Can't revoke client access from OpenVPN?
I'm trying to revoke a user's access to my OpenVPN server by running these two commands:
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client1
But computer says no: http://pastebin.com/XEy9dMec
It seems to be looking for a directory which isn't there (/root/keys) but the question is; why is it looking there?
Thanks!
Comments
Looking at http://svn.openvpn.net/projects/openvpn/contrib/test/testbranch/easy-rsa/revoke-full
Ever thought of running the command from the same directory as your keys?
Hi Beard,
Thanks for the reply.
Yes, I did. I first did 'cd /etc/openvpn/easy-rsa/2.0/keys' and then the above sequence, same problem.
revoke-full isn't in /keys..
cd /etc/openvpn/easy-rsa/2.0/ && . /etc/openvpn/easy-rsa/2.0/revoke-full rick
Give that a try. It looks like the revoke script wants to be run one directory up from /keys, since it attempted to auto-cd into /root/keys/ when you ran it from /root/.
Thanks for the reply, @Aldryic
Sadly, it gives me the exact same error..
Reading the script, apparently it just executes a couple of openssl commands.
Also, I think you need to go to the /etc/openvpn/easy-rsa/2.0/ first
So
cd /etc/openvpn/easy-rsa/2.0/
. ./vars
. ./revoke-full client1
I am almost sure, because probably you are doing the commands from the root folder, and then it is trying to locate the keys stuff in that folder.
Alsooo.... Dumb question, deleting the key files for this user isn't enough? That must deny the access
It gives you
-bash: cd: /etc/openvpn/easy-rsa/2.0/keys: No such file or directory
? Or something different?
@yomero Thanks for the reply.
I followed your command sequence and this was the output:
root@bravo:/etc/openvpn/easy-rsa/2.0# . ./revoke-full rick
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
ERROR:Already revoked, serial number 05
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
rick.crt: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=rick/[email protected]
error 23 at 0 depth lookup:certificate revoked
As you can see it says 'Already revoked', but the client still has access to my OpenVPN :S
@Aldryic Almost. It says '-bash: cd: /etc/openvpn/easy-rsa/2.0/keys/keys: No such file or directory'
This is the full output it gives me using your command:
http://pastebin.com/CFmAABTd
/etc/init.d/openvpn restart
Maybe refresh OpenVPN into seeing that rick was revoked
Bleh, looks like it didn't take the first cd into account. Here, try running it as two separate commands:
cd /etc/openvpn/easy-rsa/2.0/
./revoke-full rick
As you can see from the error, revoke-full tries to append /keys/ to your current directory. So just make sure you're in /etc/openvpn/easy-rsa/2.0/ before you run the revoke-full script.
I'm sure they have to disconnect for any changes to take effect.
@beard Thanks for the reply. Restarted OpenVPN, rick is still having access.
@Aldryic Alright, makes sense. I did so, and now also got the 'already revoked error':
root@bravo:/etc/openvpn/easy-rsa/2.0# cd /etc/openvpn/easy-rsa/2.0/
root@bravo:/etc/openvpn/easy-rsa/2.0# ./revoke-full rick
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
ERROR:Already revoked, serial number 05
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
rick.crt: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=rick/[email protected]
error 23 at 0 depth lookup:certificate revoked
@Taylor Rick was disconnected when OpenVPN was restarted. He just reconnected without issues
This is really strange!
As the manual says:
@nabo Thanks for the reply.
That did the trick! Rick now no longer has access to my OpenVPN server, thanks!
However, I do find it strange that none of the tutorials I've followed mention this. Linode doesn't mention it either:
https://library.linode.com/networking/openvpn/ubuntu-10.04-lucid#sph_revoking-client-certificates
Now I have a new question: Suppose I want to give Rick access again. I could delete the crl.pem file, and his old certificate would give him access again. But now suppose I have more clients which I have revoked access. If I then delete the crl.pem file, they will also regain access to my VPN. So how can I easily give Rick back access to my OpenVPN?
By creating a new certificate? If so, can I still re-use the name rick then?
Thanks!
Correct. The crl.pem is just used to compare with the used certs. If there is a match, the auth fails. But as long as you don't put the new cert into the file, everything is fine.
@nabo I understand, but when creating a new certificate, I have to give a client name. I suppose I can use rick as the name again, as it will create a new certificate, and crl.pem will not check for client names but just on certificates only, right?
Thanks
Hmmm, can't we just delete the keys? :P
yomero, no you can't. Keys are only client-side; you can generate them anywhere with your server's ca.crt and ca.key.
Freek, if you want to disable access temporary, just make simple shell connect-script and check name in there, if the name is 'rick' then return 1. Client would get AUTH_FAIL.
Oh, no, you can do it more simple! Just take a look at ccd-exclusive option.
Thanks for the clarification, @ValdikSS .
How exactly does that ccd-exclusive option work? This is the best I could find so far:
http://forums.openvpn.net/topic8592.html
Does that mean I just need to create a subdirectory for every client and it will check if the clientname of the ccd directory corresponds with the certificate name?
Thanks
Freek, you should set client-config-dir in config, create this dir and if you don't want to block someone, just don't create any files in this directory. If you want, create a file with a name of a client and write 'disable' there.
Or you can add ccd-exclusive into config and this reverse the text above: you should create empty file to allow client to connect.
Sorry for my English.
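To make the two client-config-dir modes from the reply above concrete, here is an added example (not from the thread or from OpenVPN itself) that models the allow/deny decision OpenVPN makes from a ccd directory: without ccd-exclusive a missing per-client file allows the client and a file containing `disable` denies it; with ccd-exclusive a missing file denies and an (even empty) file allows. The helper names ccd_allows, ccd_disable and ccd_enable are assumptions, and the directory it builds is constructed for the demo.

```sh
#!/bin/sh
# Added example, not OpenVPN code: models the ccd decision the thread describes.
# ccd_allows CCD_DIR CN MODE -> exit 0 if the client may connect, 1 if denied.
# MODE is "exclusive" (ccd-exclusive set) or "default" (plain client-config-dir).
ccd_allows() {
    ccd_dir=$1; cn=$2; mode=$3
    # The CN becomes a file name under the ccd, so refuse anything that could
    # escape the directory before touching the filesystem.
    case $cn in ''|*/*|.|..) return 1 ;; esac
    f="$ccd_dir/$cn"
    if [ ! -f "$f" ]; then
        # No per-client file: ccd-exclusive denies, plain ccd allows.
        [ "$mode" = exclusive ] && return 1
        return 0
    fi
    # A per-client file holding the 'disable' directive denies the client in
    # both modes; any other file (even an empty one) allows it.
    grep -qx 'disable' "$f" && return 1
    return 0
}

# Temporarily block a client without touching the CA or crl.pem.
ccd_disable() { printf 'disable\n' > "$1/$2"; }
# Re-enable: an empty file keeps the client allowed under ccd-exclusive too.
ccd_enable() { : > "$1/$2"; }

# Constructed demo: a throw-away ccd with 'rick' disabled and 'alice' enabled.
demo() {
    d=$(mktemp -d)
    ccd_disable "$d" rick
    ccd_enable "$d" alice
    ccd_allows "$d" rick default      || echo "default:   rick denied (disable)"
    ccd_allows "$d" alice default     && echo "default:   alice allowed"
    ccd_allows "$d" bob default       && echo "default:   bob allowed (no file)"
    ccd_allows "$d" bob exclusive     || echo "exclusive: bob denied (no file)"
    ccd_allows "$d" alice exclusive   && echo "exclusive: alice allowed (empty file)"
    ccd_allows "$d" '../rick' default || echo "both:      traversal CN denied"
    rm -rf "$d"
}
demo
```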