TrueNas OpenVPN Certificate revoke
- Catalyph
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Jul 09, 2021 10:00 pm
TrueNas OpenVPN Certificate revoke
I have TrueNAS 12 and the OpenVPN service up and running with certificates.
I have certs for each user, thinking that if a user cert became compromised it would be easy to revoke the cert to block VPN access.
Well, a user's machine was compromised and the cert has possibly been copied.
How can I revoke the cert in the TrueNAS server? I cannot find a way that works without the other 30+ users' certs becoming invalid also.
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: TrueNas OpenVPN Certificate revoke
Hi,
Please try TrueNAS support forums.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: TrueNas OpenVPN Certificate revoke
Catalyph wrote: ↑Sat Jul 10, 2021 4:55 am
I have TrueNAS 12 and the OpenVPN service up and running with certificates.
I have certs for each user, thinking that if a user cert became compromised it would be easy to revoke the cert to block VPN access.
Well, a user's machine was compromised and the cert has possibly been copied.
How can I revoke the cert in the TrueNAS server? I cannot find a way that works without the other 30+ users' certs becoming invalid also.
Your thinking was quite correct. This is why we recommend against using the --duplicate-cn option; so that any single compromised client can easily be blocked.
I can't help you with the specifics of your TrueNAS server and (what I suppose is) its integrated CA management utility, but I can explain a bit about the openvpn side of it, and I'll give you other options for access control.
First, the option you need on the server is --crl-verify; this tells openvpn where to find the CRL (certificate revocation list) and what to do with it. Please refer to the manual for all the details. It only works if your CA properly publishes the CRL, of course.
Next, there are a couple of simpler options for server-side access control that do not need to involve the TLS CA nor revocation at all. If you create a --client-config-dir you can --disable a client by making a file with its certificate CN as the filename. For example if you had a client common name of "rob0" and you wanted to get rid of the scoundrel, and your CCD is /etc/openvpn/ccd, just do:
echo disable > /etc/openvpn/ccd/rob0
and you'll never have to put up with that client again (be sure of course to kill any existing connection in the --management interface.)
My personal favorite also involves using a CCD, but in reverse. With the --ccd-exclusive option set, only clients with files in the CCD (where again, the filename matches the certificate common name) are allowed to connect. This requires a bit of coordination between the server admin and the CA manager, but on any openvpn I have ever run, I was both of those at the same time, so it wasn't a problem. When you create a new client, and the certificate common name is "Catalyph", simply:
touch /etc/openvpn/ccd/Catalyph
to enable the new client to connect. And rm(1) is the way to block any user; just delete (or mv/rename) the file.
I hope this helps, regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
- Catalyph
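As an added example (not code from this thread, from OpenVPN or from TrueNAS), the following POSIX shell script emulates the decision the two CCD-based controls above produce, so an administrator can dry-run a client-config-dir before relying on it: a per-client file containing "disable" blocks that common name, and with --ccd-exclusive a client with no file at all is refused. The helper names (ccd_disable, ccd_enable, ccd_permits), the temporary directory and the "safe common name" filter are this example's own assumptions; OpenVPN sanitises the X509 common name before its own lookup, but that rule is not reproduced here.

```shell
#!/bin/sh
# Added example: emulate OpenVPN's --client-config-dir access decision on a
# scratch directory. The server options this mirrors are the ones named in
# the post:
#   client-config-dir /etc/openvpn/ccd
#   ccd-exclusive            # optional: no per-client file => no access
# Function names and the safe-CN rule are this example's own assumptions.
set -u

# ccd_safe_cn CN: refuse names that are not safe as a bare filename
# (empty, dot names, anything with a slash, leading dash, odd characters).
ccd_safe_cn() {
    case "$1" in
        ''|.|..|*/*|-*) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# ccd_disable DIR CN: the post's "echo disable > ccd/CN" (block a client).
ccd_disable() {
    ccd_safe_cn "$2" || return 2
    echo disable > "$1/$2"
}

# ccd_enable DIR CN: the post's "touch ccd/CN" (required under ccd-exclusive).
ccd_enable() {
    ccd_safe_cn "$2" || return 2
    : > "$1/$2"
}

# ccd_permits DIR CN MODE: exit 0 if a client presenting CN would be let in,
# 1 if not. MODE is "exclusive" (ccd-exclusive set) or "open" (not set).
ccd_permits() {
    dir=$1; cn=$2; mode=$3
    ccd_safe_cn "$cn" || return 1
    if [ -f "$dir/$cn" ]; then
        # a "disable" directive in the per-client file blocks the client
        if grep -q '^[[:space:]]*disable[[:space:]]*$' "$dir/$cn"; then
            return 1
        fi
        return 0
    fi
    # no per-client file: allowed only when ccd-exclusive is NOT set
    [ "$mode" = open ]
}

# Stand-alone demo on a temporary CCD (constructed data).
demo=$(mktemp -d)
ccd_enable "$demo" Catalyph
ccd_disable "$demo" rob0
for cn in Catalyph rob0 newuser; do
    for mode in open exclusive; do
        if ccd_permits "$demo" "$cn" "$mode"; then s=allowed; else s=blocked; fi
        printf '%-9s %-10s %s\n' "$cn" "$mode" "$s"
    done
done
rm -rf "$demo"
```

Note that a CCD change only affects the next connection attempt: a client that is already connected keeps its session until it is killed through the management interface, as the post says, or until the next renegotiation.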
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Jul 09, 2021 10:00 pm
Re: TrueNas OpenVPN Certificate revoke
Yes, tried that. Basically a moderator told me it's not their problem, go ask OpenVPN, as it is a bog-standard implementation of OpenVPN (which I don't think it is, otherwise I would not have this issue). They then proceeded to remove the thread in which I was trying to demonstrate it was not a standard implementation.
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: TrueNas OpenVPN Certificate revoke
According to the TrueNAS documentation, you MUST create your own PKI, so how did you do that?
https://www.truenas.com/docs/core/services/openvpn/
TrueNAS wrote:
Before configuring TrueNAS as either an OpenVPN Server or Client, you will need an existing public key infrastructure (PKI) with Certificates and Certificate Authorities created in or imported to TrueNAS.
- Catalyph
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Jul 09, 2021 10:00 pm
Re: TrueNas OpenVPN Certificate revoke
openvpn_inc wrote: ↑Sat Jul 10, 2021 1:08 pm
Catalyph wrote: ↑Sat Jul 10, 2021 4:55 am
I have TrueNAS 12 and the OpenVPN service up and running with certificates.
I have certs for each user, thinking that if a user cert became compromised it would be easy to revoke the cert to block VPN access.
Well, a user's machine was compromised and the cert has possibly been copied.
How can I revoke the cert in the TrueNAS server? I cannot find a way that works without the other 30+ users' certs becoming invalid also.
Your thinking was quite correct. This is why we recommend against using the --duplicate-cn option; so that any single compromised client can easily be blocked.
I can't help you with the specifics of your TrueNAS server and (what I suppose is) its integrated CA management utility, but I can explain a bit about the openvpn side of it, and I'll give you other options for access control.
First, the option you need on the server is --crl-verify; this tells openvpn where to find the CRL (certificate revocation list) and what to do with it. Please refer to the manual for all the details. It only works if your CA properly publishes the CRL, of course.
Next, there are a couple of simpler options for server-side access control that do not need to involve the TLS CA nor revocation at all. If you create a --client-config-dir you can --disable a client by making a file with its certificate CN as the filename. For example if you had a client common name of "rob0" and you wanted to get rid of the scoundrel, and your CCD is /etc/openvpn/ccd, just do:
echo disable > /etc/openvpn/ccd/rob0
and you'll never have to put up with that client again (be sure of course to kill any existing connection in the --management interface.)
My personal favorite also involves using a CCD, but in reverse. With the --ccd-exclusive option set, only clients with files in the CCD (where again, the filename matches the certificate common name) are allowed to connect. This requires a bit of coordination between the server admin and the CA manager, but on any openvpn I have ever run, I was both of those at the same time, so it wasn't a problem. When you create a new client, and the certificate common name is "Catalyph", simply:
touch /etc/openvpn/ccd/Catalyph
to enable the new client to connect. And rm(1) is the way to block any user; just delete (or mv/rename) the file.
I hope this helps, regards, rob0
This was VERY helpful!
Thanks. I hope you don't mind a few more questions.
In TrueNAS I think they have their own certificate management; there is a .crl file in the CA directory that TrueNAS uses (/etc/certificates/CA). Where do I specify this option --crl-verify, and how do I create or modify the current .crl file that is there?
For the --client-config-dir, where do I specify this, in the OpenVPN server config file? Or is it an executed option?
--ccd-exclusive - is this specified in the OpenVPN server config file?
If the CN is the same on all the certificates, is there another option? I like this idea and will change the CN on future certificates.
I can set the directory to the TrueNAS certificate directory, and when a cert is created in TrueNAS it will be in that directory by default and therefore enabled, and I will just need to remove it from that dir!
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: TrueNas OpenVPN Certificate revoke
That's why we are here!
Catalyph wrote: ↑Sat Jul 10, 2021 5:50 pm
In TrueNAS I think they have their own certificate management; there is a .crl file in the CA directory that TrueNAS uses (/etc/certificates/CA). Where do I specify this option --crl-verify, and how do I create or modify the current .crl file that is there?
For the --client-config-dir, where do I specify this, in the OpenVPN server config file? Or is it an executed option?
--ccd-exclusive - is this specified in the OpenVPN server config file?
All of these go either on the openvpn command line or in the server's --config file.
Again I know nothing at all about TrueNAS and their certificate management. That is absolutely not an openvpn question. If they (their support desk) don't understand that, I'd worry and consider finding a more competent vendor.
You definitely need to have unique common names for your certificates.
I doubt it works that way. For example with easyrsa, if you have the CA on the server (which is not recommended, BTW) the server does not care about the CA files. It refers to its own --ca certificate, and if a client presents a certificate signed by the same CA, and that certificate is not in the CRL being checked with --crl-verify, the server is happy with it and allows the connection (subject of course to the other access controls discussed upthread, as well as any scripts you might have which could block a client.)
That question goes back again to TrueNAS, sorry.
Glad we could help! Regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
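As an added example (not code from this thread, from OpenVPN or from TrueNAS), the following shell script builds a throw-away CA with openssl and walks through the revocation lifecycle the two openvpn_inc answers describe: a client certificate chains to the CA and is accepted; the CA operator revokes it and publishes a fresh CRL; from then on that one certificate is rejected while every other client's certificate stays valid. `openssl verify -crl_check` stands in for the server's --crl-verify check; on a real server, the published crl.pem is the file that option points at. The directory layout, the openssl.cnf contents, the CN values and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: revocation lifecycle on a scratch CA (assumptions: layout,
# config, CNs and function names are this example's own; it is not TrueNAS's
# or OpenVPN's code). Requires the openssl command-line tool.
set -u

# pki_init DIR: create the CA key/cert and the bookkeeping files "openssl ca" needs.
pki_init() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    (cd "$dir" && openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj /CN=demo-ca -extensions v3_ca -config openssl.cnf \
        -keyout ca.key -out ca.crt) >/dev/null 2>&1
}

# pki_issue DIR CN: issue one client certificate per user, with a unique CN.
pki_issue() {
    (cd "$1" && openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -config openssl.cnf -keyout "$2.key" -out "$2.csr" \
     && openssl ca -batch -config openssl.cnf -extensions v3_client \
        -notext -in "$2.csr" -out "$2.crt") >/dev/null 2>&1
}

# pki_publish_crl DIR: (re)generate crl.pem from the CA database; this is
# the file a server's "crl-verify" option would point at.
pki_publish_crl() {
    (cd "$1" && openssl ca -config openssl.cnf -gencrl -out crl.pem) >/dev/null 2>&1
}

# pki_revoke DIR CN: mark CN's certificate revoked and publish a fresh CRL.
pki_revoke() {
    (cd "$1" && openssl ca -config openssl.cnf -revoke "$2.crt") >/dev/null 2>&1 \
    && pki_publish_crl "$1"
}

# pki_accepted DIR CN: 0 if CN's cert chains to the CA and is not on crl.pem,
# which is the same decision the server makes with --ca plus --crl-verify.
pki_accepted() {
    (cd "$1" && openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$2.crt") >/dev/null 2>&1
}

# Stand-alone demo with constructed users alice and bob.
work=$(mktemp -d)
pki_init "$work" && pki_issue "$work" alice && pki_issue "$work" bob && pki_publish_crl "$work"
for cn in alice bob; do
    if pki_accepted "$work" "$cn"; then echo "$cn: accepted"; else echo "$cn: rejected"; fi
done
pki_revoke "$work" alice
for cn in alice bob; do
    if pki_accepted "$work" "$cn"; then echo "$cn: accepted"; else echo "$cn: rejected"; fi
done
rm -rf "$work"
```

Two points worth checking in any real deployment: the CRL must be regenerated and copied to wherever the server reads it every time a certificate is revoked, and a CRL has an expiry (default_crl_days above), after which the server treats it as invalid, so publication needs to be a scheduled job rather than a one-off.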