Manage OpenVPN keys with Easy-RSA

Key Cabinet

On Revocation

When employees leave their employer, admins need to make sure they prevent further VPN access. At the Charité, this is done with the revoke_remove_cert_without_user script (Listing 4), which uses checkCertWithoutUser.pl to generate a list of certificates for which active users are missing and pipes this list to revoke_and_delete, which uses Easy-RSA to revoke the certificates and delete the key material (Figure 3). The certificates are only irreversibly deleted after a transitional period of three months, because "often users come back within three months," explained Hildebrandt, "in which case, they don't want to impose the burden of having to install a new configuration or new certificates."

Listing 4

revoke_remove_cert_without_user

#!/bin/sh
# List certificates whose owner no longer has an active account and hand each
# one to revoke_and_delete; xargs does nothing if the list is empty.
/opt/openvpn/scripts/checkCertWithoutUser.pl | xargs --no-run-if-empty --replace /opt/openvpn/scripts/revoke_and_delete {}
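The first stage of that pipeline, as an added example that is not the Charité checkCertWithoutUser.pl: it reads Easy-RSA 3's pki/index.txt (the OpenSSL ca database), compares the CN of every still-valid certificate against a file of active usernames (a hypothetical path), and prints the orphaned names one per line, ready for the xargs stage in Listing 4. Already revoked or expired entries and the server certificate are skipped.

```shell
#!/bin/sh
# Added example (not the Charité checkCertWithoutUser.pl): list valid client
# certificates in an Easy-RSA 3 pki/index.txt whose CN has no active account.
# index.txt is OpenSSL ca's tab-separated database: status (V/R/E), expiry,
# revocation date, serial, filename, subject. Active users: one name per line.
set -eu

# Print, one per line, the CN of every certificate still marked valid ("V")
# whose CN is not in the active-users file. Already revoked ("R") and
# expired ("E") entries are skipped, as is the server certificate named in $3.
certs_without_user() {
    index="$1"; users="$2"; server="${3:-}"
    awk -F'\t' -v srv="$server" '
        # first file: active usernames
        FILENAME == ARGV[1] { active[$1] = 1; next }
        # second file: index.txt; subject looks like /CN=alice or /CN=alice/name=Alice
        $1 == "V" {
            n = split($6, parts, "/")
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^CN=/) {
                    cn = substr(parts[i], 4)
                    if (cn != srv && !(cn in active)) print cn
                }
        }' "$users" "$index" | sort -u
}

# Constructed sample data (not from the article) so the check runs offline:
# the server cert, an active user, a departed user, and a cert already revoked.
demo() {
    d=$(mktemp -d)
    {
        printf 'V\t330101000000Z\t\t01\tunknown\t/CN=vpn-server\n'
        printf 'V\t330101000000Z\t\t02\tunknown\t/CN=alice/name=Alice\n'
        printf 'V\t330101000000Z\t\t03\tunknown\t/CN=bob\n'
        printf 'R\t330101000000Z\t230101000000Z\t04\tunknown\t/CN=carol\n'
    } > "$d/index.txt"
    printf 'alice\n' > "$d/active_users"
    certs_without_user "$d/index.txt" "$d/active_users" vpn-server   # prints: bob
    rm -rf "$d"
}
```

Because only "V" rows are considered, a certificate that revoke_and_delete has already revoked is never reported a second time, so the pipeline is safe to run from cron.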

There You Go!

According to Hildebrandt, the Charité system, which now manages 17,000 users, surprised even the administrators: Working with Easy-RSA is smooth and stable in enterprise operation. "The advantage of Easy-RSA is clearly in its stability: the thing simply does exactly what you tell it to do – 100% and reliably," said Hildebrandt. "In more than 10 years of operation, it has never caused us trouble and always provided exactly the high-level commands we need to generate and withdraw certificates."

The configurations generated in this way also work with mobile devices, thanks to the practical OpenVPN format with inline (embedded) keys. The configuration, certificates, and keys can be inserted directly into the configuration file without reference to other files, so users only have one configuration file for access, which significantly increases acceptance. This setup works fine with modern smartphones, as well.

That the private keys are not password protected is less critical than it sounds: "Password protection during access is achieved via LDAP authentication, which is linked to Active Directory," explained Hildebrandt. "Every user has to enter their password anyway when they log in. Although this is the most frequently mentioned annoyance for users, it is necessary."

Additionally, neither Android nor iOS allows a web proxy to be set via autoconfig. "Our users can use VPN, but the main purpose is to surf the web through our proxies, because they get full access to scientific journals and papers," said Hildebrandt. With Chrome OS, you can set exactly one proxy for a VPN connection.

The Author

Markus Feilner is a Linux and security expert from Regensburg, Germany. The trainer, author, consultant, and keynote speaker has been working with Linux and open source software since 1994.
