Revoke OpenVPN Access

tags:

openvpn

views:

2044

answers:

Revoke OpenVPN Access

An employee has left the company, so we need to revoke his OpenVPN access. Unfortunately, we don't have a good record of which certs were created or being used. He probably has multiple certificates (one for each of his systems).

How do I:

Find out what certs are being used
Find out who is using them (so I'm not blocking legitimate users)
Block the ones that I don't want to be given access

+1 A:

Straight from the source:

OpenVPN HowTo

Craig Walker 2008-11-11 18:23:40

Find out what certs are being used

Check the logs.

Find out who is using them (so I'm not blocking legitimate users)

Reconcile the logs with the known IPs of the user?

Block the ones that I don't want to be given access

Ya got me there. It's been so long since I've used OpenVPN I can't remember if you can disable/remove individual certificates.

(P. S. Thank you yet-another-mark-up-language for renumbering my 1-2-3 into 1-1-1.)

Teflon Ted 2008-11-11 18:28:32

"Check the logs" doesn't work if: 1) The ex-employee isn't currently connected and 2) Other valid employees aren't currently connected

Craig Walker 2008-11-11 18:29:56

"Reconcile the logs with the known IPs of the user?": Trouble is that the IPs aren't known either.

Craig Walker 2008-11-11 18:30:34

Here's what I did:

Create a test cert so that I could validate my process.
Create a new CA to sign the new certificates.
Create a new server ca. Note that this step is not necessary; the clients could still validate the old server cert against the old ca. However, I wanted to start fresh.
Create new client certs for all clients.
Add the new CA to the ca.crt file, in addition to the old CA. This allows both new and old clients to connect, which is useful for testing.
Distribute the new certs and CA to the clients
Restart OpenVPN on clients and server

Note: OpenVPN appears to use a cert revocation list. That's too bad. It would be preferable (from a security point of view) to have it use an access list, where certs are denied by default. That way, if there were unknown certs out there (ex: if this ex-employee made his own before he was terminated) then we wouldn't run the risk of having a backdoor into the system.

Craig Walker 2008-11-11 18:28:34

This _is_ a deny-by-default model. The problem is that the "access list" is the set of valid certificates, and the whole PKI/certificate signing model is based on the assumption that the CA has perfect records of all certs it generated. Good luck with your refresh!

Adam Liss 2008-11-11 20:52:36

I'm not a security expert so I can't really debate terminology. Still, I see it currently as "All minus a few" rather than "None plus a few"... which IMO is backwards.

Craig Walker 2008-11-11 21:30:20

Do you know what IPs the former employee was using? If not, I think you're going to have a tough time reconciling the logs, and you'd be better off starting to reissue certs to people who are using them, and revoking all the other ones.

And this time, you can keep a log. :-)

Peter Crabtree 2008-11-11 18:39:09

IPs: unfortunately, no.

Craig Walker 2008-11-11 18:54:03

+3 A:

This might be a good time for an audit. Might as well solve the underlying problem before it turns into a disaster.

Depending on your circumstances you might:

Ask your users to connect to the VPN by a certain deadline so you can capture their certificate information and disable any who haven't connected, or
If nothing mission-critical is at stake, disable all certificates and ask your users to contact you to re-enable their access.

Either way, you'll end up knowing exactly where each active certificate is.

Adam Liss 2008-11-11 18:42:42

Good ideas. They're probably not implementable in this particular situation, but I think you're still worth an upvote.

Craig Walker 2008-11-11 18:53:31

+1 A:

Whatever you decide to do, you should make sure it's not something you are going to have to do again the next time someone leaves.

It will probably also involve disturbing the other users because nobody thought about this up front.

The simplest might be to create a second layer of security, perhaps a password protected program that everyone has to run within a minute of logging in. If they don't run it, the system will kick them and tag their cert as questionable for you to review. If they do run it, it tags their cert as authorized and they shouldn't have to do it ever again.

Bill K 2008-11-11 18:46:24

Well, no matter what we'll have to adjust the permissions. I'm hoping that it'll be easy enough that it won't be a burden in the future.

Craig Walker 2008-11-11 18:51:45

Certificate Revokation appears to be the major method OpenVPN supports. In order to do this securely, you must be certain that you know about every signed certificate ever created. Perhaps some environments can rely on this, but we can't.

Therefor, the only sure way to allow only certain people onto the network is to reenerate the certificates (both server and client), reissue them, and then reconfigure all the clients. That's definitely an ugly process.

I think the best bet is to enable an alternative authentication method, use that to allow/restrict access, and not worry so much about revoking certificates.

Craig Walker 2008-11-11 19:38:14

+3 A:

You can restrict access by Common Name (CN).

Check the section of the OpenVPN docs that covers the ccd-exclusive option: create a "Client Configuration Directory" on the server and place a file in this directory for each valid user. Any user without a corresponding file will be denied access.

Adam Liss 2008-11-12 04:06:15

ansaurus

tags:

views:

answers:

Revoke OpenVPN Access

You can restrict access by Common Name (CN).

related questions