TrueNas OpenVPN Certificate revoke

Catalyph
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 09, 2021 10:00 pm

TrueNas OpenVPN Certificate revoke

Post by Catalyph » Sat Jul 10, 2021 4:55 am

I have TrueNAS 12 and the OpenVPN service up and running with certificates.

I have certs for each user, thinking that if a user cert became compromised it would be easy to revoke the cert to block VPN access.
Well, a user's machine was compromised and the cert has possibly been copied.

How can I revoke the cert in the TrueNAS server? I cannot find a way that works without having the other 30+ users' certs become invalid also.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: TrueNas OpenVPN Certificate revoke

Post by Pippin » Sat Jul 10, 2021 12:48 pm

Hi,

Please try TrueNAS support forums.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: TrueNas OpenVPN Certificate revoke

Post by openvpn_inc » Sat Jul 10, 2021 1:08 pm

Catalyph wrote:
Sat Jul 10, 2021 4:55 am
I have TrueNAS 12 and the OpenVPN service up and running with certificates.

I have certs for each user, thinking that if a user cert became compromised it would be easy to revoke the cert to block VPN access.
Well, a user's machine was compromised and the cert has possibly been copied.

How can I revoke the cert in the TrueNAS server? I cannot find a way that works without having the other 30+ users' certs become invalid also.
Your thinking was quite correct. This is why we recommend against using the --duplicate-cn option; so that any single compromised client can easily be blocked.

I can't help you with the specifics of your TrueNAS server and (what I suppose is) its integrated CA management utility, but I can explain a bit about the openvpn side of it, and I'll give you other options for access control.

First, the option you need on the server is --crl-verify; this tells openvpn where to find the CRL (certificate revocation list) and what to do with it. Please refer to the manual for all the details. It only works if your CA properly publishes the CRL, of course.

Next, there are a couple of simpler options for server-side access control that do not need to involve the TLS CA nor revocation at all. If you create a --client-config-dir you can --disable a client by making a file with its certificate CN as the filename. For example if you had a client common name of "rob0" and you wanted to get rid of the scoundrel, and your CCD is /etc/openvpn/ccd, just do:

echo disable > /etc/openvpn/ccd/rob0

and you'll never have to put up with that client again (be sure of course to kill any existing connection in the --management interface.)

My personal favorite also involves using a CCD, but in reverse. With the --ccd-exclusive option set, only clients with files in the CCD (where again, the filename matches the certificate common name) are allowed to connect. This requires a bit of coordination between the server admin and the CA manager, but on any openvpn I have ever run, I was both of those at the same time, so it wasn't a problem. :) When you create a new client, and the certificate common name is "Catalyph", simply:

touch /etc/openvpn/ccd/Catalyph

to enable the new client to connect. And rm(1) is the way to block any user; just delete (or mv/rename) the file.

I hope this helps, regards, rob0
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
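The two CCD controls rob0 describes (a "disable" file to lock one client out, and --ccd-exclusive to admit only clients that have a file) are easy to get subtly wrong on a live server, so here is a small helper that applies them and predicts the server's verdict for a given certificate common name. This is an added example, not code from the thread, from OpenVPN or from TrueNAS. It assumes the CN is used unmodified as the CCD filename, that "disable" sits on a line of its own in the file, and it works in a temporary directory rather than the thread's /etc/openvpn/ccd so it can be run anywhere; the client names are the ones used in the thread plus a constructed one.

```shell
#!/bin/sh
# Added example (not from the thread or OpenVPN's own code): apply the two
# client-config-dir controls and predict the server's decision for a CN.
# Assumptions: CN is used as the CCD filename unmodified and "disable"
# appears on a line of its own.
set -eu

# Assumption: the directory the server's "client-config-dir" option points at.
# A temporary directory is used here so the demo runs anywhere.
CCD=${CCD:-$(mktemp -d)}
# 1 if the server config also carries "ccd-exclusive", 0 otherwise.
CCD_EXCLUSIVE=${CCD_EXCLUSIVE:-1}

# Refuse names that could escape the CCD directory when used as a filename.
check_cn() {
    case $1 in
        ''|*/*|.|..) echo "bad common name: '$1'" >&2; return 1 ;;
    esac
}

# Block a client (the thread's: echo disable > /etc/openvpn/ccd/rob0).
ccd_disable() { check_cn "$1" && printf 'disable\n' > "$CCD/$1"; }

# Admit a client under ccd-exclusive (the thread's: touch /etc/openvpn/ccd/Catalyph).
ccd_enable() { check_cn "$1" && : > "$CCD/$1"; }

# Drop the file (the thread's rm/mv); under ccd-exclusive this also blocks.
ccd_remove() { check_cn "$1" && rm -f "$CCD/$1"; }

# Predict the server's verdict for a client whose cert CN is $1.
# Prints "allow" or "deny"; returns 0 for allow, 1 for deny.
ccd_decide() {
    check_cn "$1" || { echo deny; return 1; }
    f=$CCD/$1
    if [ -f "$f" ]; then
        if grep -qx 'disable' "$f"; then echo deny; return 1; fi
        echo allow; return 0
    fi
    if [ "$CCD_EXCLUSIVE" = 1 ]; then echo deny; return 1; fi
    echo allow; return 0
}

# List every client currently locked out by a "disable" file: a quick audit
# to run before and after handling an incident.
ccd_list_disabled() {
    for f in "$CCD"/*; do
        if [ -f "$f" ] && grep -qx 'disable' "$f"; then basename "$f"; fi
    done
    return 0
}

# Demo with the names used in the thread (constructed state, not a real server).
ccd_enable Catalyph
ccd_disable rob0
for cn in Catalyph rob0 someone-else; do
    printf '%-14s -> %s\n' "$cn" "$(ccd_decide "$cn")"
done
printf 'disabled: %s\n' "$(ccd_list_disabled | tr '\n' ' ')"
```

Both files only take effect for new handshakes, which is why rob0 adds the reminder about killing the existing session through the --management interface; the helper's verdict is about the next connection attempt, not the one already up.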

Catalyph
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 09, 2021 10:00 pm

Re: TrueNas OpenVPN Certificate revoke

Post by Catalyph » Sat Jul 10, 2021 5:31 pm

Pippin wrote:
Sat Jul 10, 2021 12:48 pm
Hi,

Please try TrueNAS support forums.
Yes, tried that. Basically a moderator told me it's not their problem, go ask OpenVPN, as it is a bog-standard implementation of OpenVPN (which I don't think it is, otherwise I would not have this issue). Then they proceeded to remove the thread in which I was trying to demonstrate it was not a standard implementation.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TrueNas OpenVPN Certificate revoke

Post by TinCanTech » Sat Jul 10, 2021 5:44 pm

According to the TrueNAS documentation, you MUST create your own PKI, so how did you do that?
TrueNAS wrote: Before configuring TrueNAS as either an OpenVPN Server or Client, you will need an existing public key infrastructure (PKI) with Certificates and Certificate Authorities created in or imported to TrueNAS.
https://www.truenas.com/docs/core/services/openvpn/

Catalyph
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 09, 2021 10:00 pm

Re: TrueNas OpenVPN Certificate revoke

Post by Catalyph » Sat Jul 10, 2021 5:50 pm

openvpn_inc wrote:
Sat Jul 10, 2021 1:08 pm
Your thinking was quite correct. This is why we recommend against using the --duplicate-cn option; so that any single compromised client can easily be blocked.

I can't help you with the specifics of your TrueNAS server and (what I suppose is) its integrated CA management utility, but I can explain a bit about the openvpn side of it, and I'll give you other options for access control.

First, the option you need on the server is --crl-verify; this tells openvpn where to find the CRL (certificate revocation list) and what to do with it. Please refer to the manual for all the details. It only works if your CA properly publishes the CRL, of course.

Next, there are a couple of simpler options for server-side access control that do not need to involve the TLS CA nor revocation at all. If you create a --client-config-dir you can --disable a client by making a file with its certificate CN as the filename. For example if you had a client common name of "rob0" and you wanted to get rid of the scoundrel, and your CCD is /etc/openvpn/ccd, just do:

echo disable > /etc/openvpn/ccd/rob0

and you'll never have to put up with that client again (be sure of course to kill any existing connection in the --management interface.)

My personal favorite also involves using a CCD, but in reverse. With the --ccd-exclusive option set, only clients with files in the CCD (where again, the filename matches the certificate common name) are allowed to connect. This requires a bit of coordination between the server admin and the CA manager, but on any openvpn I have ever run, I was both of those at the same time, so it wasn't a problem. :) When you create a new client, and the certificate common name is "Catalyph", simply:

touch /etc/openvpn/ccd/Catalyph

to enable the new client to connect. And rm(1) is the way to block any user; just delete (or mv/rename) the file.

I hope this helps, regards, rob0
This was VERY helpful!
Thanks. I hope you don't mind a few more questions.

In TrueNAS I think they have their own certificate management; there is a .crl file in the CA directory that TrueNAS uses (/etc/certificates/CA). Where do I specify this option --crl-verify, and how do I create or modify the current .crl file that is there?

For the --client-config-dir, where do I specify this: in the OpenVPN server config file, or is it an executed option?

--ccd-exclusive: is this specified in the OpenVPN server config file?
If the CN is the same on all the certificates, is there another option? I like this idea and will change the CN on future certificates.
I can set the directory to the TrueNAS certificate directory, and when a cert is created in TrueNAS it will be in that directory by default and therefore enabled; I will just need to remove it from that DIR!

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: TrueNas OpenVPN Certificate revoke

Post by openvpn_inc » Sun Jul 11, 2021 1:03 pm

Catalyph wrote:
Sat Jul 10, 2021 5:50 pm
This was VERY helpful!
Thanks. I hope you don't mind a few more questions.
That's why we are here!
Catalyph wrote:
Sat Jul 10, 2021 5:50 pm
In TrueNAS I think they have their own certificate management; there is a .crl file in the CA directory that TrueNAS uses (/etc/certificates/CA). Where do I specify this option --crl-verify, and how do I create or modify the current .crl file that is there?

For the --client-config-dir, where do I specify this: in the OpenVPN server config file, or is it an executed option?

--ccd-exclusive: is this specified in the OpenVPN server config file?
All of these go either on the openvpn command line or in the server's --config file.

Again I know nothing at all about TrueNAS and their certificate management. That is absolutely not an openvpn question. If they (their support desk) don't understand that, I'd worry and consider finding a more competent vendor.
Catalyph wrote:
Sat Jul 10, 2021 5:50 pm
If the CN is the same on all the certificates, is there another option? I like this idea and will change the CN on future certificates.
You definitely need to have unique common names for your certificates.
Catalyph wrote:
Sat Jul 10, 2021 5:50 pm
I can set the directory to the TrueNAS certificate directory, and when a cert is created in TrueNAS it will be in that directory by default and therefore enabled; I will just need to remove it from that DIR!
I doubt it works that way. For example with easyrsa, if you have the CA on the server (which is not recommended, BTW) the server does not care about the CA files. It refers to its own --ca certificate, and if a client presents a certificate signed by the same CA, and that certificate is not in the CRL being checked with --crl-verify, the server is happy with it and allows the connection (subject of course to the other access controls discussed upthread, as well as any scripts you might have which could block a client.)

That question goes back again to TrueNAS, sorry.

Glad we could help! Regards, rob0
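rob0's last answer is the crux of the CRL question: the server only cares that the presented cert chains to its own --ca certificate and is absent from the CRL named by --crl-verify, and it is the CA side that must revoke and republish that CRL. The script below walks through exactly that with a throw-away CA. It is an added example, not code from the thread, from OpenVPN or from TrueNAS; it assumes the openssl command-line tool is installed, uses constructed names (Demo VPN CA, alice, mallory) and a temporary directory in place of TrueNAS's /etc/certificates/CA, and uses openssl verify -crl_check to stand in for the check the server performs at the TLS handshake.

```shell
#!/bin/sh
# Added example, not part of the thread: a throw-away CA built with openssl to
# show what --crl-verify relies on. Names, subjects and paths are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal "openssl ca" config: a database and CRL number are all a CRL needs.
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 30
EOF
: > index.txt
echo 01 > crlnumber

# Self-signed CA: stands in for the CA the server's --ca option points at.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout ca.key -out ca.crt -subj "/CN=Demo VPN CA" -days 30 >/dev/null 2>&1

# Issue a client cert with a unique CN, as the thread insists on.
issue_client() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -days 30 >/dev/null 2>&1
}

# Publish the CRL (signed by the CA). Must run after every revocation, or the
# file --crl-verify reads stays stale and the revoked cert keeps working.
publish_crl() { openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1; }

# CA-side half of revocation: mark the cert revoked, then republish.
revoke_client() {
    openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
    publish_crl
}

# Server-side half, modelled with openssl verify: chain to the CA and reject
# anything listed in the CRL. Prints accept/reject and returns 0/1.
server_verdict() {
    if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1; then
        echo accept; return 0
    fi
    echo reject; return 1
}

issue_client alice
issue_client mallory
publish_crl                      # an empty CRL: nothing revoked yet
echo "alice   before revocation: $(server_verdict alice)"
revoke_client mallory            # mallory's laptop was compromised
echo "mallory after  revocation: $(server_verdict mallory)"
echo "alice   after  revocation: $(server_verdict alice)"   # the other users are untouched
```

On the server, the matching line in the --config file is simply "crl-verify" followed by the path of the published CRL. Two things to keep in mind with this check: the CRL carries a next-update date (default_crl_days above), and openssl's -crl_check treats an expired CRL as a verification failure, so the CA has to republish on a schedule even when nothing is revoked; and revocation, like the CCD controls, only affects new handshakes, so an already-connected client still has to be kicked.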
