How to give only clients with valid client certs an address?
Posted: Fri Sep 11, 2015 4:20 am
Perhaps the question is wrong. After much research I have not found the answer to what I thought is a common requirement. So I may be misunderstanding something obvious.
We are using subnet with static ccd. We want only clients with valid client certificates to be given an address, but clients with revoked certificates are given an address.
After revoking a client on the server ...

```sh
client_name=<whatever>
cd /etc/openvpn
. ./vars                         # load the easy-rsa 2 environment (KEY_DIR etc.)
./revoke-full $client_name       # revoke the certificate and regenerate the CRL
rm /etc/openvpn/keys/$client_name.*   # remove the client's cert, csr and key
rm /etc/openvpn/ccd/$client_name      # remove its static ifconfig-push entry
```

... the client got an address. It was an address which was not in any of the ccd/* files, so presumably a free address from the pool. No changes had been made on the client, so perhaps its possession of the server's ca.crt and ta.key enabled the address assignment.
How can this behaviour be de-configured?
The answer may be in https://community.openvpn.net/openvpn/w ... Addressing, something to do with ifconfig-pool, but IDK if that is the free pool or includes the ccd static addresses.
server.conf:
```
ca /etc/openvpn/keys/ca.crt #CA certificate used to verify client certificates
cert /etc/openvpn/keys/server.crt #Server certificate
client-config-dir ccd #Directory for per-client configuration files (ifconfig-push etc.)
client-to-client #Allow the VPN clients to see each other
comp-lzo #Enable compression
crl-verify /etc/openvpn/crl.pem #Certificate revocation list; re-read when a client connects, no restart needed after updating it
dev tun #Use network tunnelling
dh /etc/openvpn/keys/dh1024.pem #Diffie Hellman parameters (1024-bit; 2048-bit is the current minimum recommendation)
group nogroup #After initialisation change group to nogroup
keepalive 10 120 #Ping clients every 10 s; restart after 120 s with no reply
key /etc/openvpn/keys/server.key #Server private key
log-append /var/log/openvpn.log #The general log
management localhost 7505 #Enable the management interface on localhost port 7505
mssfix 1350 #Clamp TCP MSS so that encapsulated UDP packets stay at or under 1350 bytes
persist-key #Don't re-read key files on restart. Required with user nobody
persist-tun #Don't re-open tun device on restart. Required with user nobody
port 1194 #Use port number (default)
proto udp #Use UDP protocol
route 10.42.0.0 255.255.255.252 #Add to routing table. Required for static clients. Netmask may not be best
server 10.42.0.0 255.255.0.0 #VPN subnet; the server takes .1 and clients without an ifconfig-push get pool addresses
status /var/log/openvpn-status.log #The status log
tls-auth /etc/openvpn/keys/ta.key 0 #HMAC key for tls-auth; 0 = server key direction
topology subnet #Give each tun device an IP address and netmask
user nobody #After initialisation change user to nobody
verb 1 #Logging verbosity
```
One client's files on the server:

```
root@openvpn.bluelightav:/etc/openvpn# ll keys/*CW9*
-rw-r--r-- 1 root root 3757 Mar 8 2014 keys/CW9.crt
-rw-r--r-- 1 root root 660 Mar 8 2014 keys/CW9.csr
-rw------- 1 root root 951 Mar 8 2014 keys/CW9.key
root@openvpn.bluelightav:/etc/openvpn# cat ccd/CW9
ifconfig-push 10.42.23.119 255.255.0.0
```
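The revoke procedure in the post only keeps a client out if the CRL file named by `crl-verify` is the one `revoke-full` regenerated and it actually lists the client's serial; deleting `ccd/<name>` merely drops the static `ifconfig-push`, after which an authenticated client falls through to the `server` pool and gets a free address. The script below is an added example, not code from the original post or from OpenVPN or easy-rsa. It builds a throwaway CA with plain `openssl` (the CA, the `CW9` certificate and key, the `server.conf` fragment and the temporary directory are all constructed for the example), issues and revokes the client cert, writes a CRL before and after the revocation, and checks whether a given CRL lists the client's serial. The same check, run against the file named in `crl-verify`, tells you whether OpenVPN can refuse the client at all.

```shell
#!/bin/sh
# Added example (not from the original post, OpenVPN or easy-rsa): verify that the CRL
# the server loads actually lists a client certificate as revoked.
# All paths, names and the demo CA below are constructed for this example.
set -eu

# Path named by the crl-verify directive in an OpenVPN server config.
crl_path_from_conf() {
    awk '$1 == "crl-verify" { print $2; exit }' "$1"
}

# Serial number of a certificate as uppercase hex (e.g. "01"), no "serial=" prefix.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'a-f' 'A-F'
}

# Exit 0 if the serial appears in the CRL's revoked list, 1 otherwise.
serial_in_crl() {
    openssl crl -in "$1" -noout -text \
        | awk '/Serial Number:/ { print $3 }' \
        | tr 'a-f' 'A-F' \
        | grep -qx "$2"
}

# Print what the server would load and whether the given CRL revokes the given cert.
report() {
    serial=$(cert_serial "$2")
    echo "crl-verify in $1 points at: $(crl_path_from_conf "$1")"
    if serial_in_crl "$3" "$serial"; then
        echo "serial $serial IS listed in $3: OpenVPN would reject this client"
    else
        echo "serial $serial is NOT listed in $3: OpenVPN would still accept this client"
    fi
}

# Build a throwaway CA, issue a client cert named CW9 (name taken from the post, keys
# freshly generated here), then revoke it and emit a CRL before and after. Sets DEMO_DIR.
demo() {
    DEMO_DIR=$(mktemp -d)
    trap 'rm -rf "$DEMO_DIR"' EXIT
    (
        cd "$DEMO_DIR"
        mkdir -p ca/newcerts
        : > ca/index.txt
        echo 01 > ca/serial
        echo 01 > ca/crlnumber
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj /CN=demo-ca -days 365 -config ca.cnf 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -keyout CW9.key -out CW9.csr \
            -subj /CN=CW9 -config ca.cnf 2>/dev/null
        openssl ca -batch -config ca.cnf -in CW9.csr -out CW9.crt 2>/dev/null
        openssl ca -config ca.cnf -gencrl -out crl-before.pem 2>/dev/null
        openssl ca -batch -config ca.cnf -revoke CW9.crt 2>/dev/null
        openssl ca -config ca.cnf -gencrl -out crl-after.pem 2>/dev/null
        # Constructed server.conf fragment mirroring the crl-verify line in the post.
        printf 'crl-verify /etc/openvpn/crl.pem #Certificate revocation list\n' > server.conf
    )
}

demo
report "$DEMO_DIR/server.conf" "$DEMO_DIR/CW9.crt" "$DEMO_DIR/crl-before.pem"
report "$DEMO_DIR/server.conf" "$DEMO_DIR/CW9.crt" "$DEMO_DIR/crl-after.pem"
```

On a real server, call `report /etc/openvpn/server.conf /etc/openvpn/keys/<name>.crt "$(crl_path_from_conf /etc/openvpn/server.conf)"` before deleting the client's files, and compare that CRL's modification time with the time of the revocation: easy-rsa 2's `revoke-full` writes its `crl.pem` into the easy-rsa key directory, so a `crl-verify` path elsewhere can keep serving a CRL from before the revocation. Independently of the CRL, the `ccd-exclusive` server option makes OpenVPN refuse any client that has no file under `client-config-dir`, so removing `ccd/<name>` then locks the client out instead of handing it a pool address.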