TrueNas OpenVPN Certificate revoke

Posted: Sat Jul 10, 2021 4:55 am
by Catalyph
I have TrueNAS 12 and the OpenVPN service up and running with certificates.

I have certs for each user, thinking that if a user cert became compromised it would be easy to revoke the cert to block VPN access.
Well, a user's machine was compromised and the cert has possibly been copied.

How can I revoke the cert in the TrueNAS server? I cannot find a way that works without having the other 30+ users' certs becoming invalid also.

Re: TrueNas OpenVPN Certificate revoke

Posted: Sat Jul 10, 2021 12:48 pm
by Pippin
Hi,

Please try TrueNAS support forums.

Re: TrueNas OpenVPN Certificate revoke

Posted: Sat Jul 10, 2021 1:08 pm
by openvpn_inc
Catalyph wrote:
Sat Jul 10, 2021 4:55 am
I have TrueNAS 12 and the OpenVPN service up and running with certificates.

I have certs for each user, thinking that if a user cert became compromised it would be easy to revoke the cert to block VPN access.
Well, a user's machine was compromised and the cert has possibly been copied.

How can I revoke the cert in the TrueNAS server? I cannot find a way that works without having the other 30+ users' certs becoming invalid also.
Your thinking was quite correct. This is why we recommend against using the --duplicate-cn option; so that any single compromised client can easily be blocked.

I can't help you with the specifics of your TrueNAS server and (what I suppose is) its integrated CA management utility, but I can explain a bit about the openvpn side of it, and I'll give you other options for access control.

First, the option you need on the server is --crl-verify; this tells openvpn where to find the CRL (certificate revocation list) and what to do with it. Please refer to the manual for all the details. It only works if your CA properly publishes the CRL, of course.

Next, there are a couple of simpler options for server-side access control that do not need to involve the TLS CA nor revocation at all. If you create a --client-config-dir you can --disable a client by making a file with its certificate CN as the filename. For example if you had a client common name of "rob0" and you wanted to get rid of the scoundrel, and your CCD is /etc/openvpn/ccd, just do:

echo disable >  /etc/openvpn/ccd/rob0
and you'll never have to put up with that client again (be sure of course to kill any existing connection in the --management interface.)

My personal favorite also involves using a CCD, but in reverse. With the --ccd-exclusive option set, only clients with files in the CCD (where again, the filename matches the certificate common name) are allowed to connect. This requires a bit of coordination between the server admin and the CA manager, but on any openvpn I have ever run, I was both of those at the same time, so it wasn't a problem. :) When you create a new client, and the certificate common name is "Catalyph", simply:

touch /etc/openvpn/ccd/Catalyph
to enable the new client to connect. And rm(1) is the way to block any user; just delete (or mv/rename) the file.

I hope this helps, regards, rob0
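As an added example (not code from this thread, from TrueNAS or from the OpenVPN project), here is a small POSIX shell helper that manages a client-config-dir the way rob0 describes: a file named after the certificate CN enables a client, a file containing "disable" blocks it, and with --ccd-exclusive a missing file blocks it too. The CCD path, the CN character rule and the ccd_allowed mirror of the server's decision are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example: maintain an OpenVPN CCD used as an allow list.
# Assumed server config lines (in the server's --config file):
#   client-config-dir /etc/openvpn/ccd
#   ccd-exclusive
CCD="${CCD:-/etc/openvpn/ccd}"   # assumed location; override via environment

# Our own policy (stricter than OpenVPN, which remaps unsafe characters):
# refuse any CN that is empty, a dot entry, or contains characters we do not
# want in a filename, so a CN can never escape the CCD directory.
ccd_valid_cn() {
    case "$1" in
        ''|.|..|*/*|*[!A-Za-z0-9_.@-]*) return 1 ;;
    esac
    return 0
}

# Enable a client: an empty file named after the cert CN (this also clears
# a previous "disable" line, re-enabling the client).
ccd_enable() {
    ccd_valid_cn "$1" || return 1
    : > "$CCD/$1"
}

# Block a client but keep its entry: the CCD file contains "disable".
# Afterwards terminate any live session via the --management interface.
ccd_disable() {
    ccd_valid_cn "$1" || return 1
    echo disable > "$CCD/$1"
}

# Remove the entry entirely; under --ccd-exclusive this blocks the client.
ccd_remove() {
    ccd_valid_cn "$1" || return 1
    rm -f "$CCD/$1"
}

# Mirror of the server-side decision under --ccd-exclusive: allowed only if
# a CCD file exists for the CN and it carries no "disable" directive.
ccd_allowed() {
    ccd_valid_cn "$1" || return 1
    [ -f "$CCD/$1" ] || return 1
    ! grep -q '^disable' "$CCD/$1"
}
```

Run it with the CCD variable pointed at a scratch directory first; each function returns non-zero on a rejected CN, so it can be used from cron or a provisioning script.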

Re: TrueNas OpenVPN Certificate revoke

Posted: Sat Jul 10, 2021 5:31 pm
by Catalyph
Pippin wrote:
Sat Jul 10, 2021 12:48 pm
Hi,

Please try TrueNAS support forums.
Yes, tried that. Basically a moderator told me it's not their problem, go ask OpenVPN, as it is a bog-standard implementation of OpenVPN (which I don't think it is, otherwise I would not have this issue). Then they proceeded to remove the thread in which I was trying to demonstrate it was not a standard implementation.

Re: TrueNas OpenVPN Certificate revoke

Posted: Sat Jul 10, 2021 5:44 pm
by TinCanTech
According to the TrueNAS documentation, you MUST create your own PKI, so how did you do that?
TrueNAS wrote:
Before configuring TrueNAS as either an OpenVPN Server or Client, you will need an existing public key infrastructure (PKI) with Certificates and Certificate Authorities created in or imported to TrueNAS.
https://www.truenas.com/docs/core/services/openvpn/

Re: TrueNas OpenVPN Certificate revoke

Posted: Sat Jul 10, 2021 5:50 pm
by Catalyph
openvpn_inc wrote:
Sat Jul 10, 2021 1:08 pm
Catalyph wrote:
Sat Jul 10, 2021 4:55 am
I have TrueNAS 12 and the OpenVPN service up and running with certificates.

I have certs for each user, thinking that if a user cert became compromised it would be easy to revoke the cert to block VPN access.
Well, a user's machine was compromised and the cert has possibly been copied.

How can I revoke the cert in the TrueNAS server? I cannot find a way that works without having the other 30+ users' certs becoming invalid also.
Your thinking was quite correct. This is why we recommend against using the --duplicate-cn option; so that any single compromised client can easily be blocked.

I can't help you with the specifics of your TrueNAS server and (what I suppose is) its integrated CA management utility, but I can explain a bit about the openvpn side of it, and I'll give you other options for access control.

First, the option you need on the server is --crl-verify; this tells openvpn where to find the CRL (certificate revocation list) and what to do with it. Please refer to the manual for all the details. It only works if your CA properly publishes the CRL, of course.

Next, there are a couple of simpler options for server-side access control that do not need to involve the TLS CA nor revocation at all. If you create a --client-config-dir you can --disable a client by making a file with its certificate CN as the filename. For example if you had a client common name of "rob0" and you wanted to get rid of the scoundrel, and your CCD is /etc/openvpn/ccd, just do:

echo disable >  /etc/openvpn/ccd/rob0
and you'll never have to put up with that client again (be sure of course to kill any existing connection in the --management interface.)

My personal favorite also involves using a CCD, but in reverse. With the --ccd-exclusive option set, only clients with files in the CCD (where again, the filename matches the certificate common name) are allowed to connect. This requires a bit of coordination between the server admin and the CA manager, but on any openvpn I have ever run, I was both of those at the same time, so it wasn't a problem. :) When you create a new client, and the certificate common name is "Catalyph", simply:

touch /etc/openvpn/ccd/Catalyph
to enable the new client to connect. And rm(1) is the way to block any user; just delete (or mv/rename) the file.

I hope this helps, regards, rob0
This was VERY helpful!
Thanks. I hope you don't mind a few more questions.

In TrueNAS I think they have their own certificate management; there is a .crl file in the CA directory that TrueNAS uses (/etc/certificates/CA). Where do I specify this option --crl-verify, and how do I create or modify the current .crl file that is there?

For the --client-config-dir, where do I specify this: in the OpenVPN server config file, or is it an executed option?

--ccd-exclusive: is this specified in the OpenVPN server config file?
If the CN is the same on all the certificates, is there another option? I like this idea and will change the CN on future certificates.
I can set the directory to the TrueNAS certificate directory, and when a cert is created in TrueNAS it will be in that directory by default and therefore enabled, and I will just need to remove it from that dir!

Re: TrueNas OpenVPN Certificate revoke

Posted: Sun Jul 11, 2021 1:03 pm
by openvpn_inc
Catalyph wrote:
Sat Jul 10, 2021 5:50 pm
This was VERY helpful!
Thanks. I hope you don't mind a few more questions.
That's why we are here!
Catalyph wrote:
Sat Jul 10, 2021 5:50 pm
In TrueNAS I think they have their own certificate management; there is a .crl file in the CA directory that TrueNAS uses (/etc/certificates/CA). Where do I specify this option --crl-verify, and how do I create or modify the current .crl file that is there?

For the --client-config-dir, where do I specify this: in the OpenVPN server config file, or is it an executed option?

--ccd-exclusive: is this specified in the OpenVPN server config file?
All of these go either on the openvpn command line or in the server's --config file.

Again I know nothing at all about TrueNAS and their certificate management. That is absolutely not an openvpn question. If they (their support desk) don't understand that, I'd worry and consider finding a more competent vendor.
Catalyph wrote:
Sat Jul 10, 2021 5:50 pm
If the CN is the same on all the certificates, is there another option? I like this idea and will change the CN on future certificates.
You definitely need to have unique common names for your certificates.
Catalyph wrote:
Sat Jul 10, 2021 5:50 pm
I can set the directory to the TrueNAS certificate directory, and when a cert is created in TrueNAS it will be in that directory by default and therefore enabled, and I will just need to remove it from that dir!
I doubt it works that way. For example with easyrsa, if you have the CA on the server (which is not recommended, BTW) the server does not care about the CA files. It refers to its own --ca certificate, and if a client presents a certificate signed by the same CA, and that certificate is not in the CRL being checked with --crl-verify, the server is happy with it and allows the connection (subject of course to the other access controls discussed upthread, as well as any scripts you might have which could block a client.)

That question goes back again to TrueNAS, sorry.

Glad we could help! Regards, rob0