From 5021bad5974eab013dd18db5d79ff2dea75c1680 Mon Sep 17 00:00:00 2001
From: Kyle Manna
Date: Mon, 11 May 2015 10:33:56 -0700
Subject: [PATCH] ovpn: Add support for revoking certificates (CRL)

* Add this much needed missing feature. Easy RSA makes it... easy.
---
 bin/ovpn_genconfig | 5 +++++
 docs/clients.md | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
index 2a2a649..f4f7f32 100755
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -160,6 +160,7 @@ ca $EASYRSA_PKI/ca.crt
 cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
 dh $EASYRSA_PKI/dh.pem
 tls-auth $EASYRSA_PKI/ta.key
+crl-verify $EASYRSA_PKI/crl.pem
 key-direction 0
 keepalive 10 60
 persist-key
@@ -177,6 +178,10 @@ user nobody
 group nogroup
 EOF
+
+# Create an empty CRL
+[ ! -f "$EASYRSA_PKI/crl.pem" ] && touch $EASYRSA_PKI/crl.pem
+
 [ -n "$OVPN_CLIENT_TO_CLIENT" ] && echo "client-to-client" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.4.4" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.8.8" >> "$conf"
diff --git a/docs/clients.md b/docs/clients.md
index 6cc234e..15d56e7 100644
--- a/docs/clients.md
+++ b/docs/clients.md
@@ -26,3 +26,12 @@ After doing so, you will find the following files in each of the `$cn` directori
 $cn.crt
 $cn.key
 ta.key
+
+## Revoking Client Certificates
+
+Revoke `client1`'s certificate and generate the certificate revocation list (CRL):
+
+ docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn easyrsa revoke client1 docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn easyrsa gen-crl
+
+The OpenVPN server will read this change everytime a client connects (no need to restart server) and deny clients access using revoked certificates.
\ No newline at end of file
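Review bot: The new `crl-verify $EASYRSA_PKI/crl.pem` line goes into the same server-config heredoc that emits `user nobody` and `group nogroup` (context of the next hunk), and the OpenVPN manual notes that the CRL file is re-read on incoming connections after the privilege drop, so the file and every directory on its path must stay readable by that unprivileged user or the CRL check will start failing connections once a real CRL is written. That constraint is easy to break later by tightening permissions on the PKI directory, so it deserves a comment next to the heredoc, e.g. `# crl.pem is re-read per connection after the user/group drop; keep it readable by nobody`. The heredoc itself starts before this hunk, so the comment would sit outside the shown lines.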
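Review bot: `touch $EASYRSA_PKI/crl.pem` creates a zero-byte file, which is not a PEM-encoded CRL; OpenVPN builds that parse the CRL at verification time treat an unparsable CRL as a failed check, so this placeholder can reject every client instead of accepting them, while other builds may refuse to start on it. Producing a genuine (empty) CRL from the CA is the safer default, `[ ! -f "$EASYRSA_PKI/crl.pem" ] && easyrsa gen-crl`, provided the CA already exists when ovpn_genconfig runs; if it may not, this step belongs where the PKI is initialised rather than here. The path passed to `touch` is also unquoted while the `-f` test on the same line quotes it, so `touch "$EASYRSA_PKI/crl.pem"` keeps the two consistent. Whether `set -e` is active for this top-level statement is not visible in the hunk.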