Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.1 Legacy Series
»
CRL management for OpenVPN
« previous
next »
Print
Pages: [
1
]
Author
Topic: CRL management for OpenVPN (Read 5960 times)
xofer
Newbie
Posts: 42
Karma: 2
CRL management for OpenVPN
«
on:
June 04, 2019, 05:24:32 pm »
We are signing our VPN user certificates outside OPNsense box.
Where does OPNsense save the CRL that is imported through the web gui?
Can I upload the CRL to OPNSense box without importing it through the web GUI? For instance with scp. Or have OPNsense pull the CRL from another server at an interval? Or upload it through an URL call?
«
Last Edit: June 04, 2019, 05:27:10 pm by xofer
»
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: CRL management for OpenVPN
«
Reply #1 on:
June 05, 2019, 07:15:38 am »
ATM it's only supported for local used CRL.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
xofer
Newbie
Posts: 42
Karma: 2
Re: CRL management for OpenVPN
«
Reply #2 on:
June 05, 2019, 09:32:31 am »
I understand that a copy of the CRL is saved locally.
I am currently uploading the CRL manually from admin every time I revoke a cert. As i have several Opnsense machines, it is quite cumbersome. I would like to automate this update either by SSH or API call or something like that.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: CRL management for OpenVPN
«
Reply #3 on:
June 05, 2019, 10:00:03 am »
Why don't you move the CA to OPNsense and manage it there? Then it would be automatic.
Otherwise you could play around with cronjobs ...
https://openvpn.net/archive/openvpn-users/2006-01/msg00456.html
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
xofer
Newbie
Posts: 42
Karma: 2
Re: CRL management for OpenVPN
«
Reply #4 on:
June 05, 2019, 10:55:35 am »
Well, thank you for contributing, but neither of your answers addresses the question I asked in any way...
> Why don't you move the CA to OPNsense and manage it there?
As I said - I have several opnsense boxes which serve openvpn to clients. Clients have a certificate which is signed by a CA which all of the openvpn boxes trust. Even if i did the signing and revoking in an opnvpn box, I would still have to distribute the CRL to the rest of them - so it would solve nothing. Moreover - I am using the client certificate to authenticate clients against other services in other servers which also need the CRL.
I have a script that revokes a client and uploads the CRL to all the services involved. But I have not found a good way to do it in opnsense - and that is what I am asking. An API call or file path to where i can scp upload to update the CRL. Currently the only way to achieve that seems to be to update the CRL via admin interface manually.
Cron jobs have absolutely nothing to do with this matter.
I guess if there is no easier way, I will just make a curl script to emulate the upload via admin.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: CRL management for OpenVPN
«
Reply #5 on:
June 05, 2019, 12:18:19 pm »
- Configure CRL on instance
- Check serverX.conf via CLI
- Remeber crl-verify syntax and filename
- Disable CRL and add the same line via Custom Options
- Copy your CRL via preferred method and restart OpenVPN (/usr/local/etc/rc.d/openvpn onereload)
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
xofer
Newbie
Posts: 42
Karma: 2
Re: CRL management for OpenVPN
«
Reply #6 on:
June 06, 2019, 05:22:59 pm »
Having crl-verify in Custom Options is a great idea. I can even use a different filename so it wont be overwritten. I'll have to check, what path survives a reboot.
I don't think openvpn restart is even necessary, I think openvpn reads CRL on each client connect.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.1 Legacy Series
»
CRL management for OpenVPN