Your OpenVPN setup is working perfectly, and everyone is happy. You've just gotten the news that an employee has left the company, or perhaps one of your road warriors has lost a laptop. At any rate, you need to terminate a user's access. How is this done?
Change to the /etc/openvpn/easy-rsa/ directory on the server, and run these two commands, using the name of the client certificate you need to revoke:
# . ./vars
# ./revoke-full stinkpad
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Revoking Certificate 01.
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
stinkpad.crt: /C=US/ST=NA/O=Alrac.net-test/CN=openvpnclient-stinkpad/emailAddress=carla@alrac.net
error 23 at 0 depth lookup:certificate revoked
error 23 means your revocation was successful. You'll see a new file, /etc/openvpn/easy-rsa/keys/crl.pem, that contains your certificate revocation list.
Now, you need to add this line to your server configuration file:
crl-verify /etc/openvpn/easy-rsa/crl.pem
Restart the OpenVPN server:
# /etc/init.d/openvpn restart
You're done, and the user is locked out. For future revocations, you don't need to restart the server. If the user is connected, OpenVPN will kick them off in an hour anyway when it negotiates new send and receive keys.
Or, you can send a SIGHUP, and kick them off immediately:
# /etc/init.d/openvpn reload
This flushes all clients, but they shouldn't notice any disruption. Except the one you kicked off.
When a user forgets their passphrase, you can revoke their certificate, then create a new one using the same common name.
Make sure that crl.pem is world-readable.
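As an added check (example code, not part of the original recipe), the functions below confirm that a client's certificate really is listed in the CRL and that the CRL is world-readable and referenced by a crl-verify line, so a lockout is not assumed until both hold. They assume only the openssl command-line tool; the CRL, certificate and config paths are arguments, so they can point at the recipe's easy-rsa directories.

```shell
# Added example, not from the recipe: verify a revocation actually took effect.
# Assumes only the openssl command-line tool is installed.
set -u

# Print a PEM certificate's serial number as upper-case hex (no "serial=").
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'a-f' 'A-F'
}

# List every serial number revoked in a PEM CRL, one per line.
crl_serials() {
    openssl crl -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Serial Number: *\([0-9A-Fa-f]*\).*/\1/p' \
        | tr 'a-f' 'A-F'
}

# cert_is_revoked CRL CERT: exit 0 if CERT's serial is in CRL, 1 if it is
# not, 2 if the certificate cannot be read at all.
cert_is_revoked() {
    serial=$(cert_serial "$2") || return 2
    crl_serials "$1" | grep -qx "$serial"
}

# crl_deployment_ok CRL SERVER_CONF: exit 0 only if CRL exists, is
# world-readable (the recipe requires this) and SERVER_CONF names it in a
# crl-verify line; otherwise explain the problem on stderr and exit 1.
crl_deployment_ok() {
    [ -r "$1" ] || { echo "no CRL at $1" >&2; return 1; }
    perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$perms" in
        *[4567]) ;;
        *) echo "$1 is not world-readable (mode $perms)" >&2; return 1 ;;
    esac
    grep -q "^crl-verify[[:space:]][[:space:]]*$1[[:space:]]*\$" "$2" ||
        { echo "no 'crl-verify $1' line in $2" >&2; return 1; }
}
```

Run it after each revoke-full, e.g. `cert_is_revoked /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/easy-rsa/keys/stinkpad.crt && echo revoked`.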
You should also add these lines to your server configuration:
ping-timer-rem
persist-tun
ping-timer-rem doesn't start clocking ping timeouts until clients actually connect. persist-tun keeps the tunnel open even when SIGHUPs or ping restarts occur.
man 8 openvpn
OpenVPN How-to: http://openvpn.net/howto.html
man 7 signal