How to give only clients with valid client certs an address?

catkin
OpenVPN User
Posts: 25
Joined: Wed Aug 03, 2011 5:31 am

How to give only clients with valid client certs an address?

Post by catkin » Fri Sep 11, 2015 4:20 am

Perhaps the question is wrong. After much research I have not found the answer to what I thought is a common requirement. So I may be misunderstanding something obvious.

We are using subnet with static ccd. We want only clients with valid client certificates to be given an address but clients with revoked certificates are given an address.

After revoking a client on the server ...

client_name=<whatever>                  # common name of the client being revoked
cd /etc/openvpn                         # easy-rsa 2 scripts and vars live here
. ./vars                                # load the easy-rsa environment (KEY_DIR etc.)
./revoke-full "$client_name"            # revoke the cert and write a fresh crl.pem in KEY_DIR
rm /etc/openvpn/keys/"$client_name".*   # remove the client's crt, csr and key
rm /etc/openvpn/ccd/"$client_name"      # remove its static ifconfig-push entry

... the client got an address. It was an address which was not in any of the ccd/* files, so presumably a free address from the pool. No changes had been made on the client, so perhaps its possession of the server's ca.crt and ta.key enabled the address assignment.

How can this behaviour be de-configured?

The answer may be in https://community.openvpn.net/openvpn/w ... Addressing, something to do with ifconfig-pool but IDK if that is the free pool or includes the ccd static addresses.

server.conf:

ca /etc/openvpn/keys/ca.crt         #Certificates of authority (CAs)
cert /etc/openvpn/keys/server.crt   #Server certificate
client-config-dir ccd               #Directory for client configuration files
client-to-client                    #Allow the VPN clients to see each other
comp-lzo                            #Enable compression
crl-verify /etc/openvpn/crl.pem     #Certificate revocation list
dev tun                             #Use network tunnelling
dh /etc/openvpn/keys/dh1024.pem     #Diffie Hellman parameters
group nogroup                       #After initialisation change group to nogroup
keepalive 10 120                    #Ping clients every 10 s; restart after 120 s no reply
key /etc/openvpn/keys/server.key    #Server key
log-append /var/log/openvpn.log     #The general log
management localhost 7505           #Enable daemon management on port 7505
mssfix 1350                         #Max UDP packet size for each TCP packet in the tunnel
persist-key                         #Don't re-read key files on restart. Required with user nobody
persist-tun                         #Don't re-open tun device on restart. Required with user nobody
port 1194                           #Use port number (default)
proto udp                           #Use UDP protocol
route 10.42.0.0 255.255.255.252     #Add to routing table. Required for static clients. Netmask may not be best
server 10.42.0.0 255.255.0.0        #VPN address range and netmask
status /var/log/openvpn-status.log  #The status log
tls-auth /etc/openvpn/keys/ta.key 0 #TLS key
topology subnet                     #Give each tun device an IP address and netmask
user nobody                         #After initialisation change user to nobody
verb 1                              #Logging verbosity

One client's files on the server:

root@openvpn.bluelightav:/etc/openvpn# ll keys/*CW9*
-rw-r--r-- 1 root root 3757 Mar  8  2014 keys/CW9.crt
-rw-r--r-- 1 root root  660 Mar  8  2014 keys/CW9.csr
-rw------- 1 root root  951 Mar  8  2014 keys/CW9.key
root@openvpn.bluelightav:/etc/openvpn# cat ccd/CW9
ifconfig-push 10.42.23.119 255.255.0.0

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: How to give only clients with valid client certs an addr

Post by Traffic » Fri Sep 11, 2015 11:22 am

From easyrsa:
Revocation was successful. You must run gen-crl and upload a CRL to your infrastructure in order to prevent the revoked cert from being accepted.
See:
https://github.com/OpenVPN/easy-rsa/blo ... -Readme.md
https://openvpn.net/index.php/open-sour ... tml#revoke

catkin
OpenVPN User
Posts: 25
Joined: Wed Aug 03, 2011 5:31 am

Re: How to give only clients with valid client certs an addr

Post by catkin » Sat Sep 12, 2015 9:05 am

Thanks Traffic :)

I read the two linked pages and many more but did not achieve clarity :roll:

Is it correct that, with a server.conf file including ...

crl-verify /etc/openvpn/crl.pem

... after every revocation using the procedure shown in the OP, /etc/openvpn/keys/crl.pem should be copied to /etc/openvpn/crl.pem with global read permission?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: How to give only clients with valid client certs an addr

Post by Traffic » Sat Sep 12, 2015 10:04 am

How else will the server know you have revoked a certificate ?

You only need global read permission if you are dropping privileges on the server.

catkin
OpenVPN User
Posts: 25
Joined: Wed Aug 03, 2011 5:31 am

Re: How to give only clients with valid client certs an addr

Post by catkin » Sun Sep 13, 2015 3:31 pm

Thanks again Traffic :)

Got it! The crl.pem is a list of revoked certificates. Having inspected it, it did not seem big enough so I was theorising it was a cryptographic checksum of index.txt where revoked certificates are marked with an R. I now understand the Rs are just a convenience. Enlightenment came from your information followed by running

openssl crl -in crl.pem -text   # dump the CRL as text, listing the revoked serial numbers
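Traffic's answer (regenerate the CRL and put it where the server reads it) and catkin's closing look at crl.pem, worked through end to end as an added example that is not from this thread, from easy-rsa or from OpenVPN: a throwaway CA built with plain openssl stands in for easy-rsa, issues two constructed client certs (CW9 and ok), revokes CW9, and shows that the server-side check keeps accepting CW9 until the CRL it consults is regenerated. It assumes only that openssl 1.1 or 3.x is on PATH; every file name and the helper functions gen_crl and client_status are my own.

```shell
#!/bin/sh
# Added example (not from the thread): plain-openssl CA standing in for easy-rsa.
# The revoke step below is what revoke-full does; gen_crl is gen-crl plus copying
# the CRL to the path named by crl-verify; client_status is the server's check.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 01 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj /CN=demo-ca -days 365 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout CW9.key -out CW9.csr -subj /CN=CW9 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout ok.key -out ok.csr -subj /CN=ok -config ca.cnf 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in CW9.csr -out CW9.crt 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in ok.csr -out ok.crt 2>/dev/null
# Regenerate the CRL and bundle it with the CA cert, as the server would see it.
gen_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null; cat ca.crt crl.pem > trust.pem; }
# The check an OpenVPN server with crl-verify applies to the client cert offered in
# the TLS handshake: chain must verify AND the serial must not be on the CRL.
client_status() { openssl verify -crl_check -CAfile trust.pem "$1" >/dev/null 2>&1 && echo accepted || echo rejected; }
gen_crl
echo "CW9 before revocation:      $(client_status CW9.crt)"   # accepted
openssl ca -config ca.cnf -revoke CW9.crt 2>/dev/null          # marks index.txt with R
echo "CW9 revoked, stale CRL:     $(client_status CW9.crt)"   # accepted (the OP's situation)
gen_crl
echo "CW9 revoked, fresh CRL:     $(client_status CW9.crt)"   # rejected
echo "ok, unrevoked, fresh CRL:   $(client_status ok.crt)"    # accepted
openssl crl -in crl.pem -noout -text | grep -A2 'Revoked Certificates'
```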
