ovpn: Add support for revoking certificates (CRL)

* Add this much needed missing feature.  Easy RSA makes it... easy.

bin/ovpn_genconfig

@@ -160,6 +160,7 @@ ca $EASYRSA_PKI/ca.crt
 cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
 dh $EASYRSA_PKI/dh.pem
 tls-auth $EASYRSA_PKI/ta.key
+crl-verify $EASYRSA_PKI/crl.pem
 key-direction 0
 keepalive 10 60
 persist-key
@@ -177,6 +178,10 @@ user nobody
 group nogroup
 EOF
 
+
+# Create an empty CRL
+[ ! -f "$EASYRSA_PKI/crl.pem" ] && touch $EASYRSA_PKI/crl.pem
+
 [ -n "$OVPN_CLIENT_TO_CLIENT" ] && echo "client-to-client" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.4.4" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.8.8" >> "$conf"

docs/clients.md

@@ -26,3 +26,12 @@ After doing so, you will find the following files in each of the `$cn` directori
     $cn.crt
     $cn.key
     ta.key
+
+## Revoking Client Certificates
+
+Revoke `client1`'s certificate and generate the certificate revocation list (CRL):
+
+    docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn easyrsa revoke client1
+    docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn easyrsa gen-crl
+
+The OpenVPN server will read this change everytime a client connects (no need to restart server) and deny clients access using revoked certificates.