# Advanced Client Management

## Client Configuration Mode

The [`ovpn_getclient`](/bin/ovpn_getclient) script can produce two different versions of the client configuration.

1. combined (default): all needed configuration and cryptographic material is written into one file (use `combined-save` to write that file to the same path the `separated` mode uses).
2. separated: the configuration and the cryptographic material are written as separate files.

Note that some client software might be picky about which configuration format it accepts.

## Client List

See an overview of the configured clients, including revocation and expiration status:

    docker run --rm -it -v $OVPN_DATA:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_listclients

The output is generated using `openssl verify`. Any verification error other than `X509_V_ERR_CERT_HAS_EXPIRED` or `X509_V_ERR_CERT_REVOKED` is shown with the status `INVALID`.
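To show how such a status column can be derived, here is an added shell example; it is not the project's own `ovpn_listclients` script. It runs `openssl verify` with CRL checking against an easy-rsa style PKI and maps the printed result to a status. The PKI layout (`pki/ca.crt`, `pki/crl.pem` and `pki/issued/*.crt` under `/etc/openvpn`) and the labels `VALID`, `EXPIRED` and `REVOKED` are assumptions of this example; only `INVALID` is taken from the text above.

```shell
#!/bin/sh
# Added example (not part of the docker-openvpn project's scripts).
# Assumptions: OpenSSL prints "certificate has expired" for
# X509_V_ERR_CERT_HAS_EXPIRED and "certificate revoked" for
# X509_V_ERR_CERT_REVOKED, and a clean verification ends with ": OK".

# classify_verify_output OUTPUT
# Prints VALID, EXPIRED, REVOKED or INVALID for the given `openssl verify` text.
classify_verify_output() {
    out="$1"
    # Error strings are matched before the OK marker: older OpenSSL releases
    # print "OK" even after reporting an error, so the error has to win.
    case "$out" in
        *"certificate has expired"*) echo "EXPIRED" ;;
        *"certificate revoked"*)     echo "REVOKED" ;;
        *"error "*)                  echo "INVALID" ;;  # any other X509_V_ERR_*
        *": OK"*)                    echo "VALID" ;;
        *)                           echo "INVALID" ;;  # no verdict (missing file, bad PEM, ...)
    esac
}

# client_status CA_CRT CRL_PEM CLIENT_CRT
# Verifies one client certificate against the CA *and* the CRL, so a client
# revoked with ovpn_revokeclient is reported as REVOKED even though its
# certificate is still within its validity period.
client_status() {
    ca="$1"; crl="$2"; cert="$3"
    out=$(openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" 2>&1)
    classify_verify_output "$out"
}

# list_client_status PKI_DIR
# Prints "<cn> <status>" for every certificate in PKI_DIR/issued (assumed
# layout). Note that issued/ also holds the server's own certificate.
# usage: list_client_status /etc/openvpn/pki
list_client_status() {
    pki="$1"
    for cert in "$pki"/issued/*.crt; do
        [ -e "$cert" ] || continue
        cn=$(basename "$cert" .crt)
        printf '%s %s\n' "$cn" "$(client_status "$pki/ca.crt" "$pki/crl.pem" "$cert")"
    done
}
```

`classify_verify_output` is deliberately a pure text classifier so it can be exercised without a PKI; `client_status` is where the real `openssl verify -crl_check` call happens and needs the container's files.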

## Batch Mode

If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.

Execute the following to generate the configuration for all clients:

    docker run --rm -it -v $OVPN_DATA:/etc/openvpn --volume /tmp/openvpn_clients:/etc/openvpn/clients registry.gitlab.com/ix.ai/openvpn ovpn_getclient_all

After doing so, you will find the following files in each of the `$cn` directories:

    ca.crt
    $cn-combined.ovpn # Combined configuration file format. If your client recognizes this file then only this file is needed.
    $cn.ovpn          # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
    $cn.crt
    $cn.key
    ta.key

## Revoking Client Certificates

Revoke `client1`'s certificate and generate the certificate revocation list (CRL) using the [`ovpn_revokeclient`](/bin/ovpn_revokeclient) script:

    docker run --rm -it -v $OVPN_DATA:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_revokeclient client1

The OpenVPN server re-reads the CRL every time a client connects (no server restart is needed) and denies access to clients presenting revoked certificates.

You can optionally pass `remove` as the second parameter to `ovpn_revokeclient` to also delete the corresponding crt, key and req files:

    docker run --rm -it -v $OVPN_DATA:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_revokeclient client1 remove