OpenVPN and crl-verify option

marcinkk
Posts: 15
Joined: Sun Mar 05, 2017 5:09 pm

OpenVPN and crl-verify option

Post by marcinkk »

Hello,

The case concerns: Gargoyle 1.14 and OpenVPN

If I understood correctly what happened, it works like this:

I remove one of the OpenVPN clients which causes two lines to be added to /etc/config/openvpn:

    option tls_verify '/usr/lib/gargoyle/ovpn-cn-check.sh /etc/openvpn/verified-userlist'
    option crl_verify '/etc/openvpn/crl.pem'

Then after restarting the OpenVPN server, the following lines are added to the /etc/openvpn/server.conf file:

    crl-verify /etc/openvpn/crl.pem
    tls-verify "/usr/lib/gargoyle/ovpn-cn-check.sh /etc/openvpn/verified-userlist"

And everything works fine, except that I came across a problem of this type: from one day to the next all my clients stopped connecting and the active connection stopped working. It turned out that the reason was an outdated file /etc/openvpn/crl.pem. The solution was to log into the router and add and remove the client, which renewed the crl.pem file:

    Last Update: Feb 15 21:56:58 2025 GMT
    Next Update: Aug 14 21:56:58 2025 GMT

And finally I get to the heart of the problem:

If the server has been running for over half a year and there was no need to add clients, the crl.pem file becomes outdated from one day to the next and it is impossible to connect to the server.

The solution is probably to log into the router to add and remove the client from time to time (let's say every 4 months), but maybe this renewal of the crl.pem file can be organized somehow in cron?

Best regards,
Marcin

Lantis
Moderator
Posts: 7063
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: OpenVPN and crl-verify option

Post by Lantis »

You are 100% correct.
I also ran into this, and implemented a back-end function to fix it a few months ago.
https://github.com/ericpaulbishop/gargo ... 46c06fb5be

I have not yet built a front end button to trigger it. It’s coming!
Thanks for posting the workaround in the meantime.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

marcinkk
Posts: 15
Joined: Sun Mar 05, 2017 5:09 pm

Re: OpenVPN and crl-verify option

Post by marcinkk »

Thanks for the fix.

I applied it to my openvpn.sh and added the following to crontab:

    30 5 1 1,3,5,7,9,11 * . /usr/lib/gargoyle/openvpn.sh && generate_crl

Looks like it works :)

Lantis
Moderator
Posts: 7063
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: OpenVPN and crl-verify option

Post by Lantis »

Just double check whether you might also need to do an OpenVPN restart to read the new file? I’m not sure.
It will momentarily boot any connected clients, so early in the morning (as you currently have it) is a good choice.
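A portable expiry check for the crl.pem discussed in this thread, as an added example that is neither Gargoyle's code nor anything the posters wrote. It assumes the /etc/openvpn/crl.pem path from the posts and needs only openssl, awk and `date +%s`, so it also runs on a BusyBox router where `date -d` cannot parse openssl's date format; run from cron ahead of the renewal job, it reports how many days of validity remain before all clients would be rejected. The function names (openssl_date_to_epoch, seconds_until, check_crl) are my own.

```shell
#!/bin/sh
# Added example (not Gargoyle's code): check how long /etc/openvpn/crl.pem
# remains valid. Works on BusyBox because date arithmetic is done in awk.

# Convert an openssl date string such as "Aug 14 21:56:58 2025 GMT"
# (the format printed by "openssl crl -nextupdate") to a Unix epoch.
openssl_date_to_epoch() {
    echo "$1" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) if (m[i] == $1) mon = i
        day = $2; split($3, t, ":"); year = $4
        # days-from-civil (proleptic Gregorian): days since 1970-01-01
        y = year; if (mon <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (mon + (mon > 2 ? -3 : 9)) + 2) / 5) + day - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        printf "%d\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# Seconds from $2 (epoch, default: now) until the openssl-formatted date $1.
# A negative result means that moment has already passed.
seconds_until() {
    echo $(( $(openssl_date_to_epoch "$1") - ${2:-$(date +%s)} ))
}

# Report days of validity left in the CRL $1; fail when fewer than $2
# (default 30) remain, which is when a cron job should trigger renewal.
# An expired CRL makes OpenVPN (crl-verify) reject every client, as in
# the thread, so warn well before nextUpdate.
check_crl() {
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    days=$(( $(seconds_until "$next") / 86400 ))
    if [ "$days" -lt "${2:-30}" ]; then
        echo "WARNING: $1 has $days day(s) left (nextUpdate=$next)" >&2
        return 1
    fi
    echo "$1 OK: $days day(s) left"
}

# Usage on the router (hypothetical cron line, renew + restart when needed):
#   check_crl /etc/openvpn/crl.pem 30 || echo "renew the CRL now"
```

The two dates from the post are exactly 180 days apart, so with the first as "now" the second yields 15552000 seconds, matching the six-month CRL lifetime that caught the poster out.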