Opened 7 years ago

Closed 7 years ago

Last modified 5 years ago

#1208 closed bug (fixed)

Removing an OpenVPN client should prevent future logins

Reported by: matthijs Owned by:
Priority: normal Milestone: Firmware
Component: fon-plugin-openvpn Version: beta3
Severity: minor
Cc: Hardware: both


When managing the OpenVPN server on the Fonera, it is required to generate a keypair for every client that needs to connect to the Fonera. The Fonera keeps a list of clients and allows removing clients from this list.

If I understand correctly, removing a client from this list removes all references to it from the Fonera, but does not prevent this client from logging in with its certificate. This is because the server only checks that the certificate presented by the client is actually signed by the CA; it does not check its list of client certificates (which it doesn't even need to keep for normal operation).

To solve this, the Fonera should keep a certificate revocation list and fill it whenever a client is removed from the list.

Note that I haven't actually confirmed above analysis, but this ticket is to remind me to fix this.

Attachments (0)

Change History (8)

comment:1 Changed 7 years ago by matthijs

  • Status changed from new to confirmed

Just discovered another side effect of this issue: You cannot currently remove a client and then re-add a client with the same name. This seems to work properly, but the .crt file generated for the client will remain empty, due to OpenSSL insisting on unique CNs (it has an internal database that keeps track of the CNs of all the certificates issued).

The output of (the second run of) "pkitool foo" ends with:

Certificate is to be certified until Jul 17 08:18:13 2022 GMT (3650 days)
failed to update database
TXT_DB error number 2

According to this post, revoking the certificate should allow a new one to be generated with the same CN.

comment:2 Changed 7 years ago by matthijs

  • Severity changed from normal to minor
  • Status changed from confirmed to testing-fix

This turned out to be a fairly simple one-line fix.

comment:3 Changed 7 years ago by matthijs

  • Resolution set to fixed
  • Status changed from testing-fix to closed

(In [2180]) luci-openvpn: Revoke client certificates when removing them.

Before, when removing an OpenVPN client, its certificates were simply removed. However, since the OpenVPN server allows access to anyone with a valid certificate, even if it no longer has the certificate file itself, this means that a client would still be able to log in after it was removed through the webgui.

Additionally, when a client was removed, no client could be added again with the same name, since pkitool insists on having unique names for all certificates.

By actively revoking the certificate before removing it, which causes a reference to the certificate to be stored in the certificate revocation list that OpenVPN checks for every connection, both of the above problems are fixed.

This commit imports the revoke-full script from the OpenVPN sources, modified to include /etc/openvpn/vars instead of relying on that file to be included by the caller (just like with the pkitool script).

Closes: #1208

comment:4 Changed 7 years ago by matthijs

(In [2203]) openvpn: Fix the path to the certificate revocation list.

This would prevent the CRL from working. Apparently this was fixed manually during testing, but this fix never made it into SVN.

References: #1208

comment:5 Changed 7 years ago by matthijs

(In [2204]) openvpn: Remove an unneeded if in the initscript.

It doesn't hurt to always set the "generating key" status, since if no keys need to be generated, it will be reset directly anyway.

References: #1208

comment:6 Changed 7 years ago by matthijs

(In [2205]) openvpn: Make sure a valid certificate revocation list exists.

There was an empty file by default, but OpenVPN / OpenSSL wants some actual content (e.g., a PEM-encoded empty list at the least). Since it seems that the CA key and certificate are needed to generate this empty CRL, we can't simply add a static "empty CRL" file, but need to generate it in the initscript.

References: #1208
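The following script is an added example and is not the Fonera's pkitool/revoke-full code or anything from this ticket's commits. It builds a throwaway CA with "openssl ca" (the same tool easy-rsa's pkitool and revoke-full drive) and reproduces, end to end, what the ticket description, comment:1, comment:3 and comment:6 describe: a client whose files are merely deleted still verifies against the CA; a client whose certificate is revoked and listed in a regenerated CRL is rejected; a deleted-but-not-revoked CN cannot be issued again while a revoked one can; and a zero-byte "CRL" file rejects everyone. The scratch directory, the minimal OpenSSL config, and the names demo-ca, alice and bob are assumptions of the demo.

```shell
#!/bin/sh
# Added example (not the Fonera's pkitool/revoke-full): a throwaway "openssl ca"
# CA that reproduces both symptoms from this ticket and the fix. The directory,
# the config below and the names demo-ca/alice/bob are assumptions of the demo.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"      # scratch CA directory (assumed)
CNF="$CA_DIR/openssl.cnf"

setup_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"            # OpenSSL's "internal database" of issued certs
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
unique_subject = yes
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=demo-ca" -config "$CNF" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
    gen_crl                            # start with a valid (signed, empty) CRL
}

# Regenerate crl.pem from index.txt. This needs the CA key, which is why a
# static "empty CRL" file cannot be shipped instead (comment:6).
gen_crl() {
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl.pem" >/dev/null 2>&1
}

issue_client() {                       # $1 = common name
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" -config "$CNF" \
        -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" >/dev/null 2>&1
    openssl ca -config "$CNF" -batch -notext \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Old behaviour: delete the server's copy of the files and nothing else.
remove_client_files() { rm -f "$CA_DIR/$1.crt" "$CA_DIR/$1.key" "$CA_DIR/$1.csr"; }

# Fixed behaviour: mark the cert 'R' in index.txt and regenerate the CRL before
# deleting the files (the two openssl ca calls easy-rsa's revoke-full wraps).
revoke_client() {
    openssl ca -config "$CNF" -revoke "$CA_DIR/$1.crt" >/dev/null 2>&1
    gen_crl
    remove_client_files "$1"
}

# What an OpenVPN server with "crl-verify <file>" effectively does per
# connection: chain-verify the client cert against the CA and consult the CRL.
# Exit status 0 means the connection would be accepted.
server_accepts() {                     # $1 = client's cert, $2 = CRL file
    openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$2" "$1" >/dev/null 2>&1
}

demo() {
    setup_ca
    issue_client alice && cp "$CA_DIR/alice.crt" "$CA_DIR/alice-laptop.crt"
    issue_client bob   && cp "$CA_DIR/bob.crt"   "$CA_DIR/bob-laptop.crt"
    remove_client_files alice          # the bug: files gone, cert still valid
    revoke_client bob                  # the fix
    server_accepts "$CA_DIR/alice-laptop.crt" "$CA_DIR/crl.pem" && echo "alice: still accepted"
    server_accepts "$CA_DIR/bob-laptop.crt" "$CA_DIR/crl.pem" || echo "bob: rejected (revoked)"
    issue_client alice || echo "re-adding alice: fails, index.txt still lists the CN as valid"
    issue_client bob   && echo "re-adding bob: works after revocation"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh crl-demo.sh demo` (it leaves its scratch directory behind for inspection). On a real server the CRL is wired in with the `crl-verify /path/to/crl.pem` directive in the OpenVPN server config; OpenVPN re-reads the file when it changes, so a revocation takes effect without restarting the daemon. Two caveats worth keeping in mind: the file must always be a well-formed, signed CRL (a zero-byte file makes OpenVPN reject every client, which is what comment:6 fixes), and a CRL carries a nextUpdate time (30 days in the config above), after which OpenSSL reports it as expired and, again, every client is rejected, so the CRL has to be regenerated at least that often even when nobody is revoked.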

comment:7 Changed 7 years ago by matthijs

(In [2206]) openvpn: Let the initscript use /etc/openvpn/vars.

This removes the hardcoded KEY_DIR from the initscript and allows using other variables.

References: #1208

comment:8 Changed 5 years ago by Nicol

I've installed the wpm module of openvpn to work with webmin. This was the easy part. Creating the ca, crt and pem keys was easy. However, I've run into one problem after another after trying to configure the vpn for either tun or tap. I couldn't get tap to configure at all. However, in spite of the problems I'm having, I like the webmin interface, as it certainly saves a lot of typing. Also, through it, I can visually see what's required of setting up a vpn.
