We are using topology subnet with static client addresses assigned via ccd. We want only clients with valid client certificates to be given an address, but clients with revoked certificates are still being given one.
After revoking a client on the server ...
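#!/usr/bin/env bash
# Revoke one client's certificate on the OpenVPN server and remove its key
# material and its static ccd entry.
#
# Arguments: $1 - client name (certificate CN; also the keys/ and ccd/ file name)
# Globals:   sources easy-rsa's ./vars (key directory etc.) for revoke-full
# Outputs:   revoke-full's own output on stdout/stderr
# Returns:   0 on success; exits non-zero if a preparatory step fails
set -u

die() { printf '%s\n' "$*" >&2; exit 1; }

client_name=${1:?usage: ${0##*/} <client_name>}

# The name is spliced into paths under keys/ and ccd/; reject anything that
# could escape those directories or glob onto unrelated files.
case $client_name in
  ''|.|..|*/*|*[*?]*) die "invalid client name: $client_name" ;;
esac

cd /etc/openvpn || die "cannot cd to /etc/openvpn"
. ./vars || die "cannot source ./vars"

# revoke-full typically finishes with an 'openssl verify' of the certificate it
# just revoked, which is expected to fail (easy-rsa documents the resulting
# 'error 23' as the success indication), so its exit status is not a usable
# success signal and is deliberately not checked here.
./revoke-full "$client_name" || true

# NOTE(review): revoke-full regenerates the CRL inside easy-rsa's key
# directory (commonly the KEY_DIR set by ./vars). server.conf's crl-verify
# points at /etc/openvpn/crl.pem; if that is not the same file, the daemon
# keeps enforcing a stale CRL and the revoked client still connects and is
# still handed an address. Copy or symlink the fresh CRL there if needed, and
# keep it readable by the unprivileged user/group the daemon drops to.

rm -f -- /etc/openvpn/keys/"$client_name".*
rm -f -- /etc/openvpn/ccd/"$client_name"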
How can this behaviour be turned off?
The answer may be in https://community.openvpn.net/openvpn/w ... Addressing, something to do with ifconfig-pool, but I don't know whether that refers only to the dynamic (free) pool or also includes the static ccd addresses.
server.conf:
# OpenVPN server configuration: topology subnet with static per-client
# addresses assigned from ccd/. Trailing # comments are the file's convention.
ca /etc/openvpn/keys/ca.crt #CA certificate used to validate client certificates
cert /etc/openvpn/keys/server.crt #Server certificate
client-config-dir ccd #Per-client config files (ccd/<name>, e.g. ifconfig-push); path is relative to the working directory
client-to-client #Allow the VPN clients to see each other; drop this if clients do not need to reach one another
comp-lzo #Enable compression. NOTE(review): compressing traffic that mixes secrets with attacker-influenced data can leak those secrets; disable unless required
crl-verify /etc/openvpn/crl.pem #Certificate revocation list. Revocation only bites if THIS file is the CRL that revoke-full regenerates (easy-rsa writes it under its own key directory, so confirm the path) and if it stays readable by nobody/nogroup after the privilege drop below; a stale or unreadable CRL here is the first thing to check when revoked clients still connect
dev tun #Use network tunnelling
dh /etc/openvpn/keys/dh1024.pem #Diffie Hellman parameters; 1024-bit DH is weak by current standards, regenerate at 2048 bits or more
group nogroup #After initialisation change group to nogroup
keepalive 10 120 #Ping clients every 10 s; restart after 120 s no reply
key /etc/openvpn/keys/server.key #Server private key
log-append /var/log/openvpn.log #The general log
management localhost 7505 #Enable daemon management on port 7505. No password is configured, so any local user able to connect to localhost:7505 can control the daemon; consider the optional password-file argument
mssfix 1350 #Max UDP packet size for each TCP packet in the tunnel
persist-key #Don't re-read key files on restart. Required with user nobody
persist-tun #Don't re-open tun device on restart. Required with user nobody
port 1194 #Use port number (default)
proto udp #Use UDP protocol
route 10.42.0.0 255.255.255.252 #Add to routing table. Required for static clients. Netmask may not be best; this /30 lies inside the /16 that the server line below already routes to the tun device, so it appears redundant (confirm before relying on it)
server 10.42.0.0 255.255.0.0 #VPN address range and netmask. The dynamic pool is drawn from this range and may collide with ccd ifconfig-push addresses such as 10.42.23.119; consider an explicit ifconfig-pool that excludes the static range
status /var/log/openvpn-status.log #The status log
tls-auth /etc/openvpn/keys/ta.key 0 #TLS key
topology subnet #Give each tun device an IP address and netmask
user nobody #After initialisation change user to nobody
verb 1 #Logging verbosity. At 1, rejected TLS handshakes (including CRL failures) are barely visible; raise to 3 while debugging why revoked clients still connect
root@openvpn.bluelightav:/etc/openvpn# ll keys/*CW9*
-rw-r--r-- 1 root root 3757 Mar 8 2014 keys/CW9.crt
-rw-r--r-- 1 root root 660 Mar 8 2014 keys/CW9.csr
-rw------- 1 root root 951 Mar 8 2014 keys/CW9.key
root@openvpn.bluelightav:/etc/openvpn# cat ccd/CW9
ifconfig-push 10.42.23.119 255.255.0.0