Enable revoking support
Before this works, we need to set up the OpenVPN server to add support for revoking certificates. You have to do this only once.

Add the following line to the OpenVPN server config:

vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/crl.pem

Reload the OpenVPN server to activate the revoke setting:

/etc/init.d/openvpn reload
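As an added example (not part of the original post), here is a small POSIX shell script that reads easy-rsa 2.0’s keys/index.txt to list the revoked client names, and checks whether the crl.pem deployed in the OpenVPN config directory is still identical to the one easy-rsa generated. That second check catches the mistake the procedure above warns about: revoking a certificate but forgetting to copy the new CRL. The column layout of index.txt (status, expiry, revocation date, serial, filename, DN) is OpenSSL’s standard CA database format; the sample entries and file paths in make_sample_dir are constructed for the demo and are not taken from any real server.

```shell
#!/bin/sh
# Added example (not from the original post): inspect easy-rsa 2.0's keys/index.txt
# and verify that the CRL deployed to OpenVPN is the one easy-rsa last wrote.

# index.txt is tab-separated with these columns:
#   1 status (V=valid, R=revoked, E=expired)  2 expiry  3 revocation date (empty if valid)
#   4 serial  5 certificate filename (usually "unknown")  6 distinguished name
# list_revoked FILE -> prints the CN of every revoked entry, one per line
list_revoked() {
    awk -F'\t' '$1 == "R" {
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++)
            if (parts[i] ~ /^CN=/) print substr(parts[i], 4)
    }' "$1"
}

# crl_is_stale DEPLOYED SOURCE -> returns 0 (true) when the deployed CRL is missing
# or differs byte-for-byte from the CRL easy-rsa generated, 1 otherwise
crl_is_stale() {
    deployed="$1"
    generated="$2"
    [ -f "$deployed" ] || return 0
    cmp -s "$deployed" "$generated" && return 1
    return 0
}

# make_sample_dir -> creates a temp directory with a constructed index.txt and two
# CRL files (one "new", one "old" copy pretending to be the deployed one), prints its path
make_sample_dir() {
    d=$(mktemp -d)
    printf 'V\t241130235959Z\t\t01\tunknown\t/C=NL/ST=ZH/O=Name/CN=server\n' > "$d/index.txt"
    printf 'V\t241130235959Z\t\t02\tunknown\t/C=NL/ST=ZH/O=Name/CN=alice\n' >> "$d/index.txt"
    printf 'R\t241130235959Z\t141130120000Z\t03\tunknown\t/C=NL/ST=ZH/O=Name/CN=unwanted-client-name\n' >> "$d/index.txt"
    printf '%s\n' '-----BEGIN X509 CRL-----' 'constructed-new-crl' '-----END X509 CRL-----' > "$d/crl.pem"
    printf '%s\n' '-----BEGIN X509 CRL-----' 'constructed-old-crl' '-----END X509 CRL-----' > "$d/deployed-crl.pem"
    echo "$d"
}

# demo: run both checks against the constructed sample (paths below are assumptions)
demo() {
    d=$(make_sample_dir)
    echo "Revoked clients in $d/index.txt:"
    list_revoked "$d/index.txt"
    if crl_is_stale "$d/deployed-crl.pem" "$d/crl.pem"; then
        echo "Deployed CRL is stale: copy keys/crl.pem to /etc/openvpn/ and reload OpenVPN"
    else
        echo "Deployed CRL is current"
    fi
    rm -rf "$d"
}

# On a real server you would call, for example:
#   list_revoked /etc/openvpn/easy-rsa/2.0/keys/index.txt
#   crl_is_stale /etc/openvpn/crl.pem /etc/openvpn/easy-rsa/2.0/keys/crl.pem
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the constructed sample; pointing crl_is_stale at the real /etc/openvpn/crl.pem and keys/crl.pem from a cron job is a cheap way to be alerted when a revocation has been made but the new CRL was never copied into place.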

Testing the revoked certificate
The final test: try to login again using the ‘unwanted-client-name’ certificate. It will not work anymore!

By revoking certificates, you take away access to your OpenVPN server from users that previously had it. This should be done as soon as a user no longer needs access, as it is an important security feature.