OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: xofer on June 04, 2019, 05:24:32 pm

Title: CRL management for OpenVPN
Post by: xofer on June 04, 2019, 05:24:32 pm
We are signing our VPN user certificates outside OPNsense box.

Where does OPNsense save the CRL that is imported through the web gui?

Can I upload the CRL to OPNSense box without importing it through the web GUI? For instance with scp. Or have OPNsense pull the CRL from another server at an interval? Or upload it through an URL call?
Title: Re: CRL management for OpenVPN
Post by: mimugmail on June 05, 2019, 07:15:38 am
ATM it's only supported for locally used CRLs.
Title: Re: CRL management for OpenVPN
Post by: xofer on June 05, 2019, 09:32:31 am
I understand that a copy of the CRL is saved locally.

I am currently uploading the CRL manually from admin every time I revoke a cert. As I have several OPNsense machines, it is quite cumbersome. I would like to automate this update either by SSH or API call or something like that.
Title: Re: CRL management for OpenVPN
Post by: mimugmail on June 05, 2019, 10:00:03 am
Why don't you move the CA to OPNsense and manage it there? Then it would be automatic.
Otherwise you could play around with cronjobs ...

https://openvpn.net/archive/openvpn-users/2006-01/msg00456.html
Title: Re: CRL management for OpenVPN
Post by: xofer on June 05, 2019, 10:55:35 am
Well, thank you for contributing, but neither of your answers addresses the question I asked in any way...

> Why don't you move the CA to OPNsense and manage it there?
As I said - I have several OPNsense boxes which serve OpenVPN to clients. Clients have a certificate which is signed by a CA which all of the OpenVPN boxes trust. Even if I did the signing and revoking in an OPNsense box, I would still have to distribute the CRL to the rest of them - so it would solve nothing. Moreover - I am using the client certificate to authenticate clients against other services in other servers which also need the CRL.

I have a script that revokes a client and uploads the CRL to all the services involved. But I have not found a good way to do it in OPNsense - and that is what I am asking. An API call or file path to where I can scp-upload to update the CRL. Currently the only way to achieve that seems to be to update the CRL via the admin interface manually.

Cron jobs have absolutely nothing to do with this matter.

I guess if there is no easier way, I will just make a curl script to emulate the upload via admin.
Title: Re: CRL management for OpenVPN
Post by: mimugmail on June 05, 2019, 12:18:19 pm
- Configure CRL on instance
- Check serverX.conf via CLI
- Remember crl-verify syntax and filename
- Disable CRL and add the same line via Custom Options
- Copy your CRL via preferred method and restart OpenVPN (/usr/local/etc/rc.d/openvpn onereload)
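The steps above turned into a push script run from the host that does the revocations (an added example, not code from the thread or from OPNsense; the crl-verify path placed in Custom Options and root ssh access to each box are assumptions):

```shell
#!/bin/sh
# Added example, not from the thread or OPNsense: push an externally generated
# CRL to every OpenVPN server box and reload OpenVPN, following the steps listed
# above. Assumed (not from the thread): the server's Custom Options carry
#   crl-verify /usr/local/etc/openvpn/external-users.crl
# and this host can ssh to each box as root with a key.
set -eu

CRL_PATH="${CRL_PATH:-/usr/local/etc/openvpn/external-users.crl}"  # assumed path
RELOAD_CMD="/usr/local/etc/rc.d/openvpn onereload"                 # from the thread

# Refuse anything that is not a PEM CRL; when openssl is available, also let it
# parse the file so a truncated or corrupt CRL is never installed (OpenVPN would
# then reject every client, not just the revoked ones).
check_crl() {
  grep -q 'BEGIN X509 CRL' "$1" || return 1
  if command -v openssl >/dev/null 2>&1; then
    openssl crl -noout -in "$1" >/dev/null 2>&1 || return 1
  fi
  return 0
}

# Copy the CRL to one box and reload OpenVPN there. Prints the host name on
# success so the caller can record which boxes received the new CRL.
push_crl() {
  host="$1"; crl="$2"
  scp -q "$crl" "root@$host:$CRL_PATH" || return 1
  ssh "root@$host" "$RELOAD_CMD" || return 1
  echo "$host"
}

# Push to every host given as an argument. Returns non-zero if any box failed,
# but keeps going so one unreachable box does not leave the others stale.
push_crl_all() {
  crl="$1"; shift
  check_crl "$crl" || { echo "invalid CRL: $crl" >&2; return 2; }
  rc=0
  for h in "$@"; do
    push_crl "$h" "$crl" || { echo "failed: $h" >&2; rc=1; }
  done
  return $rc
}

# Typical call from the revocation script:
#   push_crl_all /path/to/users.crl fw1.example.net fw2.example.net
```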
Title: Re: CRL management for OpenVPN
Post by: xofer on June 06, 2019, 05:22:59 pm
Having crl-verify in Custom Options is a great idea. I can even use a different filename so it won't be overwritten. I'll have to check what path survives a reboot.

I don't think openvpn restart is even necessary, I think openvpn reads CRL on each client connect.