Manage OpenVPN keys with Easy-RSA
Key Cabinet
On Revocation
When employees leave their employer, admins need to make sure they prevent further VPN access. At the Charité, this is done with the revoke_remove_cert_without_user script (Listing 4), which uses checkCertWithoutUser.pl to generate a list of certificates for which active users are missing and pipes this list to revoke_and_delete, which in turn uses Easy-RSA to revoke and delete the key material (Figure 3). The certificates are only irreversibly deleted after a transitional period of three months, because "often users come back within three months," explained Hildebrandt, "in which case, they don't want to impose the burden of having to install a new configuration or new certificates."
Listing 4: revoke_remove_cert_without_user

#!/bin/sh
/opt/openvpn/scripts/checkCertWithoutUser.pl | xargs --no-run-if-empty --replace /opt/openvpn/scripts/revoke_and_delete {}
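The two decisions behind this pipeline, which valid certificates belong to no active account and which revoked certificates have passed the three-month grace period, can both be answered from the OpenSSL-style CA database that Easy-RSA keeps in pki/index.txt. The following is an added example, not the Charité scripts or Easy-RSA code; it assumes the standard index.txt column layout (status, expiry, revocation date with optional reason, serial, file name, subject DN) and uses a constructed sample database.

```python
"""Decide which Easy-RSA certificates to revoke and which revoked ones to purge.

Reads the OpenSSL-style CA database Easy-RSA keeps in pki/index.txt.
Tab-separated columns: status (V/R/E), expiry, revocation date (empty unless R,
optionally followed by ",reason"), serial, file name, subject DN.
"""
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=90)   # three-month transitional period before key material is deleted

# Constructed sample index.txt: two valid certs, two revoked (one inside, one past the grace period)
SAMPLE_INDEX = (
    "V\t330101120000Z\t\t01\tunknown\t/CN=alice\n"
    "V\t330101120000Z\t\t02\tunknown\t/CN=bob\n"
    "R\t330101120000Z\t240101120000Z,cessationOfOperation\t03\tunknown\t/CN=carol\n"
    "R\t330101120000Z\t240601120000Z\t04\tunknown\t/CN=dave\n"
)
DEMO_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)   # constructed "today" for the sample


def parse_index(text):
    """Yield (status, cn, revoked_at) per entry; revoked_at is None for non-revoked certs."""
    for line in text.splitlines():
        if not line.strip():
            continue
        status, _expiry, revoked, _serial, _file, dn = line.split("\t")
        cn = next(part[3:] for part in dn.strip("/").split("/") if part.startswith("CN="))
        revoked_at = None
        if revoked:
            stamp = revoked.split(",")[0]   # drop the optional ",reason" suffix
            revoked_at = datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        yield status, cn, revoked_at


def certs_without_user(index_text, active_users):
    """Valid certificates whose CN matches no active account: candidates for revocation."""
    return sorted(cn for status, cn, _ in parse_index(index_text)
                  if status == "V" and cn not in active_users)


def certs_past_grace(index_text, now):
    """Revoked certificates whose grace period has elapsed: safe to delete the key material."""
    return sorted(cn for status, cn, revoked_at in parse_index(index_text)
                  if status == "R" and now - revoked_at >= GRACE)


if __name__ == "__main__":
    print("revoke:", certs_without_user(SAMPLE_INDEX, {"alice"}))   # bob has no account
    print("purge:", certs_past_grace(SAMPLE_INDEX, DEMO_NOW))          # carol, revoked 6 months ago
```

Revocation itself stays with `easyrsa revoke`; this only produces the two name lists that a wrapper like revoke_and_delete would act on.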
There You Go!
According to Hildebrandt, the Charité system, which now manages 17,000 users, surprised even the administrators: Working with Easy-RSA is smooth and stable in enterprise operation. "The advantage of Easy-RSA is clearly in its stability: the thing simply does exactly what you tell it to do – 100% and reliably," said Hildebrandt. "In more than 10 years of operation, it has never caused us trouble and always provided exactly the high-level commands we need to generate and withdraw certificates."
The configurations generated in this way also work with mobile devices and the practical OpenVPN format of the embedded keys. The configuration, certificates, and keys can be inserted directly into the configuration file without reference to other files, so users only have one configuration file for access, which significantly increases acceptance. This setup works fine with modern smartphones, as well.
Private keys that are not password protected are less critical: "Password protection during access is achieved via LDAP authentication, which is linked to Active Directory," explained Hildebrandt. "Every user has to enter their password anyway when they log in. Although this is the most frequently mentioned annoyance for users, it is necessary."
Additionally, neither Android nor iOS allows a web proxy to be set via autoconfig. "Our users can use VPN, but the main purpose is to surf the web through our proxies, because they get full access to scientific journals and papers," said Hildebrandt. With Chrome OS, you can set exactly one proxy for a VPN connection.
Infos
- OpenVPN: https://openvpn.net
- Easy-RSA: https://github.com/OpenVPN/easy-rsa
- Easy-RSA for Ubuntu: https://packages.ubuntu.com/search?keywords=easy-rsa&searchon=names&suite=all&section=all
- Easy-RSA 3.0 how-to: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
- Charité Berlin: https://www.charite.de/en/
- Complete listings for the article: ftp://ftp.linux-magazine.com/pub/listings/admin-magazine.com/53/