How To Remove/Revoke OpenVPN Server’s Clients From OpenVPN Server On RHEL/CentOS 6/7

In this article, we will learn to remove an OpenVPN client and block it from accessing the OpenVPN server. In our previous article we learned to Add/Create a New OpenVPN Client Key for OpenVPN Server; this is simply the reverse.

Reason For Revoke Client Access

There are several reasons to revoke a client's access: the key was lost or stolen and the servers and network must be protected; a user is leaving the organization and his or her key has to be terminated; or, most commonly, the client key is simply no longer needed.

Note: If you are a sudo user, prefix every command with sudo, e.g. sudo ifconfig

If you want to read more articles on OpenVPN, follow the links given below.

Part 1:  How To Install And Setup OpenVPN Server On CentOS/RHEL 7?
Part 2: How To Install And Setup OpenVPN Server On CentOS/RHEL 6?
Part 3: Setup Linux And Windows Clients To Connect With OpenVPN Server In RHEL/CentOS 6/7
Part 4: How To Add/Create A New OpenVPN Client For OpenVPN Server In CentOS/RHEL 6/7
Part 6: How To Remove OpenVPN Server from CentOS/RHEL 6/7

Prerequisites:

A pre-installed and running OpenVPN server.
An issued client key/certificate that you want to revoke.

Scenario

OpenVPN server: 192.168.1.188 – Already Running
OpenVPN Client: 192.168.1.19

Let’s Start

Before revoking a client key you should be clear and specific about which key is meant, so we first identify the key and only then delete it.

Note: All activities in this article are done on the OpenVPN server.

Step 1: Figure Out The Key For Removal

Be specific when removing or revoking a client key: removing the wrong key locks out every user who was using it. To check the presence or absence of a key, use the following commands.

This command counts the valid client certificates on the OpenVPN server. Each line of pki/index.txt is one certificate issued by the easy-rsa CA; tail -n +2 skips the first line, which in this setup is the server's own certificate (the first one issued), and grep "^V" keeps only entries whose status is V (valid) rather than R (revoked). The output shows that this OpenVPN server has 2 client keys.

[root@localhost easy-rsa]# tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V"
2

Now we can list the names (certificate CNs) of all client keys present on the OpenVPN server. The cut -d '=' -f 2 works here because easy-rsa's default cn_only DN mode writes the subject as just /CN=name.

[root@localhost easy-rsa]# tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2
client
newClient

Step 2: Revoke Certificate For Selected Client

We have listed all our clients. For this example we will revoke access for newClient and then regenerate the CRL.

Note: replace newClient with the client name from your own scenario.

[root@localhost easy-rsa]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# ./easyrsa --batch revoke newClient
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Revoking Certificate 04.
Data Base Updated
[root@localhost easy-rsa]# rm -rf /etc/openvpn/crl.pem

In this step we revoked newClient's certificate (easy-rsa marks its entry in index.txt as R) and deleted the old CRL file. Deleting the CRL is optional, since the cp in Step 4 overwrites it anyway; if you do delete it, finish Step 4 promptly, because a running server configured with crl-verify has no CRL to consult until the new file is in place.

Step 3: Delete Associated Keys And Certificates

After revoking the client we can delete the '.req', '.key' and '.crt' files that belong to it, since they are no longer needed. Run the following commands to clear the unneeded files from the server. Note that this cleanup is housekeeping only: what actually blocks the client is the revocation recorded in index.txt and published through the CRL, and the client still holds its own copy of the key and certificate.

[root@localhost easy-rsa]# rm -rf pki/reqs/newClient.req
[root@localhost easy-rsa]# rm -rf pki/private/newClient.key
[root@localhost easy-rsa]# rm -rf pki/issued/newClient.crt

We have deleted the revoked client's request, key and certificate.

Step 4: Regenerate The New CRL File

Because we deleted the CRL file in Step 2, we need to recreate it. CRL stands for Certificate Revocation List: a list, signed by the CA, of the serial numbers of certificates the CA no longer trusts. An OpenVPN server configured with crl-verify /etc/openvpn/crl.pem in its server.conf checks each connecting client's certificate against this list during the TLS handshake and denies access to clients that are no longer trusted.

[root@localhost easy-rsa]# ./easyrsa gen-crl
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

After generating it, copy the file into OpenVPN's working directory so that the running server can read it.

[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem

Now change the ownership of the newly created CRL. The server drops its privileges to nobody after startup (user nobody / group nobody in server.conf) and re-reads the CRL on every client connection, so the file must be readable by that user.

[root@localhost easy-rsa]# chown nobody:nobody /etc/openvpn/crl.pem
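The four steps above wrapped into one script, with the checks a practitioner wants before and after revoking. This is an added example and not part of the original article. It assumes an easy-rsa 3 layout under EASYRSA_DIR, that the server certificate's CN is "server", and that server.conf already carries crl-verify /etc/openvpn/crl.pem; the script name revoke-client.sh and the sample index.txt are made up for this example.

```shell
#!/bin/sh
# Added example (not the article's own code): Steps 1-4 as one procedure.
# Assumptions (ours): easy-rsa 3 layout under EASYRSA_DIR, server cert CN is
# "server", and server.conf already has "crl-verify /etc/openvpn/crl.pem".
EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"
SERVER_CN="${SERVER_CN:-server}"
CRL_DEST="${CRL_DEST:-/etc/openvpn/crl.pem}"

# pki/index.txt is tab separated:  status  expiry  revoked-at  serial  file  DN
# status is V (valid), R (revoked) or E (expired). The DN may carry more than
# a CN (org-mode PKIs), so the CN component is picked out explicitly instead
# of relying on "cut -d '=' -f 2", and the server certificate is dropped by
# name rather than by assuming it is the first line.

# list_clients INDEX STATUS  -> CN of every client entry with that status
list_clients() {
    awk -F'\t' -v want="$2" -v server="$SERVER_CN" '
        $1 == want {
            n = split($6, part, "/"); cn = ""
            for (i = 1; i <= n; i++) if (part[i] ~ /^CN=/) cn = substr(part[i], 4)
            if (cn != "" && cn != server) print cn
        }' "$1"
}

# serial_of INDEX CN  -> serial (hex, as easy-rsa records it) of the currently
# valid certificate for CN; prints nothing if there is none
serial_of() {
    awk -F'\t' -v cn="$2" '
        $1 == "V" {
            n = split($6, part, "/")
            for (i = 1; i <= n; i++) if (part[i] == ("CN=" cn)) print $4
        }' "$1"
}

# revoke_client CN  -> revoke, regenerate the CRL, install it without a gap,
# verify the serial is on it, then remove the key material (Step 3)
revoke_client() {
    cn="$1"
    [ "$cn" != "$SERVER_CN" ] || { echo "refusing to revoke the server certificate" >&2; return 1; }
    serial=$(serial_of "$EASYRSA_DIR/pki/index.txt" "$cn")
    [ -n "$serial" ] || { echo "no valid certificate for '$cn'" >&2; return 1; }
    (
        cd "$EASYRSA_DIR" || exit 1
        ./easyrsa --batch revoke "$cn" || exit 1
        ./easyrsa gen-crl || exit 1
        # Write next to the destination and rename: the running server, which
        # re-reads the CRL on every TLS handshake, never sees a missing file.
        install -m 0644 -o nobody -g nobody pki/crl.pem "$CRL_DEST.tmp" || exit 1
        mv -f "$CRL_DEST.tmp" "$CRL_DEST" || exit 1
        # Confirm the revoked serial really is on the installed CRL.
        openssl crl -in "$CRL_DEST" -noout -text | grep -q "Serial Number: $serial" \
            || { echo "serial $serial missing from $CRL_DEST" >&2; exit 1; }
        rm -f "pki/reqs/$cn.req" "pki/private/$cn.key" "pki/issued/$cn.crt"
        echo "revoked $cn (serial $serial); CRL $(openssl crl -in "$CRL_DEST" -noout -nextupdate)"
    )
}

# Stand-alone demonstration on a constructed index.txt (made up for this
# example: the article's server, client and newClient plus one revoked entry
# from an org-mode DN).
SAMPLE_INDEX=$(mktemp)
printf 'V\t270301120000Z\t\t01\tunknown\t/CN=server\n'    >  "$SAMPLE_INDEX"
printf 'V\t270301120000Z\t\t02\tunknown\t/CN=client\n'    >> "$SAMPLE_INDEX"
printf 'R\t270301120000Z\t200301120000Z,keyCompromise\t03\tunknown\t/C=US/O=Example Org/CN=oldClient\n' >> "$SAMPLE_INDEX"
printf 'V\t270301120000Z\t\t04\tunknown\t/CN=newClient\n' >> "$SAMPLE_INDEX"

if [ -n "${1:-}" ]; then
    revoke_client "$1"          # real run on the server: ./revoke-client.sh newClient
else
    echo "valid clients:";   list_clients "$SAMPLE_INDEX" V
    echo "revoked clients:"; list_clients "$SAMPLE_INDEX" R
    echo "serial of newClient: $(serial_of "$SAMPLE_INDEX" newClient)"
fi
```

Run without arguments it only inspects the constructed sample; run as root with a client name it performs the real revocation. The install-then-rename replaces the article's rm/cp/chown sequence so that /etc/openvpn/crl.pem is never absent while the server is up, and the openssl check catches the case where gen-crl ran but the revocation did not land.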

We have successfully revoked a client's access. Two caveats: revocation is enforced at the TLS handshake, so a client that is already connected keeps its session until it reconnects or renegotiates (every 3600 seconds by default, see reneg-sec); restart the server, or kill that client's session from the management interface if it is enabled, to cut it off immediately. Also, the CRL itself carries an expiry date (EASYRSA_CRL_DAYS, 180 days by default in easy-rsa 3); once it expires the server rejects every client, so regenerate and reinstall the CRL before then. In the next article we will learn to remove an OpenVPN installation from the server completely.
