Now that you have a fully functional OpenVPN connection, it sure does give you a valid sense of security doesn't it? There are still a few more things you should know in order to extend what the software can do.
Revoking access: kicking out the riff raff
In a perfect world everyone you hired, or are collaborating with, would be gracious and understanding when you no longer require their services. Unfortunately allowing them access to your network after their departure is a serious security liability and is generally ill-advised unless you want all manner of company secrets to leak out long after they're gone.
Then there are those cases where a machine may have fallen into the wrong hands. Thankfully the process for removing the access privileges to your network takes a few easy steps. You'll likely want to know which client you want to stop accessing your server first and foremost, which you have been dutifully cataloging since you've begun using the software.
Open up your trusty command prompt and change the directory until you're in your OpenVPN's working easy-rsa directory. From there the first two commands you'll want to run are:
The requisite text scroll should inform you that the software has created a file called crl.pem which contains keys that you have chosen to prevent access to your OpenVPN server. You'll want to copy this file to a location that OpenVPN can access and add the following to your server's configuration file:
If everything has gone smoothly you'll have yourself a freshly secured server which is no longer accessible to those you've added to the crl file. For those users that keep a constant connection to the server you'll want to restart the server in order to sever any current links.
A quick tip lest ye forget: vars
There is a simple command to remember for future reference should you require the services of the key building functionality in OpenVPN, which you will, and it just happened to be mentioned earlier:
You won't be able to create any new keys for your clients without running it again and it's something that's easily forgotten, which will lead to quite a bit of lost time trying to track down errors in your installation before realizing that you need this simple command.
Continued from Page 1.
OpenVPN management options
Things can tend to get a bit confusing what with all of the command-line acrobatics in order to make OpenVPN do what you want it to do. What better way to ease your workload by enabling the management interface. You'll want to load the following line into your server, or client, configuration file:
management localhost ****
Where the asterisks are the port number you'd like the interface to run on. Once you have it loaded, you can freely telnet into the OpenVPN interface and run all manner of commands with the handy client kill command being a fan favorite should users get rowdy.
The one drawback is that by design (yeah, really) the management interface has no security layer covering it. It's highly advisable that you not attempt to make it remotely accessible to the Internet at large as some unscrupulous individual is sure to attempt to log in and cause all sorts of havoc over telnet.
As command-line centric as OpenVPN is there have been attempts to get some user friendliness injected into the works. Open-source projects such as OpenVPN Control, which you'll need to enable the management interface for, and OpenVPN Admin try, with varying degrees of success, to make the whole process a little less painful.
OpenVPN Admin does a commendable job attempting to wrangle the dizzying array of settings, keys, and ports so you don't have to. It provides the same visual aids OpenVPN GUI offers although it has its fair share of hitching and other unsightly delays which might just have you running back to the good old command-line and OpenVPN GUI mix.
That about covers our series on OpenVPN and how it can improve security for any application requiring remote access to your network. Managing it all may be a bit tedious, and the tool set to compliment the program isn't exactly there on the Windows OS front, but it's too powerful of an open-source option to pass up.
This article was first published on EnterpriseITPlanet.com.