I am a long-term OpenWRT and OpenVPN user, but new to this forum. I'm using OpenVPN as a server on my OpenWRT router. A few days ago I set up a new CA using an external EasyRSA and created all necessary certificates for OpenVPN usage. I also thought about a possibility to prohibit VPN access if a device gets compromised or gets lost. As far as I know, a certificate revocation list comes into play to gain such functionality.

Therefore, I created another OpenVPN client certificate for testing purposes only, set up an OpenVPN profile and tested that a connection can be established. Afterwards I revoked the certificate using EasyRSA and created a certificate revocation list. I uploaded the generated PEM file into my OpenWRT router's /etc/openvpn directory, verified the file access rights and added the option `crl-verify '/etc/openvpn/crl.pem'` to my OpenVPN configuration. After restarting OpenVPN, I expected my router to ban client access using the formerly revoked test certificate, but that wasn't the case: a connection was still possible and functioning properly.

After many tests I am of the opinion that my OpenVPN server completely ignores the crl-verify parameter in its config file, because I can enter invalid paths, filenames and even a wrong parameter name, and OpenVPN doesn't complain about it during startup or operation, not even when using verbose '9'.
I didn't find any corresponding help in my many Google searches, so I decided to describe my CRL-related problem here, hoping to get some help. Does anyone operate OpenVPN on OpenWRT using a CRL, and does anyone encounter the same phenomenon, namely that OpenVPN seems to ignore the parameter? It's also possible that I understood things wrong.
Thank you and regards
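The first thing to settle in a situation like the one described above is whether the CRL itself is good, independently of OpenVPN: does it really list the revoked certificate's serial, is it signed by the same CA, and has it not already expired? The script below is an added example, not the poster's files and not EasyRSA output: it builds a throwaway CA, two client certificates and a CRL with plain `openssl` in a temporary directory, revokes one client, and then runs the same CA + CRL verification a VPN server is expected to perform. The CA name (DemoCA), the client names (lost-phone, laptop) and all paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (constructed demo PKI, not the poster's setup or EasyRSA's
# output): check client certificates against a CA and its CRL with openssl.

# crl_check CA_CERT CRL_FILE CLIENT_CERT
# Prints "valid" and returns 0 when CLIENT_CERT chains to CA_CERT and is not on
# CRL_FILE; prints "rejected" and returns 1 otherwise. Note that an expired CRL
# (Next Update in the past) makes every check fail, it never lets clients in.
crl_check() {
    if openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1; then
        echo valid
        return 0
    fi
    echo rejected
    return 1
}

# cert_serial CERT: hex serial number of a certificate, as openssl prints it
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# crl_serials CRL_FILE: hex serial of every certificate listed in the CRL
crl_serials() {
    openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

# crl_lists_serial CRL_FILE SERIAL: returns 0 if SERIAL is on the CRL, else 1
crl_lists_serial() {
    crl_serials "$1" | grep -qx "$2"
}

# build_demo_pki DIR: throwaway CA plus clients "lost-phone" and "laptop" in
# DIR, then revokes lost-phone and writes crl.pem (what EasyRSA's revoke and
# gen-crl steps produce, done here with openssl ca directly).
build_demo_pki() {
    mkdir -p "$1/newcerts" && cd "$1" || return 1
    : > index.txt
    echo 1000 > serial
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir    = newcerts
database         = index.txt
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA; an EC key keeps the demo fast on small boxes
    openssl req -config ca.cnf -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout ca.key -out ca.crt -subj /CN=DemoCA -days 30 -extensions ca_ext \
        >/dev/null 2>&1 || return 1
    for name in lost-phone laptop; do
        openssl req -config ca.cnf -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" \
            >/dev/null 2>&1 || return 1
        openssl ca -config ca.cnf -batch -notext -in "$name.csr" -out "$name.crt" \
            >/dev/null 2>&1 || return 1
    done
    openssl ca -config ca.cnf -revoke lost-phone.crt >/dev/null 2>&1 || return 1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || return 1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo_pki "$DEMO_DIR" || exit 1
for name in lost-phone laptop; do
    printf '%s (serial %s): %s\n' "$name" "$(cert_serial "$DEMO_DIR/$name.crt")" \
        "$(crl_check "$DEMO_DIR/ca.crt" "$DEMO_DIR/crl.pem" "$DEMO_DIR/$name.crt")"
done
```

On a router the same three functions can be pointed at the real files: `crl_check` with the server's CA certificate, the uploaded crl.pem and the revoked client's certificate, and `crl_lists_serial` with the serial `cert_serial` reports for that client. If `crl_check` says rejected there while OpenVPN still accepts the client, the CRL is sound and the question moves to which configuration OpenVPN actually loads; `openssl crl -in crl.pem -noout -nextupdate` also shows when the CRL expires, after which OpenVPN rejects every client rather than letting revoked ones through.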