Revoking User's Access to OpenVPN after access is granted using certificates

[adarshmadrecha]

Using v12 (U2) of Truenas, have setup Open VPN without installing any additional tools, just using the GUI.
Currently I have 7 users. Each have their own Client Certificate & hence also their own .ovpn config file. They are able to access the NAS remotely when connected to VPN.

My Question, say a user leaves the organization, how do I revoke the access?
I have tried deleting the client certificate from the `System > Certificates`, but this does not revoke the access to VPN. The user still have access to connect to VPN.
I am looking for the "Button" or some location where I can specify these users should not be able to access the VPN from now.

I have also tried changing the certificate authority. It revokes access to all the users.
So, this method is there as a backup plan. But then I have to again create all the certificates for server and clients (users).
Since this is an common problem faced, looking for a solution which does not involves reissue of certificate for all the users.

 

[JohnDigital]

What about deleting the client cert and restarting the OVPN server? Im not really sure as I only just noticed the built in OVPN this week, been tinkering it.

 

[adarshmadrecha]

@John Digital , I tried that. It does not revoke the access.

 

[Samuel Tai]

The client cert itself has to be revoked.

 

[adarshmadrecha]

The client cert itself has to be revoked.

How do revoke the certificate?

 

[Samuel Tai]

There no way in the GUI that I can see, so you'll need to revoke the cert using openssl.

https://tldp.org/HOWTO/SSL-Certificates-HOWTO/x195.html

 

[jgreco]

You also need to have OpenVPN configured to support certificate revocation lists.

Interestingly, I am deep in the guts of this right now because I'm updating from OpenVPN 2.4 to 2.5 and rearchitecting some of this, which isn't helpful to you on FreeNAS, alas.

OpenVPN's support for certificate revocation is entirely external and based entirely on the contents of a CRL file, the name of which is supplied to OpenVPN via the --crl-verify command line option or crl-verify .ovpn directive. Certificates listed in the CRL file will be disconnected. I think recent OpenVPN clients give some sort of error that is vaguely humanly decipherable, but I don't have a revoked test cert right now and that's based off a memory of stuff I did months ago.

So you will need to see if crl-verify is supported, and if so, you then need to create and provide a .crl file.

 

[cyanofresh]

I think at least we should have an instructuin how to revoke certificate using Shell

 

[jgreco]

I think at least we should have an instructuin how to revoke certificate using Shell

This is basically a community-driven forum, and the way for there to be more detailed instructions is for someone to figure out the actual specifics and then to feed that back to the community. None of us are being paid by iXsystems to provide technical support, and part of the hazard of free software products is that you do not have a vendor you are paying whose throat you can choke until they cough up an answer. This means that it is useless to imply that someone else should figure this out and provide it to you; if someone wanted to, they probably would have already.

That's the fancy way of saying that you probably need to do some of the work here, unless someone else suddenly appears with the answer figured out.

Follow the link that @Samuel Tai provided, and combine it with the additional information I provided, and you should get a solution. Feel free to come back and post the specific details if you would like.

I'm happy to provide general information on the process as I've got a number of OpenVPN implementations that actually do support CRL's, but these are not based on FreeNAS for either the OpenVPN or CA bits, so while the overall design is the same as what it would need to be on FreeNAS, the specifics are different, and I don't have any interest in trying to figure out the FreeNAS specifics, even if I had an easy way to do it, which I do not, since all my NAS units are heavily insulated from the Internet.