Discussion:
[Openvpn-users] How to remove users from the OpenVPN Server?
Flavio
2009-12-02 13:30:52 UTC
Hello,

I searched a lot using Google, and browsed the OpenVPN documentation,
but I still can't definitely remove a user from my OpenVPN server.
I use Gentoo Linux and the version I have installed is 2.1_rc15.

The first thing I did is to go to the /usr/share/openvpn/easy-rsa
directory and perform the following command:
source ./vars
./revoke-full username

But now, even though the user can't connect to my openvpn server,
files (i.e. keys and certificates and *.pem files)
still remain on the server. I could remove them manually, sure, but
I'm not sure if it is correct.
For example, there are a lot of XX.pem files and I don't know which
xx.pem file is "owned" by "username_x", so
I can't delete an xx.pem file if I'm not sure it is related to a
certain unallowed user.

I also read I should issue something like "openvpn --crl-verify
../crl.pem", but I still get a lot of trouble..
(interface is missing and many more errors).

Please, could you tell me how to clean my openvpn server from keys and
certificates no longer useful?
Thank you,

Flavio
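One way to answer the "which xx.pem file is owned by which user" question from easy-rsa's own bookkeeping, as an added example that is not part of this thread: it reads the index.txt database that 'openssl ca' (and therefore easy-rsa) maintains next to the XX.pem files; the sample entries, CNs and dates below are constructed.

```shell
#!/bin/sh
# Which XX.pem belongs to which user: read the 'openssl ca' database (index.txt)
# that easy-rsa keeps in its keys directory. Added example, not from the thread;
# the sample entries below are constructed.
#
# index.txt is tab-separated, one certificate per line:
#   status  expiry  revocation-date  serial  filename  subject-DN
#   status: V = valid, R = revoked, E = expired; revocation-date is empty unless R.
#   serial: hex, and 'openssl ca' writes the certificate copy as keys/<serial>.pem

# Print the serial (the XX of XX.pem) issued to an exact CN; prints nothing if unknown.
serial_for_cn() {  # usage: serial_for_cn index.txt CN
    awk -v cn="$2" 'BEGIN { FS = "\t" }
    {
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++) if (parts[i] == ("CN=" cn)) print $4
    }' "$1"
}

# Print "STATUS SERIAL CN" for every entry in the database.
list_entries() {  # usage: list_entries index.txt
    awk 'BEGIN { FS = "\t" }
    {
        cn = "?"
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++) if (index(parts[i], "CN=") == 1) cn = substr(parts[i], 4)
        print $1, $4, cn
    }' "$1"
}

# Print the CNs whose certificates are revoked (status R): exactly what the CRL lists.
revoked_cns() {  # usage: revoked_cns index.txt
    list_entries "$1" | awk '$1 == "R" { print $3 }'
}

# Constructed sample database so the example runs without a real easy-rsa tree.
SAMPLE_INDEX="$(mktemp)"
{
    printf 'V\t191130120000Z\t\t01\tunknown\t/C=IT/O=Example/CN=server/emailAddress=admin@example.test\n'
    printf 'V\t191130120000Z\t\t02\tunknown\t/C=IT/O=Example/CN=user1/emailAddress=user1@example.test\n'
    printf 'R\t191130120000Z\t091202123600Z\t08\tunknown\t/C=IT/O=Example/CN=user8/emailAddress=user8@example.test\n'
} > "$SAMPLE_INDEX"

echo "user8's certificate copy is keys/$(serial_for_cn "$SAMPLE_INDEX" user8).pem"
list_entries "$SAMPLE_INDEX"
echo "revoked: $(revoked_cns "$SAMPLE_INDEX" | tr '\n' ' ')"
```

Point the functions at the real /usr/share/openvpn/easy-rsa/keys/index.txt to map your own 01.pem ... 0A.pem files; the match on the CN is exact, so user1 does not also match user10.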
David Sommerseth
2009-12-02 14:10:39 UTC
Post by Flavio
Hello,
I searched a lot using Google, and browsed the OpenVPN documentation,
but I still can't definitely remove a user from my OpenVPN server.
I use Gentoo Linux and the version I have installed is 2.1_rc15.
The first thing I did is to go to the /usr/share/openvpn/easy-rsa
source ./vars
./revoke-full username
This is a correct approach!
Post by Flavio
But now, even though the user can't connect to my openvpn server,
files (i.e. keys and certificates and *.pem file)
still remain on the server. I could remove them manually, sure, but
I'm not sure if it is correct.
As a matter of fact, no keys or certificates except what is defined in
the openvpn config should reside on the server. The rest should ideally
be located on a box which is not easily reachable. The most paranoid
ones will even say it should not even be on a network.

The CRL file will then "block" the particular certificates listed in the
CRL.
Post by Flavio
For example, there are a lot of XX.pem files and I don't know which
xx.pem file is "owned" by "username_x", so
I can't delete an xx.pem file if I'm not sure it is related to a
certain unallowed user.
I also read I should issue something like "openvpn --crl-verify
../crl.pem", but I still get a lot of trouble..
(interface is missing and many more errors).
You need to use the --crl-verify. But the crl.pem file must be the one
which is generated by easy-rsa. Copy this file and configure OpenVPN to
read this file, that's it.


kind regards,

David Sommerseth
Flavio
2009-12-02 14:38:55 UTC
Thanks a lot David.
Post by David Sommerseth
As a matter of fact, no keys or certificates except what is defined in
the openvpn config should reside on the server.  The rest should ideally
be located on a box which is not easily reachable.  The most paranoid
ones will even say it should not even be on a network.
OK, so as far as I understand the /usr/share/openvpn/easy-rsa/keys
content should be very meagre. I didn't know that, since up to now I
only had the necessity to create users/keys for the VPN and not to
delete them.
Each time I create a user/key/certificate I found all related files
there, and this is an example of the content of my
/usr/share/openvpn/easy-rsa/keys directory:
01.pem 07.pem user1.key user2.csr index.txt.attr
user4.key user6.key serial.old user8.key
02.pem 08.pem ca.crt user2.key index.txt.attr.old
user5.crt user7.crt user8.crt
03.pem 09.pem ca.key user3.crt index.txt.old
user5.csr user7.csr server.csr
04.pem 0A.pem crl.pem user3.csr lol.key
user5.key user7.key server.key
05.pem user1.crt dh1024.pem user3.key user4.crt user6.crt
revoke-test.pem user8.crt
06.pem user1.csr user2.crt index.txt user4.csr user6.csr
serial user8.csr

So, you can see 8 users and 10 pem files... If I want to delete a
user, my idea was to do, for example
./revoke-full user8
rm user8.*
rm xx.pem file related to that user.

Is that correct?

But reading your reply I understand that all these files are not
necessary to the server, isn't it?
I always left them there, because I thought they could be necessary to
the server to communicate to clients.

I also read the content of the serial file, and I noticed that there's
a hexadecimal value which seems to be
a progressive value, identifying what should be the next pem file.

My intent is to completely erase all tracks of a user into my server,
and not only to revoke it.

Unfortunately, the official documentation is obsolete, actually, it
says to use the crl-verify command here:
http://openvpn.net/index.php/open-source/documentation/howto.html#revoke
And it is not giving an example for new openvpn versions, like mine,
which is 2.1 where crl-verify is an option
of the openvpn command.
Post by David Sommerseth
The CRL file will then "block" the particular certificates listed in the
CRL.
I also would like to know how to "un"-revoke certificates, in case I
would like to do that, and
if it is possible of course.
Post by David Sommerseth
You need to use the --crl-verify.  But the crl.pem file must be the one
which is generated by easy-rsa.  Copy this file and configure OpenVPN to
read this file, that's it.
Could you give me more precise example please?


Best regards,

Flavio
Flavio
2009-12-02 15:06:12 UTC
Post by Flavio
I also would like to know how to "un"-revoke certificates, in case I
would like to do that, and
if it is possible of course.
Post by David Sommerseth
You need to use the --crl-verify.  But the crl.pem file must be the one
which is generated by easy-rsa.  Copy this file and configure OpenVPN to
read this file, that's it.
Could you give me more precise example please?
And this is what happens when I use crl-verify:

# openvpn --crl-verify crl.pem
Options error: You must define TUN/TAP device (--dev)
Use --help for more information.

Ok, let's define TUN/TAP device using --dev option too:

# openvpn --dev tun0 --crl-verify crl.pem
Options error: Parameter crl_file can only be specified in TLS-mode,
i.e. where --tls-server or --tls-client is also specified.
Use --help for more information.

And now???

interface tun0 is up as well as the openvpn server.

Flavio
David Sommerseth
2009-12-02 16:31:35 UTC
Post by Flavio
Post by Flavio
I also would like to know how to "un"-revoke certificates, in case I
would like to do that, and
if it is possible of course.
That is not possible, afaik. Then you need to generate a new certificate.
Post by Flavio
Post by Flavio
Post by David Sommerseth
You need to use the --crl-verify. But the crl.pem file must be the one
which is generated by easy-rsa. Copy this file and configure OpenVPN to
read this file, that's it.
Could you give me more precise example please?
# openvpn --crl-verify crl.pem
Options error: You must define TUN/TAP device (--dev)
Use --help for more information.
# openvpn --dev tun0 --crl-verify crl.pem
Options error: Parameter crl_file can only be specified in TLS-mode,
i.e. where --tls-server or --tls-client is also specified.
Use --help for more information.
And now???
You need to add

crl-verify <full path to crl.pem>

in your current openvpn configuration file on your server. F.ex:

crl-verify /etc/openvpn/crl.pem

And then restart OpenVPN on the server.


kind regards,

David Sommerseth
Flavio
2009-12-02 16:43:43 UTC
Post by Flavio
I also would like to know how to "un"-revoke certificates, in case I
would like to do that, and
if it is possible of course.
That is not possible, afaik.  Then you need to generate a new certificate.
Ok, no problem. ;-)
You need to add
       crl-verify <full path to crl.pem>
       crl-verify /etc/openvpn/crl.pem
And then restart OpenVPN on the server.
OK, I did it, but restarting the openvpn server gave me this error in
the openvpn.log:
CRL: cannot read: /usr/share/openvpn/easy-rsa/keys/crl.pem: Permission
denied (errno=13)
And these are the permissions on that file:
-rw-r--r-- 1 root root 552 2009-12-02 13:36 crl.pem
Basically, yes. This should do the magic.
OK, I did it that too!
The server doesn't need those files at all. The SSL certificates in this
directory are signed by the CA found in ca.crt. So when a client
connects to your OpenVPN server, it first looks at the CA which signed
the client certificate (which the client sends over the wire to the
server). If that CA is correct and matching the information found in
ca.crt, it checks the CRL file. If the certificate is not found here,
the client is accepted. If it fails on one of these checks, the client
is rejected.
Thanks for the info.
Revoke the certificate, delete the users certificate and key files. And
if you're really paranoid, hire a muscle man which visits your user and
watches him delete the files on his computer as well ;-)
LOL!
I will do that!!!!! :P Sure! :)
Flavio
2009-12-02 16:48:32 UTC
Post by Flavio
OK, I did it, but restarting the openvpn server gave me this error in
CRL: cannot read: /usr/share/openvpn/easy-rsa/keys/crl.pem: Permission
denied (errno=13)
-rw-r--r-- 1 root root  552 2009-12-02 13:36 crl.pem
OK, I solved...
I moved the /usr/share/openvpn/easy-rsa/keys/crl.pem file in /etc/openvpn
and no more errors in the openvpn.log, but:
wouldn't be that file necessary in /usr/share/openvpn/easy-rsa/keys/crl.pem ??
There would be a reason why the package manager installed that file there.

Best regards,

Flavio
David Sommerseth
2009-12-02 16:51:44 UTC
Post by Flavio
Post by Flavio
OK, I did it, but restarting the openvpn server gave me this error in
CRL: cannot read: /usr/share/openvpn/easy-rsa/keys/crl.pem: Permission
denied (errno=13)
-rw-r--r-- 1 root root 552 2009-12-02 13:36 crl.pem
OK, I solved...
I moved the /usr/share/openvpn/easy-rsa/keys/crl.pem file in /etc/openvpn
wouldn't be that file necessary in /usr/share/openvpn/easy-rsa/keys/crl.pem ??
There would be a reason why the package manager installed that file there.
That file was probably not installed by the package manager. You
probably didn't change the paths in ./vars.sh ... And it got created
when you ran the ./revoke script.


kind regards,

David Sommerseth
Flavio
2009-12-02 16:56:35 UTC
That file was probably not installed by the package manager.  You
probably didn't change the paths in ./vars.sh ... And it got created
when you ran the ./revoke script.
Yes, that could be the reason actually...

And if I make a symlink from /etc/openvpn/crl.pem to
/usr/share/openvpn/easy-rsa/keys/crl.pem ?

I understand all the (security) things you said, thanks a lot for that.

Best regards,

Flavio
David Sommerseth
2009-12-02 17:43:02 UTC
Post by Flavio
Post by David Sommerseth
That file was probably not installed by the package manager. You
probably didn't change the paths in ./vars.sh ... And it got created
when you ran the ./revoke script.
Yes, that could be the reason actually...
And if I make a symlink from /etc/openvpn/crl.pem to
/usr/share/openvpn/easy-rsa/keys/crl.pem ?
No, you will still need to give the user or group openvpn is running as
execute permission on all directories in that path, to allow openvpn to
read that file. A hardlink on the other hand might work better, as that
references the inode on the drive, but that won't work if it is on
different partitions.

And if you at some point decide to try to chroot openvpn, it will again
not be able to read the CRL file again.
Post by Flavio
I understand all the (security) things you said, thanks a lot for that.
But you seem to deliberately try to avoid it by tweaking around it with
symlinks ;-)


kind regards,

David Sommerseth
Flavio
2009-12-02 17:55:31 UTC
Post by David Sommerseth
But you seem to deliberately try to avoid it by tweaking around it with
symlinks ;-)
Yes, but it's only a simple question!! :P
I won't do that actually! :-)

Thank you,

Flavio
David Sommerseth
2009-12-02 16:50:41 UTC
Post by Flavio
Post by Flavio
I also would like to know how to "un"-revoke certificates, in case I
would like to do that, and
if it is possible of course.
That is not possible, afaik. Then you need to generate a new certificate.
Ok, no problem. ;-)
You need to add
crl-verify <full path to crl.pem>
crl-verify /etc/openvpn/crl.pem
And then restart OpenVPN on the server.
OK, I did it, but restarting the openvpn server gave me this error in
CRL: cannot read: /usr/share/openvpn/easy-rsa/keys/crl.pem: Permission
denied (errno=13)
-rw-r--r-- 1 root root 552 2009-12-02 13:36 crl.pem
Have you tried copying /usr/share/openvpn/easy-rsa/keys/crl.pem to
/etc/openvpn/crl.pem? And using that path instead?

To grant the OpenVPN process privileges to read
/usr/share/openvpn/easy-rsa/keys/ is a very very very bad idea. OpenVPN
should never ever read files in the CA directory. Never. Ever. If an
unknown OpenVPN bug appears, it could leak key information to an
attacker. Or other unprivileged users on that box could get access to
files they really should not be able to access.

That's why the most paranoid people save this directory on a box which
is never connected to a network and only copy .crt and .key files out
and send them directly to the clients. OpenVPN never ever needs to read
these files. The OpenVPN server only needs ca.crt, server.key and
server.crt. That's basically it. And when you revoke certificates, it
needs an updated crl.pem.


kind regards,

David Sommerseth
David Sommerseth
2009-12-02 16:37:40 UTC
Post by Flavio
Thanks a lot David.
Post by David Sommerseth
As a matter of fact, no keys or certificates except what is defined in
the openvpn config should reside on the server. The rest should ideally
be located on a box which is not easily reachable. The most paranoid
ones will even say it should not even be on a network.
OK, so as far as I understand the /usr/share/openvpn/easy-rsa/keys
content should
be very meagre. I didn't know that, since up to now I only had the
necessity to create
users/keys for the VPN and not to delete them.
Each time I create a user/key/certificate I found all related files
there, and this is an
01.pem 07.pem user1.key user2.csr index.txt.attr
user4.key user6.key serial.old user8.key
02.pem 08.pem ca.crt user2.key index.txt.attr.old
user5.crt user7.crt user8.crt
03.pem 09.pem ca.key user3.crt index.txt.old
user5.csr user7.csr server.csr
04.pem 0A.pem crl.pem user3.csr lol.key
user5.key user7.key server.key
05.pem user1.crt dh1024.pem user3.key user4.crt user6.crt
revoke-test.pem user8.crt
06.pem user1.csr user2.crt index.txt user4.csr user6.csr
serial user8.csr
So, you can see 8 users and 10 pem files... If I want to delete a
user, my idea was to do, for example
./revoke-full user8
rm user8.*
rm xx.pem file related to that user.
Is that correct?
Basically, yes. This should do the magic.
Post by Flavio
But reading your reply I understand that all these files are not
necessary to the server, isn't it?
I always left them there, because I thought they could be necessary to
the server to communicate to clients.
The server doesn't need those files at all. The SSL certificates in this
directory are signed by the CA found in ca.crt. So when a client
connects to your OpenVPN server, it first looks at the CA which signed
the client certificate (which the client sends over the wire to the
server). If that CA is correct and matching the information found in
ca.crt, it checks the CRL file. If the certificate is not found here,
the client is accepted. If it fails on one of these checks, the client
is rejected.
Post by Flavio
I also read the content of the serial file, and I noticed that there's
a hexadecimal value which seems to be
a progressive value, identifying what should be the next pem file.
My intent is to completely erase all tracks of a user into my server,
and not only to revoke it.
Revoke the certificate, delete the users certificate and key files. And
if you're really paranoid, hire a muscle man which visits your user and
watches him delete the files on his computer as well ;-)
Post by Flavio
Unfortunately, the official documentation is obsolete, actually, it
http://openvpn.net/index.php/open-source/documentation/howto.html#revoke
And it is not giving an example for new openvpn versions, like mine,
which is 2.1 where crl-verify is an option
of the openvpn command.
Post by David Sommerseth
The CRL file will then "block" the particular certificates listed in the
CRL.
I also would like to know how to "un"-revoke certificates, in case I
would like to do that, and
if it is possible of course.
Not possible, afaik.
Post by Flavio
Post by David Sommerseth
You need to use the --crl-verify. But the crl.pem file must be the one
which is generated by easy-rsa. Copy this file and configure OpenVPN to
read this file, that's it.
Could you give me more precise example please?
in your OpenVPN config file .... add:

crl-verify <full path to crl.pem>



kind regards,

David Sommerseth
David Sommerseth
2009-12-02 19:09:25 UTC
...
Post by David Sommerseth
Revoke the certificate, delete the users certificate and key files.
I am not sure this is a good idea, the certificates may be needed to
build a crl.
Maybe I was too quick here, but with revoking, I meant building the CRL.
Do you need to have all the already revoked certificates when revoking
new certificates? If so, then I'm very much wrong and apologise for that!


Kind regards,

David Sommerseth
Erich Titl
2009-12-02 21:28:24 UTC
Post by David Sommerseth
Maybe I was too quick here, but with revoking, I meant building the CRL.
Do you need to have all the already revoked certificates when revoking
new certificates? If so, then I'm very much wrong and apologise for that!
I am not 100% sure. AFAIK the certificate does not have a 'revoked' flag
by itself, only the CA knows about the revocation status. The interested
parties are informed about the revocation status with the crl. Looking
at the rather primitive database of an openssl-only based CA there
appears to be a flag in the index file which shows the revocation
status. There may be enough information in the index file to build a crl
but if that one is lost too, then revocation is impossible.

So my advice is, leave the files alone, just revoke the certificate and
build a crl.

cheers

Erich
Jan Just Keijser
2009-12-03 08:42:59 UTC
hi *,
Post by Erich Titl
Post by David Sommerseth
Maybe I was too quick here, but with revoking, I meant building the CRL.
Do you need to have all the already revoked certificates when revoking
new certificates? If so, then I'm very much wrong and apologise for that!
I am not 100% sure. AFAIK the certificate does not have a 'revoked' flag
by itself, only the CA knows about the revocation status. The interested
parties are informed about the revocation status with the crl. Looking
at the rather primitive database of an openssl-only based CA there
appears to be a flag in the index file which shows the revocation
status. There may be enough information in the index file to build a crl
but if that one is lost too, then revocation is impossible.
So my advice is, leave the files alone, just revoke the certificate and
build a crl.
The easy-rsa scripts in openvpn are wrappers around the 'openssl ca'
command; in order to revoke a certificate the 'openssl ca -revoke'
command needs to get the serial number of a certificate. This serial
number is then added to its internal "database" (the plain text
index.txt file); when generating the CRL the 'openssl ca -gencrl'
command goes through this database and generates the CRL based on the
certificate DNs + serial numbers.

So after revoking a certificate (which does nothing to the .crt file
itself, BTW) you can in theory throw out the offending .crt (and .key) file.

To *temporarily* remove a user from openvpn you cannot revoke the user's
certificate. Revocation is permanent (as it should be).
I'd use a 'tls-verify' script for that which checks for any offending
certificate DNs (and/or serial numbers). You can then grant or deny
access based on this tls-verify script. That way there's no need to
officially revoke a certificate, generate a new CRL etc etc.

HTH,

JJK

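The tls-verify deny-list approach JJK describes, as an added example that is not from this thread nor from OpenVPN itself: OpenVPN runs the script once per certificate in the chain with the depth and the subject DN as arguments and accepts only on exit status 0; the script path, the deny-list path and the CNs are assumptions.

```shell
#!/bin/sh
# Temporarily block a user by CN without revoking their certificate, via
# --tls-verify. Added example, not from the thread. OpenVPN calls the script
# with two arguments: certificate depth (0 = the client's own certificate) and
# the subject DN on one line; exit 0 accepts, non-zero rejects the handshake.
# Assumed server config line:   tls-verify /etc/openvpn/tls-verify-denylist.sh
# Assumed deny list (hypothetical path): one CN per line, exact match.
DENYLIST="${DENYLIST:-/etc/openvpn/denied-users.txt}"

# Extract the CN from the subject line in either form OpenVPN may pass:
#   "/C=IT/O=Example/CN=user8/emailAddress=..."   (OpenSSL one-line form, 2.1 era)
#   "C=IT, O=Example, CN=user8, emailAddress=..."  (RFC 2253 style, newer versions)
# A leading "/" is prepended so a subject that starts with CN= matches too.
cn_from_subject() {  # usage: cn_from_subject SUBJECT
    printf '/%s\n' "$1" | sed -n 's|.*[/,] *CN=\([^/,]*\).*|\1|p'
}

# Decide on one certificate: returns 0 (accept) or 1 (reject).
# Only depth 0 is checked; the CA certificates higher in the chain pass.
verify_peer() {  # usage: verify_peer DEPTH SUBJECT
    depth="$1"; subject="$2"
    [ "$depth" -eq 0 ] || return 0
    cn="$(cn_from_subject "$subject")"
    [ -n "$cn" ] || return 1           # no CN at all: refuse rather than guess
    [ -r "$DENYLIST" ] || return 0     # no deny list present: nothing to block
    # -F: literal, -x: whole line, so "user1" does not also block "user10"
    if grep -Fxq -- "$cn" "$DENYLIST"; then
        printf 'tls-verify: rejecting %s (on deny list)\n' "$cn" >&2
        return 1
    fi
    return 0
}

# Invoked by OpenVPN: "$1" is the depth, "$2" the subject; exit with the verdict.
if [ "$#" -eq 2 ]; then
    verify_peer "$1" "$2"
    exit $?
fi

# Run by hand with no arguments: self-demonstration against a constructed deny list.
DENYLIST="$(mktemp)"
printf 'user8\n' > "$DENYLIST"
for subj in '/C=IT/O=Example/CN=user8/emailAddress=user8@example.test' \
            'C=IT, O=Example, CN=user1, emailAddress=user1@example.test'; do
    if verify_peer 0 "$subj"; then echo "accept: $subj"; else echo "reject: $subj"; fi
done
```

Removing the CN from the deny list restores access immediately, which is the point of the approach: no new CRL, no server restart, and the certificate itself stays valid.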