I am a long-term OpenWRT and OpenVPN user, but new to this forum. I’m using OpenVPN as a server on my OpenWRT router. A few days ago I set up a new CA using an external EasyRSA and created all necessary certificates for OpenVPN usage. I also thought about a possibility to prohibit VPN access if a device gets compromised or gets lost. As far as I know, a certificate revocation list comes into play to gain such functionality. Therefore, I created another OpenVPN client certificate for testing purposes only, set up an OpenVPN profile and tested that a connection can be established. Afterwards I revoked the certificate using EasyRSA and created a certificate revocation list. I uploaded the generated PEM file into my OpenWRT router’s /etc/openvpn directory, verified file access rights and added option crl-verify ‘/etc/openvpn/crl.pem’ to my OpenVPN configuration. After restarting OpenVPN, I expected my router to ban client access using the formerly revoked test certificate, but that wasn’t the case - a connection was still possible and functioning properly. After many tests I am of the opinion that my OpenVPN server completely ignores the crl-verify parameter in its config file, because I can enter invalid paths, filenames and even a wrong parameter name, and OpenVPN doesn’t complain about it during startup or operation, not even when using verbose ‘9’.
I didn’t find any corresponding help in my many Google searches, so I decided to describe my CRL-related problem here hoping to get some help. Does anyone operate OpenVPN on OpenWRT using a CRL, and does anyone encounter the same phenomenon, namely that OpenVPN seems to ignore the parameter? It’s also possible that I misunderstood something.
Thank you for your quick response. I verified file access rights again, no change in OpenVPN’s behaviour. Then I followed the steps for inline notation, everything worked well, but again no change. OpenVPN doesn’t even mention the strings ‘crl’ or ‘verify’ in its log using verbose 9. There is only one VERIFY string in OpenVPN’s log, saying VERIFY OK: depth=0, CN=… It seems it’s completely ignoring this parameter.
OpenWRT version is 19.7.04 and OpenVPN version is 2.4.7.
You're adding it directly to your openvpn.conf or are you using UCI?
I'm pretty sure the OpenVPN init script rebuilds the OpenVPN conf file and may be torching your config?
I tried both ways, no change. My OpenVPN config file is /etc/config/openvpn, as it was initially allocated and placed during OpenVPN installation via opkg install.
Oh, I see what you mean, I think. Do you possibly mean /tmp/etc/openvpn-ovpn-server-....conf? There is no crl-verify or a similar parameter mentioned; every other parameter is included correctly.
Success, your hint worked! I used ‘crl-verify’ in the config file, which didn’t work (but OpenVPN didn’t complain about it). Using ‘crl_verify’ changed its behaviour: it was recognized by OpenVPN and now my test connection using the revoked certificate is rejected. THANK YOU very much!
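The mechanism the thread arrives at is that OpenWRT's UCI-driven init script regenerates the real OpenVPN config under /tmp/etc/ from /etc/config/openvpn, and only recognises option names in UCI spelling (underscores), which it turns into OpenVPN directives (hyphens). The script below is an added example, not code from the thread or from OpenWRT: it mimics that translation on a constructed UCI fragment and then checks the generated file for a crl-verify directive, which is the check a defender would run after enabling a CRL. The converter is an approximation of the init script's behaviour, and the UCI section name `myvpn` and the file paths are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWRT's own init script).
# Approximates how /etc/config/openvpn options become OpenVPN directives
# (underscore -> hyphen), then verifies the generated config carries crl-verify.

# Constructed UCI fragment, as one would write it in /etc/config/openvpn.
# Note the underscore: 'crl_verify', not 'crl-verify'.
UCI_SAMPLE="config openvpn 'myvpn'
	option enabled '1'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option crl_verify '/etc/openvpn/crl.pem'
"

# uci_to_ovpn: read UCI "option NAME 'VALUE'" lines on stdin and emit
# "name value" OpenVPN directives with underscores replaced by hyphens.
# This is an approximation of the real init script, kept deliberately small.
uci_to_ovpn() {
    sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}\([A-Za-z0-9_]*\)[[:space:]]\{1,\}'\{0,1\}\([^']*\)'\{0,1\}.*/\1 \2/p" |
    awk '{ gsub("_", "-", $1); print }'
}

# has_crl_verify FILE: succeed (0) if FILE contains a crl-verify directive and
# print the CRL path it points at; fail (1) otherwise. Run this against the
# generated /tmp/etc/openvpn-*.conf after 'service openvpn restart' to confirm
# the CRL actually reached OpenVPN instead of being silently dropped.
has_crl_verify() {
    f="$1"
    path=$(awk '$1 == "crl-verify" { print $2; exit }' "$f")
    if [ -z "$path" ]; then
        echo "no crl-verify directive in $f: revoked certificates will NOT be rejected" >&2
        return 1
    fi
    echo "crl-verify -> $path"
    if [ ! -r "$path" ]; then
        echo "warning: $path is not readable; OpenVPN needs read access to the CRL" >&2
    fi
    return 0
}

# Demo: render the constructed UCI fragment and check the result.
generated=$(mktemp)
printf '%s' "$UCI_SAMPLE" | uci_to_ovpn > "$generated"
echo "--- generated directives ---"
cat "$generated"
echo "--- check ---"
has_crl_verify "$generated"
rm -f "$generated"
```

On the router itself the same check is `has_crl_verify /tmp/etc/openvpn-myvpn.conf` after a restart; if it fails, the option was most likely written with a hyphen in /etc/config/openvpn and never translated. To confirm the CRL file contains the revoked test certificate, `openssl crl -in /etc/openvpn/crl.pem -noout -text` lists the revoked serial numbers and the CRL's next-update date; a CRL past its next-update date is also a reason for OpenVPN to reject connections, so regenerating it periodically belongs in the same procedure.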