OpenVPN server disable and reenable clients

I'm running OpenVPN 2.3.2 (still a newbie at this) in an Ubuntu 14.04 Server machine. I want to be able to disable/reenable clients that connect to my OpenVPN server.

I followed this guide for revoking a client's certificate, but it seems that this move is irreversible. Also, if I revoke a client's certificate, and the client is already connected, the connection does not seem to stop. I want the connection to stop immediately.

Is there any easy way to disable and reenable clients?

My server.conf file:

# OpenVPN server configuration file
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
ca /usr/share/easy-rsa/keys/ca.crt
cert /usr/share/easy-rsa/keys/vpnserver.crt
key /usr/share/easy-rsa/keys/vpnserver.key
dh /usr/share/easy-rsa/keys/dh2048.pem
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
comp-lzo
keepalive 10 60
persist-tun
persist-key
user panos
group panos
log-append /var/log/openvpn.log
verb 3
# crl-verify keys/crl.pem

The last line is for the guide above.

Thank you.

panos

Posted 2017-08-27T12:28:33.553

Reputation: 51

Why not assign IP addresses per user and then use iptables to block/allow IP? – davidgo – 2017-08-27T16:42:51.067

I don't know. I think that the solution you suggest is a little bit "dirty". Iptables is something irrelevant than the VPN mechanism. Also if someone has a way to change his IP then he could easily re-connect with the same certificate. – panos – 2017-08-28T18:02:07.217

I'd just point out that I'm suggesting that the IP blocked is the one issued by the VPN server - so - if correctly set up server side the user could not reconnect with the same cert. – davidgo – 2017-08-28T22:25:19.127

Answers

I implemented a solution similar to davidgo's. Unfortunately I faced an openssl error similar to this bug, and it took me a lot of time to find a workaround for this.

I wrote finally two scripts for revoking and unrevoking client certificates:

revoke.sh:

#!/bin/bash

keys_index_file=/usr/share/easy-rsa/keys/index.txt
fileline="$(grep "/CN=$1/" $keys_index_file)"
columns_number="$(echo $fileline | awk -F' ' '{print NF;}')"

if [[ $columns_number -eq 5 ]] && [[ $fileline == V* ]]; then

    source /usr/share/easy-rsa/vars 
    /usr/share/easy-rsa/revoke-full $1

    {
        sleep 3
        echo kill $1
        sleep 3
        echo exit
    } | telnet localhost 7505

    echo "Client certificate revoked successfully."
    exit 0;

elif [[ $columns_number -eq 6 ]] && [[ $fileline == R* ]]; then

    echo "Client certificate is already revoked."
    exit 0;

else

    echo "Error; key index file may be corrupted."
    exit 1;
fi

unrevoke.sh:

#!/bin/bash

keys_index_file=/usr/share/easy-rsa/keys/index.txt
linenumber="$(grep -n "/CN=$1/" $keys_index_file | cut -f1 -d:)"
fileline="$(grep -n "/CN=$1/" $keys_index_file)"
line="$(grep "/CN=$1/" $keys_index_file)"

columns_number="$(echo $line | awk -F' ' '{print NF;}')"
echo $columns_number



if [[ $columns_number -eq 6 ]] && [[ $line == R* ]]; then

    column2="$(echo $fileline | awk '{print $2}')"
    column4="$(echo $fileline | awk '{print $4}')"
    column5="$(echo $fileline | awk '{print $5}')"
    column6="$(echo $fileline | awk '{print $6}')"
    echo -e "V\t$column2\t\t$column4\t$column5\t$column6" >> $keys_index_file
    sed -i "${linenumber}d" $keys_index_file
    cd /usr/share/easy-rsa; source ./vars; openssl ca -gencrl -out "keys/crl.pem" -config "$KEY_CONFIG"

    echo "Certificate unrevoked successfully."
    exit 0;

elif [[ $columns_number -eq 5 ]] && [[ $fileline == V* ]]; then

    echo "Certificate is already unrevoked and active"
    exit 0;

else

    echo "Error; Key index file may be corrupted."
    exit 1;

fi

Note that revoke.sh script also opens a telnet connection with openVPN and kicks out the client to be revoked.

panos

Posted 2017-08-27T12:28:33.553

Reputation: 51

Ignoring the iptables option (which I believe is technically superior), you can revoke and reinstate private keys by modifying the revokation file and reloading openvpn. (If you are using easyRSA you can edit easyRSA/index.txt. Find the appropriate line and change the "R" flag to a "V" flag, remove the third column.) Then

  source ./vars
  openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"

You can reload the opening server to make the new config take effect. This will kick ALL the clients, but they should automatically reconnect and negotiate a new session.

See http://sq4ind.eu/openvpn-revoke-unrevoke-certificates/ for the reference article this solution is based on.

davidgo

Posted 2017-08-27T12:28:33.553

Reputation: 49 152