How To Remove/Revoke OpenVPN Server’s Clients From OpenVPN Server On RHEL/CentOS 6/7
In this article, we will learn how to remove an OpenVPN server's client and restrict that client from accessing the OpenVPN server. In our previous article we learned to Add/Create a New OpenVPN Client Key for OpenVPN Server; this is simply the reverse.
Reason For Revoke Client Access
There are scenarios where we want to secure our servers and network because a key was lost or stolen. Sometimes a user leaves the organization and, as a result, we have to terminate his/her key. And one of the most common scenarios is simply that a client key is no longer needed.
Note: If you are a sudo user, prefix every command with sudo, e.g. sudo ifconfig
If you want to read more articles on OpenVPN, follow the links given below.
Part 1: How To Install And Setup OpenVPN Server On CentOS/RHEL 7?
Part 2: How To Install And Setup OpenVPN Server On CentOS/RHEL 6?
Part 3: Setup Linux And Windows Clients To Connect With OpenVPN Server In RHEL/CentOS 6/7
Part 4: How To Add/Create A New OpenVPN Client For OpenVPN Server In CentOS/RHEL 6/7
Part 6: How To Remove OpenVPN Server from CentOS/RHEL 6/7
Prerequisites:
A Pre-Installed and running OpenVPN Server.
An issued and working OpenVPN client key on that server
Scenario
OpenVPN server: 192.168.1.188 – Already Running
OpenVPN Client: 192.168.1.19
Let’s Start
Before revoking a client key you should be clear and specific about which key it is, so we will identify the key before going for deletion.
Note: All Activities in this article will be done on OpenVPN Server.
Step 1: Figure Out The Key For Removal
You should be specific while removing or revoking a client key, because removing the wrong key will lock out the users who were relying on the accidentally deleted key. So, to check the presence or absence of the key, use the following commands.
This command tells you the total number of client keys on the OpenVPN server. The output shows that this OpenVPN server has 2 keys.
[root@localhost easy-rsa]# tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V"
2
Now we can check and list all the client names/keys which are present on the OpenVPN server.
[root@localhost easy-rsa]# tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2
client
newClient
Step 2: Revoke Certificate For Selected Client
We have successfully listed all our clients. For this example, we will revoke access for newClient and regenerate the CRL after deletion.
Note: replace newClient with the client name from your scenario
[root@localhost easy-rsa]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# ./easyrsa --batch revoke newClient
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Revoking Certificate 04.
Data Base Updated
[root@localhost easy-rsa]# rm -rf /etc/openvpn/crl.pem
In this step, we have revoked access for newClient and deleted the old CRL file.
Step 3: Delete Associated Keys And Certificates
After revoking the client's access we need to delete the '.key' file, the '.crt' file and the '.req' file related to that key. So run the following commands to clear the unneeded files from our server.
[root@localhost easy-rsa]# rm -rf pki/reqs/newClient.req
[root@localhost easy-rsa]# rm -rf pki/private/newClient.key
[root@localhost easy-rsa]# rm -rf pki/issued/newClient.crt
We have now deleted the revoked client's key, certificate and request.
Step 4: Regenerate The New CRL File
Since we deleted our CRL file in step 2, we need to recreate it. CRL stands for Certificate Revocation List. A client application, such as a web browser, can use a CRL to check that a server's certificate has not been revoked. OpenVPN uses this CRL to deny access to clients that are no longer trusted.
[root@localhost easy-rsa]# ./easyrsa gen-crl
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
After generation, copy this file to the OpenVPN working directory so that it is available to the running server.
[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
Now we need to change the ownership of the newly created CRL, because the CRL is read on each client connection after OpenVPN has dropped privileges to nobody. So run the following:
[root@localhost easy-rsa]# chown nobody:nobody /etc/openvpn/crl.pem
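The steps above hinge on naming the right client in Step 1 before handing it to easyrsa in Step 2. The following script is an added example, not part of the article: it parses an easy-rsa 3 index.txt (a constructed sample is embedded; on a real server read /etc/openvpn/easy-rsa/pki/index.txt), lists valid clients by their CN instead of by line position, and refuses to revoke a name that is missing or already revoked. The echo stands in for the real ./easyrsa call.

```sh
#!/bin/sh
# Added example (not from the article): safety checks around Step 1 and Step 2.
# index.txt in easy-rsa 3 is tab separated: status (V/R/E), expiry, revocation
# date, serial, filename, subject.  The sample below is constructed for this
# example; on a real server read /etc/openvpn/easy-rsa/pki/index.txt instead.
SAMPLE_INDEX="$(printf 'V\t290101000000Z\t\t01\tunknown\t/CN=server\nV\t290101000000Z\t\t02\tunknown\t/CN=client\nR\t290101000000Z\t250101000000Z\t03\tunknown\t/CN=oldClient\nV\t290101000000Z\t\t04\tunknown\t/CN=newClient\n')"

# Usage: list_valid_clients INDEX_TEXT [SERVER_CN]
# Prints every CN whose status is V, skipping the server's own certificate by
# name rather than by line position (the article's tail -n +2 assumes the server
# certificate is always the first entry of index.txt).
list_valid_clients() {
  printf '%s\n' "$1" | awk -F'\t' -v server="${2:-server}" '
    $1 == "V" {
      cn = ""; n = split($6, p, "/")
      for (i = 1; i <= n; i++) if (p[i] ~ /^CN=/) cn = substr(p[i], 4)
      if (cn != "" && cn != server) print cn
    }'
}

# Usage: cert_status INDEX_TEXT CN
# Prints the status letter of CN (V valid, R revoked, E expired) or "missing",
# and succeeds only when the certificate is currently valid.
cert_status() {
  status=$(printf '%s\n' "$1" | awk -F'\t' -v want="$2" '
    { n = split($6, p, "/")
      for (i = 1; i <= n; i++) if (p[i] == ("CN=" want)) { print $1; exit } }')
  printf '%s\n' "${status:-missing}"
  [ "$status" = "V" ]
}

# Usage: revoke_if_valid INDEX_TEXT CN
# Guard for Step 2: only hand a CN to easyrsa when it exists and is still valid,
# so a typo cannot silently revoke nothing or the wrong client.
revoke_if_valid() {
  if cert_status "$1" "$2" >/dev/null; then
    echo "would run: ./easyrsa --batch revoke $2"   # replace with the real call
    return 0
  fi
  echo "refusing: $2 is $(cert_status "$1" "$2") in index.txt" >&2
  return 1
}

list_valid_clients "$SAMPLE_INDEX"   # prints client and newClient, one per line
revoke_if_valid "$SAMPLE_INDEX" newClient
```

OpenVPN only consults the regenerated CRL if the server configuration contains a crl-verify directive pointing at /etc/openvpn/crl.pem, so check that line if a revoked client can still connect.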
We have successfully revoked a client's access, and our server is secure again. In the next article we will learn how to remove an OpenVPN installation from the server completely.