Manage OpenVPN keys with Easy-RSA

Key Cabinet

On Revocation

When employees leave, admins need to make sure that their VPN access ends with them. At the Charité, this is done with the revoke_remove_cert_without_user script (Listing 4): checkCertWithoutUser.pl generates the list of certificates whose owners no longer exist as active users, and that list is piped to revoke_and_delete, which calls Easy-RSA to revoke the certificates and delete the key material (Figure 3). The certificates are only irreversibly deleted after a transitional period of three months, because "often users come back within three months," explained Hildebrandt, "in which case, they don't want to impose the burden of having to install a new configuration or new certificates."

Listing 4

revoke_remove_cert_without_user

#!/bin/sh
# checkCertWithoutUser.pl lists the certificates whose owners are no longer active users, one name per line;
# xargs --replace runs revoke_and_delete once per name, and --no-run-if-empty skips the call when the list is empty.
/opt/openvpn/scripts/checkCertWithoutUser.pl | xargs --no-run-if-empty --replace /opt/openvpn/scripts/revoke_and_delete {}
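The article does not print revoke_and_delete itself. The script below is an added example, not the Charité code, of one way to get the behaviour described above: revoke at once so the CRL blocks the certificate, but keep a copy of the material for the three-month grace period and purge it only afterwards. It assumes Easy-RSA 3 (easyrsa revoke NAME and easyrsa gen-crl), the default pki/ layout, and a holding directory of its own; the three paths, the 90-day value and the use of the hold directory's mtime as the grace-period clock are all assumptions.

```shell
#!/bin/sh
# Added example of a revoke-then-hold policy. It is not the Charité
# revoke_and_delete script, which the article does not print.
# Assumptions (hypothetical): Easy-RSA 3 ("easyrsa revoke NAME",
# "easyrsa gen-crl"), the PKI under EASYRSA_PKI, and a holding
# directory HOLD_DIR where a copy of the revoked material waits out
# GRACE_DAYS before it is purged.
set -eu
umask 077   # the hold copies contain private keys

EASYRSA="${EASYRSA:-/usr/share/easy-rsa/easyrsa}"
EASYRSA_PKI="${EASYRSA_PKI:-/etc/openvpn/pki}"
HOLD_DIR="${HOLD_DIR:-/var/lib/openvpn/revoked-hold}"
GRACE_DAYS="${GRACE_DAYS:-90}"

# revoke_and_hold NAME: keep a dated copy of NAME's cert, key and request,
# then revoke and regenerate the CRL so the VPN rejects the certificate now.
# Nothing is deleted here; purge_expired_holds does that after the grace period.
revoke_and_hold() {
    name=$1
    hold="$HOLD_DIR/$name"
    [ -r "$EASYRSA_PKI/issued/$name.crt" ] || { echo "no such certificate: $name" >&2; return 1; }
    mkdir -p "$hold"
    cp -p "$EASYRSA_PKI/issued/$name.crt" "$hold/$name.crt"
    [ -r "$EASYRSA_PKI/private/$name.key" ] && cp -p "$EASYRSA_PKI/private/$name.key" "$hold/$name.key"
    [ -r "$EASYRSA_PKI/reqs/$name.req" ]    && cp -p "$EASYRSA_PKI/reqs/$name.req"    "$hold/$name.req"
    touch "$hold"                      # directory mtime marks the start of the grace period
    "$EASYRSA" --batch revoke "$name"  # Easy-RSA moves the originals to pki/revoked/*_by_serial
    "$EASYRSA" gen-crl                 # the new pki/crl.pem must then be installed on the server
}

# purge_expired_holds: irreversibly delete holds whose grace period has run out.
purge_expired_holds() {
    [ -d "$HOLD_DIR" ] || return 0
    find "$HOLD_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +"$GRACE_DAYS" \
         -exec rm -rf {} +
}

case "${1:-}" in
    revoke) revoke_and_hold "${2:?certificate name required}" ;;
    purge)  purge_expired_holds ;;
    "")     ;;   # no arguments: only define the functions
    *)      echo "usage: $0 revoke NAME | purge" >&2; exit 2 ;;
esac
```

In the Listing 4 pipeline, revoke_and_delete would be replaced by this script's revoke subcommand, with purge run daily from cron. Two caveats: the revocation takes effect only once the regenerated crl.pem is copied to wherever the OpenVPN server's crl-verify directive points, and the CRL entry is not withdrawn by this script, so the hold copies only keep a returning user's material on hand during the grace period; Easy-RSA 3 additionally keeps the originals, renamed by serial, under pki/revoked/.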

There You Go!

According to Hildebrandt, the Charité system, which now manages 17,000 users, surprised even the administrators: Working with Easy-RSA is smooth and stable in enterprise operation. "The advantage of Easy-RSA is clearly in its stability: the thing simply does exactly what you tell it to do – 100% and reliably," said Hildebrandt. "In more than 10 years of operation, it has never caused us trouble and always provided exactly the high-level commands we need to generate and withdraw certificates."

The configurations generated this way also work on mobile devices, thanks to OpenVPN's practical inline format for embedded keys: the CA certificate, client certificate, and key can be inserted directly into the configuration file without references to other files, so users receive a single configuration file for access, which significantly increases acceptance. Modern smartphones handle this setup fine, as well.
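As an added example (not the Charité tooling), the script below assembles the single-file configuration described above from an Easy-RSA 3 PKI: it copies only the PEM bodies into <ca>, <cert> and <key> sections, because Easy-RSA's issued/*.crt files carry a human-readable dump above the PEM that OpenVPN's inline parser does not want. The default pki/ layout, the endpoint vpn.example.org and the option set are assumptions; the file contains the private key, so it is written with umask 077.

```shell
#!/bin/sh
# Added example: build one .ovpn with CA, client certificate and client key
# inlined. Not the Charité tooling; PKI layout (Easy-RSA 3 defaults), the
# VPN endpoint and the option set are assumptions.
set -eu

EASYRSA_PKI="${EASYRSA_PKI:-/etc/openvpn/pki}"
VPN_REMOTE="${VPN_REMOTE:-vpn.example.org 1194 udp}"   # hypothetical endpoint

# pem_block FILE: print only the -----BEGIN/-----END section of FILE,
# dropping the text dump Easy-RSA writes above the PEM in issued/*.crt.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_inline_ovpn NAME [OUT]: write the unified client config for NAME
# (default output NAME.ovpn). Fails if any of the three files is missing.
build_inline_ovpn() {
    name=$1
    out=${2:-$1.ovpn}
    ca="$EASYRSA_PKI/ca.crt"
    crt="$EASYRSA_PKI/issued/$name.crt"
    key="$EASYRSA_PKI/private/$name.key"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    (
        umask 077   # the output holds the private key: owner-readable only
        {
            cat <<EOF
client
dev tun
remote $VPN_REMOTE
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate on the other side, so a stolen client
# certificate cannot be used to impersonate the VPN server.
remote-cert-tls server
# The key is unencrypted (see the article); the access check is the
# LDAP/AD password prompted for by this directive.
auth-user-pass
verb 3
EOF
            echo '<ca>';   pem_block "$ca";  echo '</ca>'
            echo '<cert>'; pem_block "$crt"; echo '</cert>'
            echo '<key>';  pem_block "$key"; echo '</key>'
        } > "$out"
    )
}

case "${1:-}" in
    "") ;;                          # no arguments: only define the functions
    *)  build_inline_ovpn "$@" ;;
esac
```

The resulting file is the only thing a user has to import on a phone or laptop. If the server uses a tls-auth or tls-crypt key, it is inlined the same way in a <tls-auth> or <tls-crypt> section (with key-direction 1 for tls-auth), following the same pem_block pattern.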

That the private keys are not password protected is less critical than it sounds: "Password protection during access is achieved via LDAP authentication, which is linked to Active Directory," explained Hildebrandt. "Every user has to enter their password anyway when they log in. Although this is the most frequently mentioned annoyance for users, it is necessary."

One limitation remains: neither Android nor iOS allow setting a web proxy via autoconfig. "Our users can use VPN, but the main purpose is to surf the web through our proxies, because they get full access to scientific journals and papers," said Hildebrandt. With Chrome OS, you can set exactly one proxy for a VPN connection.

The Author

Markus Feilner is a Linux and security expert from Regensburg, Germany. The trainer, author, consultant, and keynote speaker has been working with Linux and open source software since 1994.
