container-openvpn/docs/clients.md

# Advanced Client Management

## Client Configuration Mode

The [`ovpn_getclient`](/bin/ovpn_getclient) can produce two different versions of the configuration.

1. combined (default): All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).
2. separated: Separated files.

Note that some client software might be picky about which configuration format it accepts.

## Client List

See an overview of the configured clients, including revocation and expiration status:

    docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients

 The output is generated using `openssl verify`. Error codes from the verification process different from `X509_V_ERR_CERT_HAS_EXPIRED` or `X509_V_ERR_CERT_REVOKED` will show the status `INVALID`.

## Batch Mode

If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.

Execute the following to generate the configuration for all clients:

    docker run --rm -it -v $OVPN_DATA:/etc/openvpn --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all

After doing so, you will find the following files in each of the `$cn` directories:

    ca.crt
    $cn-combined.ovpn # Combined configuration file format. If your client recognices this file then only this file is needed.
    $cn.ovpn          # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
    $cn.crt
    $cn.key
    ta.key

## Revoking Client Certificates

Revoke `client1`'s certificate and generate the certificate revocation list (CRL) using [`ovpn_revokeclient`](/bin/ovpn_revokeclient) script :

    docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_revokeclient client1

The OpenVPN server will read this change every time a client connects (no need to restart server) and deny clients access using revoked certificates.

You can optionally pass `remove` as second parameter to ovpn_revokeclient to remove the corresponding crt, key and req files :

    docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_revokeclient client1 remove
docs: Tweak case and arguments * Makes the reading more uniform with the rest of the documentation. 2015-05-11 17:32:58 +00:00			`# Advanced Client Management`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
docs: Tweak case and arguments * Makes the reading more uniform with the rest of the documentation. 2015-05-11 17:32:58 +00:00			`## Client Configuration Mode`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			The [`ovpn_getclient`](/bin/ovpn_getclient) can produce two different versions of the configuration.
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`1. combined (default): All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`2. separated: Separated files.`

Fixed spelling. 2015-03-13 01:00:04 +00:00			`Note that some client software might be picky about which configuration format it accepts.`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
adding ovpn_listclients script 2016-05-11 22:35:00 +00:00			`## Client List`

extended client status for EXPIRED or other errors 2018-09-01 13:40:38 +00:00			`See an overview of the configured clients, including revocation and expiration status:`
adding ovpn_listclients script 2016-05-11 22:35:00 +00:00
misc: Switch from data container to data volume * Use the `docker volume` mechanism. * Less confusing and makes more sense. * Released in ~ docker v1.9 2016-09-03 23:08:49 +00:00			`docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients`
adding ovpn_listclients script 2016-05-11 22:35:00 +00:00
extended client status for EXPIRED or other errors 2018-09-01 13:40:38 +00:00			The output is generated using `openssl verify`. Error codes from the verification process different from `X509_V_ERR_CERT_HAS_EXPIRED` or `X509_V_ERR_CERT_REVOKED` will show the status `INVALID`.

docs: Tweak case and arguments * Makes the reading more uniform with the rest of the documentation. 2015-05-11 17:32:58 +00:00			`## Batch Mode`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
			`Execute the following to generate the configuration for all clients:`

misc: Switch from data container to data volume * Use the `docker volume` mechanism. * Less confusing and makes more sense. * Released in ~ docker v1.9 2016-09-03 23:08:49 +00:00			`docker run --rm -it -v $OVPN_DATA:/etc/openvpn --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
			After doing so, you will find the following files in each of the `$cn` directories:

			`ca.crt`
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`$cn-combined.ovpn # Combined configuration file format. If your client recognices this file then only this file is needed.`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`$cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key`
			`$cn.crt`
			`$cn.key`
			`ta.key`
ovpn: Add support for revoking certificates (CRL) * Add this much needed missing feature. Easy RSA makes it... easy. 2015-05-11 17:33:56 +00:00
			`## Revoking Client Certificates`

Update documentation Add ovpn_revokeclient usage to client.md and docker-compose.md 2017-05-02 16:10:12 +00:00			Revoke `client1`'s certificate and generate the certificate revocation list (CRL) using [`ovpn_revokeclient`](/bin/ovpn_revokeclient) script :
ovpn: Add support for revoking certificates (CRL) * Add this much needed missing feature. Easy RSA makes it... easy. 2015-05-11 17:33:56 +00:00
Update documentation Add ovpn_revokeclient usage to client.md and docker-compose.md 2017-05-02 16:10:12 +00:00			`docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_revokeclient client1`
ovpn: Add support for revoking certificates (CRL) * Add this much needed missing feature. Easy RSA makes it... easy. 2015-05-11 17:33:56 +00:00
Updated documentation. * Related to https://github.com/kylemanna/docker-openvpn/pull/54 * Allow better syntax highlighting. * Added/Fixed hyperlinks. * Spelling. 2015-08-25 10:40:02 +00:00			`The OpenVPN server will read this change every time a client connects (no need to restart server) and deny clients access using revoked certificates.`
Update documentation Add ovpn_revokeclient usage to client.md and docker-compose.md 2017-05-02 16:10:12 +00:00
			You can optionally pass `remove` as second parameter to ovpn_revokeclient to remove the corresponding crt, key and req files :

			`docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_revokeclient client1 remove`