{{tag>vpn openvpn}}
====== Revoke openvpn certificates ======
To disable specific users from connecting to the VPN you can revoke their certificate.
This assumes you have [[https://github.com/OpenVPN/easy-rsa/|easy-rsa]] installed.
Basically you revoke each certificate by its CN (which should be the same as the certificate's filename) and then regenerate the //crl.pem// file that the server checks against.
First make sure you have the line
<code>
crl-verify /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem
</code>
in your OpenVPN //server.conf//. After adding the line, restart the server.
Now revoke the cert, passing the client's CN (here //user1//) as the argument:
<code>
/etc/openvpn/EasyRSA-3.1.7# ./easyrsa revoke user1
</code>
and regenerate the CRL file:
<code>
/etc/openvpn/EasyRSA-3.1.7# ./easyrsa gen-crl
</code>
You can list the revoked certs via:
<code>
/etc/openvpn/EasyRSA-3.1.7# ./easyrsa show-revoke
</code>
Now when the revoked client tries to connect, it will show errors like these:
<code>
unknown[736292]: Connect timer expired, disconnecting.
nm-openvpn[736296]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
nm-openvpn[736296]: TLS Error: TLS handshake failed
nm-openvpn[736296]: SIGTERM received, sending exit notification to peer
</code>
and on the server you will see something like:
<code>
... VERIFY ERROR: depth=0, error=certificate revoked: CN=user1, serial=xxxxxxxxxxxxxxxxxxxxxxx
... OpenSSL: error:0A000086:SSL routines::certificate verify failed
... TLS_ERROR: BIO read tls_read_plaintext error
... TLS Error: TLS object -> incoming plaintext read error
... TLS Error: TLS handshake failed
... SIGUSR1[soft,tls-error] received, client-instance restarting
... CRL: loaded 1 CRLs from file /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem
... TLS Error: Unroutable control packet received from [AF_INET]xxxxxxxxxxxx:41071 (si=3 op=P_CONTROL_V1)
</code>
You need to rerun the revoke and gen-crl steps for each newly revoked certificate.
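The same revoke-then-regenerate sequence as a script, with the checks a practitioner wants around it: that //server.conf// actually has a crl-verify line, that the revoked cert's serial really landed in the CRL, and when the CRL itself expires. This is an added example, not part of the original page or of easy-rsa; the directory, config path and the ''EASYRSA_DIR''/''SERVER_CONF'' variables are assumptions you should adjust.

```shell
#!/bin/sh
# Added example (not from the original page or easy-rsa): revoke one OpenVPN
# client by CN with easy-rsa 3, regenerate crl.pem and verify the result.
# EASYRSA_DIR and SERVER_CONF are assumed defaults; override them as needed.
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/EasyRSA-3.1.7}"
SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}"

# Print the path named by the crl-verify directive of an OpenVPN server config.
# Fails when the directive is missing: without it the server never consults a
# CRL, so revoking a certificate would have no effect on live connections.
crl_path_from_conf() {
    awk '$1 == "crl-verify" { print $2; found = 1 } END { exit !found }' "$1"
}

# Return 0 if the serial (uppercase hex, as openssl prints it) is listed as
# revoked in the given CRL file.
serial_in_crl() {
    openssl crl -in "$2" -noout -text | grep -q "Serial Number: $1"
}

revoke_client() {
    cn="$1"
    crl="$(crl_path_from_conf "$SERVER_CONF")" || {
        echo "no crl-verify line in $SERVER_CONF; the CRL would be ignored" >&2
        return 1
    }
    cd "$EASYRSA_DIR"
    # Record the serial first so we can confirm it appears in the new CRL.
    serial="$(openssl x509 -in "pki/issued/$cn.crt" -noout -serial | cut -d= -f2)"
    ./easyrsa --batch revoke "$cn"
    ./easyrsa gen-crl
    # The server reads the path from server.conf; copy only if it is a
    # different file from pki/crl.pem (cmp -s is quiet and fails if they differ).
    cmp -s pki/crl.pem "$crl" || cp pki/crl.pem "$crl"
    serial_in_crl "$serial" "$crl" || {
        echo "serial $serial of $cn is not in $crl" >&2
        return 1
    }
    # Caveat: a CRL carries its own expiry (easy-rsa's EASYRSA_CRL_DAYS); once
    # nextUpdate has passed, OpenVPN rejects every client, not just revoked ones.
    openssl crl -in "$crl" -noout -nextupdate
}

# Only act when a CN is given, so the file can be sourced for its helpers.
[ "$#" -eq 0 ] || revoke_client "$1"
```

Run it as ''./revoke_client.sh user1'' on the server; the final line it prints is the date after which the CRL must be regenerated with ''gen-crl'' even if nobody else is revoked.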
====== Tested on ======
* EasyRSA-3.1.7
====== See also ======
* [[wiki:openvpn_installation|Openvpn installation]]
====== References ======
* https://serverfault.com/a/1079065/353235