User account



  • Hey guys, I would like to create an OpenVPN for a client with 5 VPN accounts, and I am wondering how I can disable one or another if an employee leaves the company in the future?

    Is there a way to deactivate an account?

    If not, what would be a good way to do it?





  • Thanks



  • I thanked you too quickly ;)

    I have not tried it and can't find where/how to enter this command in the pfSense web interface.

    Thanks again for the help!



  • You execute the revoke command on your CA.
    Then you copy/paste the CRL file into the CRL field on the config page.



  • First, I run Windows and Mac, and I have some questions to ask as I am not familiar with BSD/Linux.

    Can I do it directly on the pfSense box, and how?

    • If I want to configure pfSense for different customers, how would I be able to do the certificates for different boxes at different times? From what I have tested, it is always creating the certificate in the same folder.
      If I want to do another client box, what do I do with the first certificate, and how do I get back to it if, say, I want to create another client or, as you mention, revoke a certificate?

    I have also looked at this post, which seems easy, but I can't figure out how to recover the created files… :o
    Would it be easier to do it from the pfSense box itself?

    I hope I am not too difficult with my question, and I appreciate all the help this forum is providing!



  • So you never actually created key/certificate pairs for multiple clients?
    Unless you're that far, it's not much use to explain how to revoke a client.

    Read the howtos on http://openvpn.net/ on how to set up a CA and multiple clients.



  • I don't think I am explaining myself very well (sorry, English is not my primary language).

    I don't want to create different certificates on the same firewall, but on different machines for different clients.

    I am using WatchGuard and want to switch to pfSense for more options, but I am not too good at Linux/BSD…

    I am able to create and make functional an OpenVPN on pfSense, but it looks to be more complicated than my knowledge permits for more advanced options.

    I wish I could make this work for me (see below). It seems to be the fastest and least complicated route for me (and all other newbies).
    fetch -o - http://www.pfsense.com/~sullrich/tools/easyrsa.txt | /bin/sh

    This will populate /root/easyrsa4pfsense
    Afterwards the script will create /root/easyrsa4pfsense/keys/ca.crt, etc., mentioned in the OpenVPN doc wiki.
    If you would like to create additional client certificates simply do this:
    cd /root/easyrsa4pfsense
    ./build-key clientXXXX    # where XXXX is the client number

    How do I get the created certificate after the command is done? (It may seem simple to you but not to me.) ???

    My question was:
    In Windows, when I create a CR it is placed in the easy-rsa keys folder.
    If I need to create another one for another box, what do I do so as not to lose the first one if I need to go back and create another client or revoke one?

    Sorry again if I am not clear, and thank you if you can help!



  • You could access it via the "Diagnostics-->edit" file and ctrl-c/ctrl-v it out.
    But probably a better way would be "Diagnostics-->Command Prompt" and just download the file directly.

    My question was:
    In Windows, when I create a CR it is placed in the easy-rsa keys folder.
    If I need to create another one for another box, what do I do so as not to lose the first one if I need to go back and create another client or revoke one?

    You really should read the howtos on http://openVPN.net
    If you create a new key/certificate pair you don't lose the already created pairs.
    And if you revoke one pair you won't lose all the others.

    Or are you talking about running multiple CAs on a single machine?



  • Try drawing a diagram of how you want it to be set up, then we might understand it better, but I'm no Linux/BSD hawk but still managed to set it up. With different user accounts, you don't need to create the .ca's in the pfSense box; you can create them on a different one as long as ALL of your .ca's are created on the same computer (no exception).

