OpenVPN server seems to ignore crl-verify parameter

Hello,

I am a long-term OpenWRT and OpenVPN user, but new to this forum. I’m using OpenVPN as a server on my OpenWRT router. A few days ago I set up a new CA using an external EasyRSA and created all necessary certificates for OpenVPN usage. I also thought about a possibility to prohibit VPN access if a device gets compromised or gets lost. As far as I know, a certificate revocation list comes into play to gain such functionality. Therefore, I created another OpenVPN client certificate for testing purposes only, set up an OpenVPN profile and tested that a connection can be established. Afterwards I revoked the certificate using EasyRSA and created a certificate revocation list. I uploaded the generated PEM file into my OpenWRT router's /etc/openvpn directory, verified file access rights and added option crl-verify ‘/etc/openvpn/crl.pem’ to my OpenVPN configuration. After restarting OpenVPN, I expected my router to ban client access using the formerly revoked test certificate, but that wasn’t the case - a connection was still possible and functioning properly. After many tests I am of the opinion that my OpenVPN server completely ignores the crl-verify parameter in its config file, because I can enter invalid paths, filenames and even a wrong parameter name, and OpenVPN doesn’t complain about it during startup or operation, not even when using verbose ‘9’.

I didn’t find any corresponding help in my many Google searches, so I decided to describe my CRL-related problem here hoping to get some help. Does anyone operate OpenVPN on OpenWRT using a CRL, and does anyone encounter the same phenomenon, namely that OpenVPN seems to ignore the parameter? It’s also possible that I understood things wrong.

Thank you and regards


Make sure that permissions on the parent directory and CRL file allow the OpenVPN process to access it, or use the inline notation:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#multi-client

By the way, it works for me:


Hello,

thank you for your quick response. I verified file access rights again, no change in OpenVPN's behaviour. Then I followed the steps for inline notation, everything worked well, but again no change. OpenVPN doesn’t even mention the strings ‘crl’ or ‘verify’ in its log using verbose 9. There is only one VERIFY string in OpenVPN’s log, saying VERIFY OK: depth=0, CN=… It seems it’s completely ignoring this parameter.
OpenWRT version is 19.7.04 and OpenVPN version is 2.4.7.

Regards


You're adding it directly to your openvpn.conf or are you using UCI?
I'm pretty sure the OpenVPN init script rebuilds the OpenVPN conf file and may be torching your config?


Hello,

I tried both ways, no change. My OpenVPN config file is /etc/config/openvpn, as it was initially allocated and placed during OpenVPN installation via opkg install.
Oh, I see what you mean, I think. Do you possibly mean /tmp/etc/openvpn-ovpn-server-....conf? There is no crl-verify or a similar parameter mentioned; every other parameter is included correctly.

Regards

The syntax for OpenVPN native configs and UCI configs differs.
Be sure to use the proper option name:

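A small post-restart check for the situation described in this thread, added here as an example and not code from the thread or from the OpenWrt project. It assumes the OpenWrt openvpn init script renders the UCI file /etc/config/openvpn (underscore names such as crl_verify) into /tmp/etc/openvpn-<instance>.conf (native names such as crl-verify) by rewriting underscores to dashes, and that an option whose name is not a valid UCI identifier is silently dropped from the rendered file; the instance name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project.
# Assumption: the init script rewrites UCI option names (crl_verify) to
# native OpenVPN names (crl-verify) and drops anything that is not a valid
# UCI name, which is why a dash-spelled option vanished without a warning.

# UCI option names may contain only letters, digits and underscores:
# 'crl-verify' fails this check, 'crl_verify' passes.
uci_name_ok() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Model of the UCI -> native rewrite (assumed behaviour, see header).
uci_to_native() {
  printf '%s\n' "$1" | tr '_' '-'
}

# Verify that the rendered config OpenVPN actually reads carries a usable
# crl-verify line. Returns 0 on success, 1 if the option is absent,
# 2 if it is present but the CRL file is not readable by this process.
check_crl_verify() {
  conf="$1"
  crl=$(sed -n 's/^crl-verify[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
  [ -n "$crl" ] || return 1
  crl=${crl#\'}; crl=${crl%\'}      # tolerate a single-quoted path
  [ -r "$crl" ] || return 2
  return 0
}

# Usage on the router after `/etc/init.d/openvpn restart`
# (replace <instance> with the real instance name):
#   check_crl_verify /tmp/etc/openvpn-<instance>.conf && echo "CRL enforced"
```

Run it as the user the OpenVPN process runs as, otherwise the readability check in step 2 does not reflect what the daemon sees.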

Hello,

success, your hint worked! I used ‘crl-verify’ in the config file, which didn’t work (but OpenVPN didn’t complain about it). Using ‘crl_verify’ changed its behaviour: it was recognized by OpenVPN and now my test connection using the revoked certificate is rejected. THANK YOU very much!

Best regards


Been caught by the syntax change myself. :upside_down_face:
