Netgate Discussion Forum
    Openvpn allowing connection from deleted cert and user

    OpenVPN (4 posts, 3 posters)
    salamander99

      Hi,

      I'm testing pfSense & OpenVPN. Created a test user (System / User Manager), created a cert and exported the config to OpenVPN Connect.

      I find that specifying a certificate revocation list in the OpenVPN server config prevents any client from connecting (even with an empty revocation list) (problem 1), so I need to make sure that I can deny clients when necessary.

      To do this, I deleted the user (in User Manager) and deleted their certificate in Cert Manager.

      At this point, you'd expect that user to be unable to connect via the VPN, but they can (problem 2).

      The only clue I've found is an nginx log entry when deleting the user:

      php-fpm 368 Local User Database: Successfully deleted user: vp_test
      nginx 2023/01/05 11:27:25 [crit] 20044#100593: *578 SSL_write() failed (13: Permission denied) while processing HTTP/2 connection, client: 192.168.104.2, server: 0.0.0.0:443

      pfSense version
      2.6.0-RELEASE (amd64)
      built on Mon Jan 31 19:57:53 UTC 2022
      FreeBSD 12.3-STABLE

      Hardware
      Intel(R) Celeron(R) J4125 CPU @ 2.00GHz
      Current: 2000 MHz, Max: 2001 MHz
      4 CPUs: 1 package(s) x 4 core(s)
      AES-NI CPU Crypto: Yes (active)
      QAT Crypto: No

      This seems like a pretty serious flaw - any pointers or help appreciated.

      Thanks

      viragomann @salamander99

        @salamander99
        None of these issues is normal.
        Post your OpenVPN server settings, please.

        jimp (Rebel Alliance Developer, Netgate)

          Deleting a certificate does not make it invalid, that's what a CRL is for. You have to revoke the certificate. Certificates are valid against a CA until they expire or are revoked (and checked against a specific CRL containing that revocation data).

          If a CRL prevents users from connecting you have configured something improperly, or may be hitting a bug such as https://redmine.pfsense.org/issues/13424. An empty CRL works OK so long as it's from the correct CA and isn't expired.

          You can install the System Patches package and then apply that CRL fix from the recommended patches list, then create a new CRL and see if that works.

          salamander99 @jimp
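          The checks behind jimp's reply, as an added example that is not part of this thread and not pfSense's or OpenVPN's own code: a throwaway CA and one client cert are generated with the openssl CLI (the file names, the "VPN CA"/"Other CA" subjects and the crl_status/cert_in_crl helper names are assumptions of this script; it needs only a working openssl binary), then three CRLs are validated against the right CA and against an unrelated CA: an empty CRL, a CRL issued after the cert was revoked, and a CRL whose nextUpdate has already passed. openssl verify -crl_check applies the same OpenSSL CRL validation that OpenVPN's crl-verify relies on, so the expired-CRL row reproduces the symptom from the first post.

```shell
#!/bin/sh
# Added example, not pfSense or OpenVPN code. Builds a throwaway CA and one
# client cert with the openssl CLI, then shows the three properties jimp's
# reply hinges on: a CRL is useful only if it is signed by the CA that issued
# the client certs, is not past its nextUpdate, and actually lists the serial.
# File and subject names below are local to this script (assumed, not from pfSense).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal "openssl ca" config, standing in for pfSense's CA/Cert Manager.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = vpn_ca
[ vpn_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# The VPN CA, an unrelated CA, and a client cert issued (and recorded) by the VPN CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=VPN CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
    -keyout other.key -out other.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=vp_test" \
    -keyout client.key -out client.csr 2>/dev/null
openssl ca -config ca.cnf -batch -notext -in client.csr -out client.crt 2>/dev/null

# crl_status CRL CA CERT -> ok | revoked | expired | wrong-ca | error
# Step 1 checks the CRL signature against the CA; step 2 runs the chain plus
# CRL validation (-crl_check) that refuses a client at the server.
crl_status() {
    crl=$1; ca=$2; cert=$3
    if ! openssl crl -in "$crl" -noout -CAfile "$ca" >/dev/null 2>&1; then
        echo wrong-ca
        return 0
    fi
    if out=$(openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" 2>&1); then
        echo ok
        return 0
    fi
    case "$out" in
        *"CRL has expired"*)     echo expired ;;
        *"certificate revoked"*) echo revoked ;;
        *)                       echo error ;;
    esac
}

# cert_in_crl CRL CERT -> exit 0 if the cert's serial is listed in the CRL.
cert_in_crl() {
    serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial"
}

# 1. Empty CRL from the right CA: valid, and it blocks nobody.
openssl ca -config ca.cnf -gencrl -out crl-empty.pem 2>/dev/null
# 2. Deleting the cert file changes nothing; only an explicit revocation
#    puts the serial into the next CRL.
openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl-revoked.pem 2>/dev/null
# 3. A CRL whose nextUpdate has already passed: every client is refused,
#    which is the symptom in the first post.
openssl ca -config ca.cnf -gencrl -crlsec 1 -out crl-expired.pem 2>/dev/null
sleep 2

for crl in crl-empty.pem crl-revoked.pem crl-expired.pem; do
    if cert_in_crl "$crl" client.crt; then listed=yes; else listed=no; fi
    printf '%-16s listed=%-3s right CA: %-8s wrong CA: %s\n' "$crl" "$listed" \
        "$(crl_status "$crl" ca.crt client.crt)" "$(crl_status "$crl" other.crt client.crt)"
done
```

          Run as-is it prints one row per CRL: the empty CRL passes against the right CA and is refused as wrong-ca against the other one; the CRL built after -revoke lists the serial and yields revoked; the expired CRL lists the serial too but yields expired before the serial is ever consulted, which is why a stale CRL locks out every client rather than just the revoked one. The same logic applies to a CRL exported from pfSense: check its issuer and nextUpdate with openssl crl -noout -issuer -nextupdate before blaming the server config.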

            Thanks @jimp - I found bug 13424 referenced at https://blog.nuvotex.de/pfsense-crl-has-expired/ and the patch fixed it.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.