
Comments (8)

bnhf commented on August 28, 2024

@karabelnikov

Is the screenshot you sent me from another fork of the original openvpn-web-ui project? If so, which fork? I like this approach for revocation.

from openvpn-admin-plus.

karabelnikov commented on August 28, 2024

@bnhf

This is not a fork, it's just a bit of my imagination and a couple of actions in the web browser inspector :)) 😎
In fact, it's not difficult to implement: you need to add the same HTML block as for issuing the certificate, make a script for verification, and bind it to the action of the revocation button with the variable "name" in the field.
And it will work.


bnhf commented on August 28, 2024

@karabelnikov

I've implemented a certificate revocation and removal capability in OpenVPNAdmin. Give it a try when you have a chance. I'll include a suggested Docker compose below, as you won't be able to pull it using the GitHub method. Make sure you supply the required environment variables at the bottom of your Portainer Stack as well.

Screenshot 2022-12-06 151212

version: '3'
services:
  gui:
    image: bnhf/pivpn-tap-web-ui:beta
    container_name: openvpn-gui-tap
    environment:
      # Web UI admin login (example values)
      - OPENVPN_ADMIN_USERNAME=admin
      - OPENVPN_ADMIN_PASSWORD=b3secure
      # Certificate subject fields, supplied as stack environment variables
      - COUNTRY=${COUNTRY}
      - PROVINCE=${PROVINCE}
      - CITY=${CITY}
      - ORG=${ORG}
      - EMAIL=${EMAIL}
      - OU=${OU}
      - PIVPN_SERVER=${PIVPN_SERVER}
      - PIVPN_CONF=${PIVPN_CONF}
      - TZ=${TZ}
    ports:
      - "8080:8080/tcp"
    restart: always
    volumes:
      # Host OpenVPN directory, shared with the container
      - /etc/openvpn:/etc/openvpn
      - ./openvpn-data/db:/opt/openvpn-gui-tap/db


bnhf commented on August 28, 2024

@karabelnikov

I've made a couple of changes already you won't see in the Beta. The missing value for "Common Name" aka "CN" has been fixed. Also, I decided to change the button color for downloading revoked certificates from green to red, to more accurately reflect their state.

I'm still trying to figure out a way to get the main page to update "automagically" when a client disconnects, but OpenVPN itself seems to be slow to recognize that event and assumes the client is trying to reconnect. That'll probably end up being a future upgrade. Also, I have the home page set to auto refresh every 20 seconds, which at least keeps the time more current.


karabelnikov commented on August 28, 2024

@bnhf

Hi! Great job!
During this time, I made some cosmetic edits to the HTML pages and my CSS file in the Docker container. Then I made a copy of the openvpn-gui-tap folder from the container to my host machine. I also changed the .tpl template files for the server and clients for myself.

Now I make all the changes to the Docker container itself and then make a backup copy of these files to the host. I just updated the pivpn-tap-web-ui binary and the certificates.html file from your new beta container, and this will work for me! I also changed the certificates.html page a bit for myself; I attach a screenshot. But there is one problem: when the certificate is revoked, for some reason the crl.pem certificate revocation list is not updated. Because of this, the client can connect again, even after restarting the OpenVPN service.

screencapture-vpn-server-local-8080-certificates-2022-12-07-19_57_30

When revoking, the file is first updated at the path /etc/openvpn/easy-rsa/pki/crl.pem, and then the crl.pem file must be copied to the /etc/openvpn folder for the OpenVPN service to read it. But for some reason, after the revocation via the web interface, the crl.pem file is not updated anywhere. Can you check it yourself? After the revocation, the client definitely connects.

Regarding the monitoring of clients on the main page, I also want to insert a js script for automatic page updates every 30 seconds. Is there a way to make the clients' connections display in real time??? It would be nice!


bnhf commented on August 28, 2024

@karabelnikov

Looks like I missed a step, which is to generate an updated crl.pem -- do you agree? Also, I believe with the latest version of easy-rsa that file should be generated in, and remain in, /etc/openvpn/easy-rsa/pki. So the server.conf crl-verify directive will need to be changed to have that new path in the template.


karabelnikov commented on August 28, 2024

@bnhf

Yes, I agree, you probably missed the step that creates the crl.pem file in /etc/openvpn/easy-rsa/pki.
Friend, I repeat, I use the script https://github.com/angristan/openvpn-install for auto installation of OpenVPN. This script copies the files ca.crt, ca.key, server_nameXXX.crt, server_nameXXX.key and ta.key to the /etc/openvpn folder for the convenience of the script. But these files can only be read as root, so it does not violate the security policy. In fact, it doesn't matter where the files are located; only root has access to them.

Can you add the code so that the crl.pem file is also copied to the /etc/openvpn folder??? This will ensure compatibility with my installation. I would be very grateful to you. Waiting for an update :))

I will also open another thread to discuss another issue, which is related to issuing a certificate and specifying an access password. Through the script, I have 2 options to create a certificate: without specifying a password when connecting, and with a connection password. The web interface does not have such a function. I will create a new task so that we can solve this issue with you.
Thanks!


bnhf commented on August 28, 2024

@karabelnikov

I'm fairly confident this issue has been sorted out -- so I've merged the code such that beta and latest are now the same.

I'm glad this project is working out for you as it is. However, I do want to re-emphasize that this small project is designed for use with OpenVPN server installations using the PiVPN script. I won't be making any changes or additions, unless they conform to what PiVPN does for their installation standards.

As it happens, PiVPN looks to be installing crl.pem in both /etc/openvpn/easy-rsa/pki and /etc/openvpn -- likely for some backward compatibility. So, the current revocation routine is revoking via easyrsa, generating a new /etc/openvpn/easy-rsa/pki/crl.pem file and duplicating it in /etc/openvpn.

from openvpn-admin-plus.
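
The revocation routine described in the last comment (revoke via easyrsa, regenerate crl.pem, duplicate it in /etc/openvpn), as an added example that is not part of the thread or the project's code. The function names, the name filter and the final CRL check are assumptions for illustration; the paths are the ones named in the thread.

```sh
#!/bin/sh
# Added example, not the project's code. Paths are the ones named in the thread.
EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"

# The client name comes from a web form: allow only a safe character set.
valid_client_name() {
  case "$1" in
    ''|-*|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Print the serial(s) that easy-rsa's index.txt marks revoked ("R") for a CN.
revoked_serials() {  # usage: revoked_serials INDEX_FILE NAME
  awk -F'\t' -v cn="/CN=$2" '$1 == "R" && $NF == cn { print $4 }' "$1"
}

# Copy via temp file + rename so OpenVPN never reads a half-written CRL.
# Mode 0644 keeps it readable after the daemon drops privileges.
publish_crl() {  # usage: publish_crl SRC DST
  crl_tmp="$2.tmp.$$"
  cp -- "$1" "$crl_tmp" && chmod 644 "$crl_tmp" && mv -f -- "$crl_tmp" "$2" \
    && cmp -s "$1" "$2"
}

revoke_client() {  # usage: revoke_client NAME
  valid_client_name "$1" || { echo "invalid client name" >&2; return 2; }
  ( cd "$EASYRSA_DIR" && ./easyrsa --batch revoke "$1" && ./easyrsa gen-crl ) \
    || return 1
  publish_crl "$EASYRSA_DIR/pki/crl.pem" "$OPENVPN_DIR/crl.pem" || return 1
  # Confirm the published CRL actually lists the serial just revoked.
  serial="$(revoked_serials "$EASYRSA_DIR/pki/index.txt" "$1" | tail -n 1)"
  [ -n "$serial" ] || { echo "no revoked entry for $1" >&2; return 1; }
  openssl crl -in "$OPENVPN_DIR/crl.pem" -noout -text \
    | grep -qix "[[:space:]]*Serial Number: $serial" \
    || { echo "serial $serial missing from published CRL" >&2; return 1; }
  echo "revoked $1 (serial $serial)"
}

# Stand-alone use: sh revoke.sh revoke NAME
if [ "${1:-}" = "revoke" ]; then revoke_client "${2:-}"; fi
```

The last check in `revoke_client` catches the failure reported earlier in the thread, where the certificate was revoked but the CRL that OpenVPN reads was never refreshed.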
