From: Lonnie A. <li...@lo...> - 2017-09-12 14:15:57
On Sep 12, 2017, at 5:13 AM, Michael Keuter <li...@mk...> wrote:

> BTW: Instead of disabling a client in the WebGUI, you could also delete the appropriate key files in "/mnt/kd/openvpn/webinterface/keys/"
> in case you don't need them anymore.

No Michael, that does not work. The OpenVPN server does not need the client cert/key, but requires the client cert to have been signed by the root OpenVPN CA (ca.crt/ca.key).

For reference from the OpenVPN docs:
Ref: https://openvpn.net/index.php/open-source/documentation/howto.html

One solution to limit client access is by using "tls-verify" and a script, which we currently do in the Web Interface when you "Disable" a client; the OVPN_VALIDCLIENTS rc.conf variable is used.

After some testing today, there is an alternate solution by using "crl-verify". For example, let's revoke "client1":

## Find the client1.crt serial number (in hex)
pbx ~ # openssl x509 -serial -noout -in /mnt/kd/openvpn/webinterface/keys/client1.crt
serial=53C99883

## OpenVPN requires the serial number in decimal, convert from hex
pbx ~ # printf '%d\n' 0x53C99883
1405720707

## Create the "crl" directory
pbx ~ # mkdir /mnt/kd/openvpn/crl

## Create an empty file using the decimal serial number
pbx ~ # touch /mnt/kd/openvpn/crl/1405720707

## Finally, add a raw command to the Network tab -> OpenVPN Server Configuration
## Note: the 'dir' flag indicates /mnt/kd/openvpn/crl is a directory
--
Raw Commands:
crl-verify /mnt/kd/openvpn/crl dir
--

## Restart OpenVPN Server

Now every time a client attempts to connect it will check the /mnt/kd/openvpn/crl directory for a matching serial number. If there is a match, verification fails and you will see this log:
--
VERIFY CRL: certificate serial number 1405720707 is revoked
--

Files in the /mnt/kd/openvpn/crl directory can be added or removed without restarting OpenVPN server.

Please test for yourself.

Lonnie
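The procedure in the e-mail above, as an added example that is not part of Lonnie's message or of AstLinux: a small POSIX sh script that wraps the hex-to-decimal conversion and the crl directory handling for OpenVPN's "crl-verify <dir> dir" mode. The paths are taken from the e-mail and are assumptions (override CRL_DIR / KEY_DIR for another system); the script name and the function names are hypothetical. The conversion deliberately avoids printf '%d', which only holds 63-bit values and fails with "out of range" on longer serials (newer easy-rsa releases issue random 128-bit serials), and rejects anything that is not hex so a bad input cannot silently map to the directory itself.

```shell
#!/bin/sh
# ovpn-crl.sh (hypothetical name): revoke/unrevoke OpenVPN clients by
# certificate serial for "crl-verify /mnt/kd/openvpn/crl dir".
# Added example, not AstLinux code. Paths are assumptions from the e-mail.
CRL_DIR="${CRL_DIR:-/mnt/kd/openvpn/crl}"
KEY_DIR="${KEY_DIR:-/mnt/kd/openvpn/webinterface/keys}"

# Convert a hex serial (as printed by "openssl x509 -serial -noout", with or
# without the "serial=" prefix, "0x", or colons) to the decimal string OpenVPN
# looks up as a file name.  Schoolbook base conversion over base-1e9 limbs, so
# serials of any length work, unlike printf '%d' which stops at 63 bits.
hex_to_dec() {
    h=$(printf '%s' "$1" | sed -e 's/^serial=//' -e 's/^0[xX]//' -e 's/://g')
    case "$h" in
        '' | *[!0-9A-Fa-f]*) echo "hex_to_dec: invalid hex serial: '$1'" >&2; return 1 ;;
    esac
    limbs=""                        # least significant limb first
    rest=$h
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}       # first remaining hex digit
        rest=${rest#?}
        carry=$(( 0x$d ))
        new=""
        for limb in $limbs; do      # limb*16 + carry, 9 decimal digits per limb
            v=$(( limb * 16 + carry ))
            new="$new $(( v % 1000000000 ))"
            carry=$(( v / 1000000000 ))
        done
        [ "$carry" -gt 0 ] && new="$new $carry"
        limbs=$new
    done
    rev=""
    for limb in $limbs; do rev="$limb $rev"; done   # most significant first
    out=""
    for limb in $rev; do
        if [ -z "$out" ]; then out=$limb; else out="$out$(printf '%09d' "$limb")"; fi
    done
    printf '%s\n' "${out:-0}"
}

# An empty file named with the decimal serial in CRL_DIR is all that OpenVPN's
# dir mode checks at connect time; no server restart is needed either way.
revoke_serial()   { dec=$(hex_to_dec "$1") || return 1; mkdir -p "$CRL_DIR" && touch "$CRL_DIR/$dec"; }
unrevoke_serial() { dec=$(hex_to_dec "$1") || return 1; rm -f "$CRL_DIR/$dec"; }
is_revoked()      { dec=$(hex_to_dec "$1") || return 1; [ -e "$CRL_DIR/$dec" ]; }

# CLI: ./ovpn-crl.sh revoke|unrevoke|check client1   (reads KEY_DIR/client1.crt)
if [ $# -eq 2 ]; then
    hex=$(openssl x509 -serial -noout -in "$KEY_DIR/$2.crt") || exit 1
    case "$1" in
        revoke)   revoke_serial "$hex" ;;
        unrevoke) unrevoke_serial "$hex" ;;
        check)    if is_revoked "$hex"; then echo "$2 is revoked"; else echo "$2 is not revoked"; fi ;;
        *)        echo "usage: $0 revoke|unrevoke|check <client>" >&2; exit 1 ;;
    esac
fi
```

Serial numbers are only unique per issuing CA, which is fine here because every client certificate is signed by the single OpenVPN CA; if you ever re-issue a certificate for the same client name, the new certificate gets a new serial and the old file in the crl directory keeps blocking only the old one.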