Netgate Discussion Forum

Openvpn allowing connection from deleted cert and user

    salamander99, Jan 5, 2023, 12:00 PM

    Hi,

    I'm testing pfsense & openvpn. Created a test user (system / user manager), created a cert and exported the config to OpenVPN connect.

    I find that specifying a certificate revocation list in the OpenVPN server config prevents any client from connecting (even with an empty revocation list) (problem 1), so I need to make sure that I can deny clients when necessary.

    To do this, I deleted the user (in user manager) and deleted their certificate in cert manager.

    At this point, you'd expect that user to be unable to connect via the vpn but they can (problem 2).

    The only clue I've found is an nginx log entry when deleting the user -

    php-fpm 368 Local User Database: Successfully deleted user: vp_test
    nginx 2023/01/05 11:27:25 [crit] 20044#100593: *578 SSL_write() failed (13: Permission denied) while processing HTTP/2 connection, client: 192.168.104.2, server: 0.0.0.0:443

    pfSense version
    2.6.0-RELEASE (amd64)
    built on Mon Jan 31 19:57:53 UTC 2022
    FreeBSD 12.3-STABLE

    Hardware
    Intel(R) Celeron(R) J4125 CPU @ 2.00GHz
    Current: 2000 MHz, Max: 2001 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)
    QAT Crypto: No

    This seems like a pretty serious flaw - any pointers or help appreciated.

    Thanks

      viragomann @salamander99, Jan 5, 2023, 12:37 PM

      @salamander99
      None of these issues is normal.
      Post your OpenVPN server settings, please.

        jimp (Rebel Alliance Developer, Netgate), Jan 5, 2023, 1:20 PM

        Deleting a certificate does not make it invalid, that's what a CRL is for. You have to revoke the certificate. Certificates are valid against a CA until they expire or are revoked (and checked against a specific CRL containing that revocation data).

        If a CRL prevents users from connecting you have configured something improperly, or may be hitting a bug such as https://redmine.pfsense.org/issues/13424. An empty CRL works OK so long as it's from the correct CA and isn't expired.

        You can install the System Patches package and then apply that CRL fix from the recommended patches list, then create a new CRL and see if that works.

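        The three points above (deletion is not revocation, an empty CRL from the right CA still admits everyone, an expired CRL refuses everyone) can be reproduced with a scratch CA and the same CRL check OpenVPN performs. This is an added lab script, not pfSense or OpenVPN code; it assumes the openssl command line tool, and the CA name, user name "vp_test" and file paths are invented for the example.

```shell
#!/bin/sh
# Constructed lab, not pfSense code: a scratch CA standing in for the pfSense cert manager,
# a client cert for the invented user "vp_test", and the "openssl verify -crl_check" test.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir -p ca/newcerts; : > ca/index.txt; echo 01 > ca/serial; echo 01 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = lab
[ lab ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
q() { "$@" >/dev/null 2>&1; }   # run an openssl step quietly
q openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=lab-ca -keyout ca.key -out ca.crt
q openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -subj /CN=vp_test -keyout vp_test.key -out vp_test.csr
q openssl ca -config ca.cnf -batch -in vp_test.csr -out vp_test.crt
q openssl ca -config ca.cnf -gencrl -out empty.crl       # CRL with no entries, valid 30 days
rm ca/newcerts/*.pem                                     # "delete" the CA's stored copy of the cert
q openssl ca -config ca.cnf -revoke vp_test.crt          # revocation is what actually denies the user
q openssl ca -config ca.cnf -gencrl -out revoked.crl
# check CRL [extra openssl verify args]: test the client's own copy of its cert; prints accept/reject
check() {
  crl=$1; shift
  if openssl verify -crl_check -CAfile ca.crt -CRLfile "$crl" "$@" vp_test.crt 2>&1 | grep -q 'vp_test.crt: OK'
  then echo accept; else echo reject; fi
}
SIXTY_DAYS_ON=$(( $(date +%s) + 60 * 86400 ))
check empty.crl                           # accept: deleting the stored cert changes nothing
check empty.crl -attime "$SIXTY_DAYS_ON"  # reject: the CRL itself has expired, so every client is refused
check revoked.crl                         # reject: the revoked cert is denied
```

The second call is the failure mode from bug 13424 seen from the verifier's side: a CRL past its nextUpdate date fails the check for every client, not just the revoked ones.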
          salamander99 @jimp, Jan 5, 2023, 1:23 PM

          Thanks @jimp - I found bug 13424 referenced at https://blog.nuvotex.de/pfsense-crl-has-expired/ and the patch fixed it.
