A Certificate Revocation List is now generated during installation, after the rest of the Public Key Infrastructure has been generated, and this CRL is enabled in the server config. The added benefit is that whenever the user now revokes a client, the change takes effect instantly, whereas before, the first time a client was revoked, the OpenVPN server had to be restarted to enable the then-newly-generated CRL. This change also makes the file /etc/pivpn/REVOKE_STATUS obsolete.

Documentation: https://openvpn.net/index.php/open-source/documentation/howto.html#revoke
This commit is contained in:
Jelle Dekker 2017-09-22 02:46:52 -05:00
parent c7f82d0116
commit 30920115b3
3 changed files with 6 additions and 21 deletions


@ -884,6 +884,11 @@ EOF
# Generate static HMAC key to defend against DDoS # Generate static HMAC key to defend against DDoS
${SUDOE} openvpn --genkey --secret pki/ta.key ${SUDOE} openvpn --genkey --secret pki/ta.key
# Generate an empty Certificate Revocation List
${SUDOE} ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chown nobody:nogroup /etc/openvpn/crl.pem
# Write config file for server using the template .txt file # Write config file for server using the template .txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@ -992,10 +997,6 @@ confOVPN() {
$SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER $SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER
$SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM $SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM
# Set status that no certs have been revoked
echo 0 > /tmp/REVOKE_STATUS
$SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
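Review bot: The new `cp` and `chown` lines after `./easyrsa gen-crl` run without `${SUDOE}`, unlike the `gen-crl` line above them and the `$SUDO cp` that follows, so when the installer is not running as root the copy into /etc/openvpn fails and the server is left with `crl-verify` pointing at a file that does not exist (which, depending on the OpenVPN version, either stops the server from starting or rejects every client). Handing the file to nobody:nogroup also gives the unprivileged account the server drops to write access to its own revocation list; OpenVPN only needs to read it, so root ownership with a world-readable mode is enough: `${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem` followed by `${SUDOE} chmod 644 /etc/openvpn/crl.pem` in place of the chown. Note as well that the CRL `gen-crl` emits has a finite validity (EasyRSA's EASYRSA_CRL_DAYS setting, 180 days by default as far as I recall); once it lapses OpenVPN rejects all clients, and nothing in this change regenerates it unless a revocation happens, so a comment here and a periodic `gen-crl` plus copy would avoid a surprise outage. The enclosing function continues on both sides of the hunk.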


@ -105,22 +105,6 @@ fi
cd /etc/openvpn/easy-rsa || exit cd /etc/openvpn/easy-rsa || exit
if [ "${REVOKE_STATUS}" == 0 ]; then
echo 1 > /etc/pivpn/REVOKE_STATUS
printf "\nThis seems to be the first time you have revoked a cert.\n"
printf "First we need to initialize the Certificate Revocation List.\n"
printf "Then add the CRL to your server config and restart openvpn.\n"
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chown nobody:nogroup /etc/openvpn/crl.pem
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
service openvpn restart
else
systemctl restart openvpn.service
fi
fi
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}" printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}" ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"


@ -34,7 +34,7 @@ user nobody
group nogroup group nogroup
persist-key persist-key
persist-tun persist-tun
#crl-verify /etc/openvpn/crl.pem crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20 status /var/log/openvpn-status.log 20
status-version 3 status-version 3
log /var/log/openvpn.log log /var/log/openvpn.log
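Review bot: Uncommenting `crl-verify` in the template only reaches installs that copy the template afresh; a server.conf already written out of this template keeps the `#crl-verify` line, and the first-revoke branch removed from the revoke script (the `sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf` call) appears to have been the only code on this page that switched it on, so on such an install a revocation now produces a CRL the running server never consults. Unless the update path re-copies this template over the existing config, the upgrade should keep a one-time migration that applies that sed and puts `crl.pem` into place when `/etc/openvpn/crl.pem` is absent, so that revocation stays effective on servers installed before this change.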