This recipe shows how to configure OpenVPN to use a CRL. It uses the CRL created in the previous recipe. This recipe is an extension of the recipe Routing: masquerading in Chapter 2, Client-server IP-only Networks, in the sense that the server and client configuration files are almost identical.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. Generate the CRL using the previous recipe. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.10. The client was running Fedora 22 Linux and OpenVPN 2.3.10. Keep the server configuration file basic-udp-server.conf from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks, at hand.
First, copy the CRL file into the OpenVPN configuration directory:
[root@server]# cd /etc/openvpn/cookbook
[root@server]# cp keys/crl.pem .
Then modify the server configuration file basic-udp-server.conf by adding the line:
crl-verify /etc/openvpn/cookbook/crl.pem
Save it as example4-6-server.conf.
Start the server:
[root@server]# openvpn --config example4-6-server.conf
Next, create the client configuration file:
client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
remote-cert-tls server
tls-auth /etc/openvpn/cookbook/ta.key 1
ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/client4.crt
key /etc/openvpn/cookbook/client4.key
And save it as example4-6-client.conf.
Then start the client:
[root@client]# openvpn --config example4-6-client.conf
The client will not be able to connect; instead, the server log file shows:
[...] TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[...] TLS Error: TLS object -> incoming plaintext read error
[...] TLS Error: TLS handshake failed
This rather cryptic message proves that the client is not allowed to connect because its certificate is not valid.
Each time a client connects to the OpenVPN server, the CRL is checked to see whether the client certificate is listed in it. If it is, the OpenVPN server simply refuses to accept the client certificate and the connection is not established.
Generating a CRL is one thing; keeping it up to date is another, and it is very important that it is. For this purpose, it is best to set up a cron job that refreshes the server's CRL file overnight. Be aware of an outstanding bug in OpenVPN related to CRL updates: each time a client connects, the OpenVPN server tries to open the CRL file, and if the file is not present or not readable, the server process aborts with an error. The proper behaviour would be to temporarily refuse access to clients, but unfortunately this is not the case.
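The overnight refresh is exactly where that bug bites: a plain copy, or regenerating the CRL in place, leaves a window in which the file at the crl-verify path is missing or half-written, and a client connecting at that moment takes the server down. The script below is an added example and is not part of the cookbook or of OpenVPN; it only installs an already generated CRL (generating it is the previous recipe's job). It assumes this recipe's paths (keys/crl.pem under /etc/openvpn/cookbook as the fresh CRL and /etc/openvpn/cookbook/crl.pem as the path given to crl-verify) and, optionally, the CA certificate for signature verification; the function name install_crl, its exit codes, the ca.crt location on the server and the cron entry are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the OpenVPN 2 Cookbook: swap in a new CRL without
# ever leaving the crl-verify path missing or truncated. The file is staged in
# the same directory and renamed over the target, so OpenVPN, which opens the
# file on every client connect, always sees either the old or the new CRL.

# install_crl SRC DST [CA_CERT]
#   SRC      freshly generated CRL in PEM form, e.g. /etc/openvpn/cookbook/keys/crl.pem
#   DST      the path named by crl-verify, e.g. /etc/openvpn/cookbook/crl.pem
#   CA_CERT  optional; when given, the CRL signature is checked against it
# Exit codes: 0 installed, 1 unusable source, 2 failed verification, 3 install error
install_crl() {
    src=$1
    dst=$2
    ca=$3

    # 1. The source must be a readable, non-empty PEM CRL (never install an
    #    empty or partially written file).
    [ -r "$src" ] && [ -s "$src" ] || return 1
    grep -q -- '-----BEGIN X509 CRL-----' "$src" || return 1
    grep -q -- '-----END X509 CRL-----' "$src" || return 1

    # 2. Optionally verify the CRL signature with the issuing CA. Fail closed if
    #    openssl is unavailable: keeping the old CRL beats trusting an unchecked one.
    if [ -n "$ca" ]; then
        command -v openssl >/dev/null 2>&1 || return 2
        openssl crl -in "$src" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK' || return 2
    fi

    # 3. Stage next to the target (rename is only atomic within one filesystem),
    #    make it world-readable so a server that dropped privileges can still
    #    open it, then rename over the live file in a single step.
    tmp="$dst.tmp.$$"
    cp -- "$src" "$tmp" || { rm -f -- "$tmp"; return 3; }
    chmod 0644 "$tmp" || { rm -f -- "$tmp"; return 3; }
    mv -f -- "$tmp" "$dst" || { rm -f -- "$tmp"; return 3; }
    return 0
}

# Run from cron after the CRL has been regenerated, e.g. (hypothetical script
# path and assumed server-side ca.crt location):
#   0 3 * * * root /usr/local/sbin/update-crl.sh /etc/openvpn/cookbook/keys/crl.pem /etc/openvpn/cookbook/crl.pem /etc/openvpn/cookbook/ca.crt
if [ "$#" -ge 2 ]; then
    install_crl "$@"
    exit $?
fi
```

The signature check is optional so the script stays useful on a host without openssl, but when a CA certificate is supplied the function refuses rather than skipping the check, which also rejects a CRL issued by the wrong CA. Whatever the outcome of the checks, the file at the crl-verify path is only ever replaced by a complete rename, never truncated or removed.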