Revoke openvpn certificates

To stop a specific user from connecting to the VPN, revoke their certificate.

This assumes you have easy-rsa installed. Basically you need to revoke each certificate by its CN (which should be the same as the certificate's filename) and then regenerate the crl.pem file so the server picks up the revocation.

First make sure you have the line

crl-verify /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem

in your openvpn server.conf. After adding the line, restart the server.

Now revoke the cert by its CN (user1 in this example, matching the server log below)

/etc/openvpn/EasyRSA-3.1.7# ./easyrsa revoke user1

and regenerate the crl file

/etc/openvpn/EasyRSA-3.1.7# ./easyrsa gen-crl

You can check the revoked certs via:

/etc/openvpn/EasyRSA-3.1.7# ./easyrsa show-revoke

Now, when the revoked client tries to connect, it will show this error

 unknown[736292]: Connect timer expired, disconnecting.
 nm-openvpn[736296]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
 nm-openvpn[736296]: TLS Error: TLS handshake failed
 nm-openvpn[736296]: SIGTERM received, sending exit notification to peer

and on the server you will see something like

... VERIFY ERROR: depth=0, error=certificate revoked: CN=user1, serial=xxxxxxxxxxxxxxxxxxxxxxx
... OpenSSL: error:0A000086:SSL routines::certificate verify failed
... TLS_ERROR: BIO read tls_read_plaintext error
... TLS Error: TLS object -> incoming plaintext read error
... TLS Error: TLS handshake failed
... SIGUSR1[soft,tls-error] received, client-instance restarting
... CRL: loaded 1 CRLs from file /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem
... TLS Error: Unroutable control packet received from [AF_INET]xxxxxxxxxxxx:41071 (si=3 op=P_CONTROL_V1)

You need to rerun the revoke and gen-crl steps above for each newly revoked certificate.
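As an added check (example code, not from this wiki page): after gen-crl, confirm that the regenerated crl.pem actually lists the revoked certificate's serial and that the CRL itself is still within its validity window, by parsing the text dump produced by openssl crl. The sample dump and its serial are constructed; the script assumes the openssl binary is on PATH and uses the /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem path from above.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `openssl crl -in crl.pem -noout -text`: one revoked cert, made-up serial.
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Easy-RSA CA
        Last Update: Mar  3 16:14:00 2025 GMT
        Next Update: Aug 30 16:14:00 2025 GMT
Revoked Certificates:
    Serial Number: 3A7F1C2E9B4D6F8A
        Revocation Date: Mar  3 16:10:00 2025 GMT
    Signature Algorithm: sha256WithRSAEncryption
"""

def parse_openssl_date(s):
    """openssl prints e.g. 'Mar  3 16:14:00 2025 GMT'; return an aware UTC datetime."""
    cleaned = " ".join(s.split())  # collapse the padding before single-digit days
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_crl_text(text):
    """Return (next_update or None, set of revoked serials as ints)."""
    m = re.search(r"Next Update:\s*(.+)", text)
    next_update = None
    if m and m.group(1).strip() != "NONE":
        next_update = parse_openssl_date(m.group(1))
    serials = {int(s, 16) for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", text)}
    return next_update, serials

def crl_status(text, serial, now=None):
    """'revoked', 'valid' or 'crl-expired' for a serial given as hex string or int.
    An expired CRL is itself a verification error, so the server would then reject every client."""
    now = now or datetime.now(timezone.utc)
    next_update, serials = parse_crl_text(text)
    if next_update is not None and now > next_update:
        return "crl-expired"
    wanted = int(serial, 16) if isinstance(serial, str) else serial
    return "revoked" if wanted in serials else "valid"

def load_crl_text(path="/etc/openvpn/EasyRSA-3.1.7/pki/crl.pem"):
    """Dump the live CRL as text; assumes the openssl binary is on PATH."""
    return subprocess.run(["openssl", "crl", "-in", path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    print(crl_status(load_crl_text(), "3A7F1C2E9B4D6F8A"))  # hypothetical serial
```

If the result is "crl-expired", regenerate the CRL with gen-crl even when no new certificate was revoked.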

Tested on

  • EasyRSA-3.1.7

See also

References

wiki/revoke_openvpn_certificates.1741018463.txt.gz · Last modified: 2025/03/03 16:14 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal