OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

Deleted user could still login #523

Closed sid21rane closed 3 months ago

sid21rane commented 3 months ago

I am using OpenVPN open-source community version. OpenVPN version is 2.4.6 and it's installed on Amazon Linux 2 OS.

I do not have a GUI or commands like sacli installed. I couldn't install the sacli command either, hence I deleted all of the user-related files such as key, crt, ovpn and the user entry from the db file index.txt in order to remove the user account.

Later I found that the user was still able to login using his openvpn credentials and the ovpn file.

Can someone please guide me on the right steps to ensure this does not happen in future. Also, how to install OpenVPN commands like sacli on CentOS / Amazon Linux 2? Will having a UI help here, and how can we get the UI working?

regards, Siddharth R

ordex commented 3 months ago

OpenVPN authenticates users by using the X509 / PKI logic. This means that as long as the client owns a valid cert/key that is signed by your CA it will always be able to connect, regardless of you deleting your local copy of its key/cert.

In the PKI world, if you want to invalidate a certificate, you must revoke it by publishing it on the CRL. So you must create a CRL containing the user certificate ID.

Did you use easy-rsa to create your PKI? If yes, then easy-rsa should be able to help you revoke a cert and create a CRL.

Once you have created the CRL, you have to feed it to the server via the crl-verify directive.
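
The revoke-then-CRL path described above, as an added example (not the OpenVPN project's or the commenters' code): it builds a throwaway CA with plain openssl in place of easy-rsa, issues certs for two constructed users (alice, bob), and shows that deleting the server-side copies changes nothing while revoking a cert into a CRL makes the client fail verification. It assumes only the openssl CLI is available; the ca/crl.pem it writes is the kind of file the server's crl-verify directive points at.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): a throwaway openssl PKI standing in for
# the easy-rsa CA. Deleting server-side copies does not lock a client out; a CRL does.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir -p ca/newcerts; touch ca/index.txt; echo 1000 > ca/serial
cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo-ca -days 365 \
  -keyout ca/ca.key -out ca/ca.crt -config ca/openssl.cnf 2>/dev/null
# Issue a client cert: the user keeps this copy inside the .ovpn profile.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" \
    -out "$1.csr" -config ca/openssl.cnf 2>/dev/null
  openssl ca -batch -notext -config ca/openssl.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}
# Regenerate the CRL: the file the server's crl-verify directive points at.
gen_crl() { openssl ca -gencrl -config ca/openssl.cnf -out ca/crl.pem 2>/dev/null; }
# Revoke one client (easy-rsa equivalent: "easyrsa revoke NAME" then "easyrsa gen-crl").
revoke_client() { openssl ca -config ca/openssl.cnf -revoke "$1.crt" 2>/dev/null; gen_crl; }
# The check the server makes on connect: chains to the CA and is not listed in the CRL.
verify_client() { openssl verify -CAfile ca/ca.crt -crl_check -CRLfile ca/crl.pem "$1.crt" >/dev/null 2>&1; }
issue_client alice; issue_client bob; gen_crl
rm -f ca/newcerts/*.pem        # delete the server-side copies, as in the report ...
verify_client alice && echo "alice still accepted: her own cert/key copy is intact"
revoke_client alice            # ... revocation is what actually closes the door
verify_client alice || echo "alice rejected: her serial is now in ca/crl.pem"
verify_client bob && echo "bob still accepted"
```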

ordex commented 3 months ago

Closing this issue as this is not a software bug, but rather a request for help. For further discussions please also visit the OpenVPN forum or the IRC channel.

This platform is only for bug tracking.