Can't revoke client access from OpenVPN?

Freek Member
edited May 2012 in Help

I'm trying to revoke a user's access to my OpenVPN server by running these two commands:
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client1
But computer says no: http://pastebin.com/XEy9dMec
It seems to be looking for a directory which isn't there (/root/keys), but the question is: why is it looking there?

Thanks!

Comments

  • beard Member
    edited May 2012

    Looking at http://svn.openvpn.net/projects/openvpn/contrib/test/testbranch/easy-rsa/revoke-full

    Ever thought of running the command from the same directory as your keys?

  • Freek Member

    Hi Beard,
    Thanks for the reply.
    Yes, I did. I first did 'cd /etc/openvpn/easy-rsa/2.0/keys' and then the above sequence, same problem.
    revoke-full isn't in /keys..

  • Aldryic Member
    edited May 2012

    cd /etc/openvpn/easy-rsa/2.0/ && . /etc/openvpn/easy-rsa/2.0/revoke-full rick

    Give that a try. It looks like the revoke script wants to be run one directory up from /keys, since it attempted to auto-cd into /root/keys/ when you ran it from /root/.

  • Freek Member

    Thanks for the reply, @Aldryic
    Sadly, it gives me the exact same error..

  • yomero Member
    edited May 2012

    Reading the script, apparently it just executes a couple of openssl commands.

    Also, I think you need to go to the /etc/openvpn/easy-rsa/2.0/ first
    So

    cd /etc/openvpn/easy-rsa/2.0/
    . ./vars
    . ./revoke-full client1

    I am almost sure, because you are probably running the commands from the root folder, and then it is trying to locate the keys stuff in that folder.

    Alsooo.... Dumb question, deleting the key files for this user isn't enough? That must deny the access

  • Aldryic Member

    It gives you -bash: cd: /etc/openvpn/easy-rsa/2.0/keys: No such file or directory?

    Or something different?

  • Freek Member

    @yomero Thanks for the reply.
    I followed your command sequence and this was the output:

    root@bravo:/etc/openvpn/easy-rsa/2.0# . ./revoke-full rick
    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
    ERROR:Already revoked, serial number 05
    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
    rick.crt: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=rick/[email protected]
    error 23 at 0 depth lookup:certificate revoked

    As you can see it says 'Already revoked', but the client still has access to my OpenVPN :S

    @Aldryic Almost. It says '-bash: cd: /etc/openvpn/easy-rsa/2.0/keys/keys: No such file or directory'
    This is the full output it gives me using your command:
    http://pastebin.com/CFmAABTd

  • beard Member

    /etc/init.d/openvpn restart

    Maybe refresh OpenVPN into seeing that rick was revoked

  • Aldryic Member

    @Freek said: @Aldryic Almost. It says '-bash: cd: /etc/openvpn/easy-rsa/2.0/keys/keys: No such file or directory'

    This is the full output it gives me using your command:
    http://pastebin.com/CFmAABTd

    Bleh, looks like it didn't take the first cd into account. Here, try running it as two separate commands:

    cd /etc/openvpn/easy-rsa/2.0/
    ./revoke-full rick

    As you can see from the error, revoke-full tries to append /keys/ to your current directory. So just make sure you're in /etc/openvpn/easy-rsa/2.0/ before you run the revoke-full script.

  • Taylor Member

    I'm sure they have to disconnect for any changes to take effect.

  • Freek Member

    @beard Thanks for the reply. Restarted OpenVPN, rick is still having access.
    @Aldryic Alright, makes sense. I did so, and now also got the 'already revoked error':

    root@bravo:/etc/openvpn/easy-rsa/2.0# cd /etc/openvpn/easy-rsa/2.0/
    root@bravo:/etc/openvpn/easy-rsa/2.0# ./revoke-full rick
    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
    ERROR:Already revoked, serial number 05
    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
    rick.crt: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=rick/[email protected]
    error 23 at 0 depth lookup:certificate revoked

    @Taylor Rick was disconnected when OpenVPN was restarted. He just reconnected without issues :\
    This is really strange!

  • nabo Member
    edited May 2012

    @Freek said: Rick was disconnected when OpenVPN was restarted. He just reconnected without issues :\

    This is really strange!

    As the manual says:

    The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

    crl-verify crl.pem

    Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.

  • Freek Member

    @nabo Thanks for the reply.
    That did the trick! Rick now no longer has access to my OpenVPN server, thanks!.
    However, I do find it strange that none of the tutorials I've followed mention this. Linode doesn't mention it either:
    https://library.linode.com/networking/openvpn/ubuntu-10.04-lucid#sph_revoking-client-certificates

    Now I have a new question: Suppose I want to give Rick access again. I could delete the crl.pem file, and his old certificate would give him access again. But now suppose I have more clients which I have revoked access. If I then delete the crl.pem file, they will also regain access to my VPN. So how can I easily give Rick back access to my OpenVPN?
    By creating a new certificate? If so, can I still re-use the name rick then?

    Thanks!

  • nabo Member

    @Freek said: By creating a new certificate?

    Correct. The crl.pem is just used to compare against the certs in use. If there is a match, the auth fails. But as long as you don't put the new cert into the file, everything is fine.

  • Freek Member

    @nabo I understand, but when creating a new certificate I have to give a client name. I suppose I can use rick as the name again, as it will create a new certificate and crl.pem will not check client names but only certificates, right?
    Thanks

  • yomero Member

    Hmmm, can't we just delete the keys? :P

  • yomero, no you can't. Keys are only client-side; you can generate them anywhere with your server's ca.crt and ca.key.
    Freek, if you want to disable access temporarily, just make a simple shell connect-script and check the name in there; if the name is 'rick', then return 1. The client would get AUTH_FAIL.
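    As an added illustration (not code from anyone in this thread), here is what the connect-script described above could look like: OpenVPN runs a --client-connect script with the client's certificate CN in $common_name, and a non-zero exit status rejects that client. The deny-list path and the function names are assumptions of this example.

    ```shell
    #!/bin/sh
    # Example OpenVPN client-connect script (added illustration, not from the thread).
    # OpenVPN exports the certificate CN as $common_name; exiting non-zero rejects
    # the client, which then sees AUTH_FAIL. The deny-list path is an assumption:
    # one common name per line, '#' comments and blank lines allowed.
    DENYLIST="${DENYLIST:-/etc/openvpn/denied-clients}"

    # is_denied NAME FILE -> status 0 if NAME is listed in FILE, 1 otherwise.
    is_denied() {
        name="$1"
        file="$2"
        [ -r "$file" ] || return 1   # no readable list: nobody is denied
        # drop comment lines and trailing whitespace, then require an exact
        # whole-line, fixed-string match so 'ric' does not match 'rick'
        grep -v '^[[:space:]]*#' "$file" | sed 's/[[:space:]]*$//' \
            | grep -qxF -- "$name"
    }

    # check_client NAME FILE -> 0 to allow, 1 to reject (the script's exit code).
    check_client() {
        if is_denied "$1" "$2"; then
            echo "client-connect: rejecting '$1' (listed in $2)" >&2
            return 1
        fi
        return 0
    }

    # Only act when invoked by OpenVPN (i.e. $common_name is set).
    if [ -n "$common_name" ]; then
        check_client "$common_name" "$DENYLIST"
        exit $?
    fi
    ```

    Reference it from the server config with client-connect plus the script path, and reload or restart OpenVPN so the option takes effect.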

  • Oh, no, you can do it more simply! Just take a look at the ccd-exclusive option.

  • Freek Member

    Thanks for the clarification, @ValdikSS .
    How exactly does that ccd-exclusive option work? This is the best I could find so far:
    http://forums.openvpn.net/topic8592.html
    Does that mean I just need to create a subdirectory for every client and it will check whether the client name in the ccd directory corresponds with the certificate name?

    Thanks

  • Freek, you should set client-config-dir in the config and create this dir; if you don't want to block someone, just don't create any files in this directory. If you want to, create a file with the name of the client and write 'disable' in there.
    Or you can add ccd-exclusive into the config, and this reverses the text above: you should create an empty file to allow a client to connect.
    Sorry for my English.
