Server Config
port 1194
proto udp
dev tun0
ca /etc/openvpn/certs/ca.crt # the self signed certificate for the CA
cert /etc/openvpn/certs/server.crt # a certificate for the server
key /etc/openvpn/certs/server.key # This file should be kept secret
crl-verify /etc/openvpn/certs/CRL 'dir'
dh /etc/openvpn/certs/dh2048.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
#user nobody
#group nobody
#persist-key
#persist-tun
status openvpn-status.log
;log openvpn.log
log-append /var/log/openvpn
verb 3
explicit-exit-notify 1
# -- the server line will be inserted after this
server 10.8.0.0 255.255.255.0
Please notice the crl-verify at line 23. I'm using a CRL directory instead of a crl.pem file. That's because I will have many potential users.
Revocation doesn't seem to work, although to be more precise:
* establish a connection
* revoke the certificate
* close the connection
* re-establish the connection ==> it reconnects
It isn't clear what should be in the CRL directory. The manual seems to say that a file with a name that is the decimal number of the certificate is what is needed. In the index and serial files, though, hexadecimal numbers are used. I've tried both.
I'm running as root because running as nobody gave me messages that the key, cert, dh, and ca files couldn't be read. I don't understand why that should be -- I thought that the certs are read prior to the transition to nobody.
Help would be greatly appreciated.
Thanks,
Laura
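The following is an added worked example, not part of the original post and not the poster's own PKI or scripts. It shows what a file in a `crl-verify ... dir` directory has to be named: OpenVPN's OpenSSL backend formats the presented certificate's serial number in decimal (no leading zeros) and then checks whether a file of that name exists in the directory; the file contents are never read. easy-rsa's `index.txt` and `serial` files record the same serial in hexadecimal, which is why a client with serial `0A` in the index needs a file called `10`, not `0A`. The script builds a throwaway CA and client certificate with `openssl` so it runs offline (constructed test data; the serial `0x0A` is chosen to make the hex/decimal difference visible), then revokes the client the way OpenVPN expects and re-checks it the way OpenVPN does. The `bc` fallback and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: maintain an OpenVPN "crl-verify <dir> dir" directory.
# OpenVPN (OpenSSL backend) names revoked certificates by DECIMAL serial;
# easy-rsa's index.txt and serial files show the same value in HEX.
# Assumes openssl(1) is installed.  All paths below are examples.
set -eu

# Print a PEM certificate's serial as OpenVPN formats it: decimal.
cert_serial_dec() {   # $1 = certificate file
    hex=$(openssl x509 -noout -serial -in "$1" | sed 's/^serial=//')
    if command -v bc >/dev/null 2>&1; then
        # bc copes with the 128-bit random serials easy-rsa 3 issues;
        # it wants uppercase hex digits and wraps long output with '\'.
        dec=$(printf 'ibase=16; %s\n' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" \
              | bc | tr -d '\\\n')
    else
        # Shell arithmetic is 64-bit: refuse rather than silently wrap.
        [ ${#hex} -le 15 ] || { echo "serial too large; install bc" >&2; return 1; }
        dec=$((0x$hex))
    fi
    printf '%s\n' "$dec"
}

# Revoke for dir mode: create an empty file named <decimal serial>.
revoke_in_dir() {   # $1 = certificate file, $2 = CRL directory
    serial=$(cert_serial_dec "$1")
    : > "$2/$serial"
    printf '%s\n' "$serial"
}

# Mirror OpenVPN's own test: revoked iff <dir>/<decimal serial> exists.
is_revoked_in_dir() {   # $1 = certificate file, $2 = CRL directory
    [ -e "$2/$(cert_serial_dec "$1")" ]
}

# Constructed test PKI (not the poster's): CA plus one client with serial 0x0A.
make_test_pki() {   # $1 = work directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ExampleCA \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=laptop \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 0x0A -days 1 -out "$1/client.crt" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CRL_DIR="$WORK/CRL"          # stands in for /etc/openvpn/certs/CRL
mkdir -p "$CRL_DIR"
# OpenVPN consults the directory during every TLS handshake, i.e. after
# --user/--group have dropped privileges, so that user must be able to
# traverse it (the files themselves may be empty).
chmod 0755 "$CRL_DIR"
make_test_pki "$WORK"

echo "index.txt-style serial:     $(openssl x509 -noout -serial -in "$WORK/client.crt")"
echo "dir-mode file name needed:  $(cert_serial_dec "$WORK/client.crt")"
is_revoked_in_dir "$WORK/client.crt" "$CRL_DIR" && echo revoked || echo "not revoked"
revoke_in_dir "$WORK/client.crt" "$CRL_DIR" >/dev/null
is_revoked_in_dir "$WORK/client.crt" "$CRL_DIR" && echo revoked || echo "not revoked"
ls "$CRL_DIR"
```

Two documented OpenVPN behaviours are worth keeping in mind alongside this: the dir-mode lookup happens inside each TLS handshake, so it is performed by the unprivileged `--user`/`--group` identity, and the certificate, key, CA and DH files are re-read on a SIGUSR1 restart (including `--ping-restart` from `keepalive`) unless `persist-key` is set, which is the documented reason `persist-key` is recommended together with `user nobody`.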