User account
-
Hey guys, I would like to create an OpenVPN for a client with 5 VPN accounts, and I am wondering how I disable one or another if an employee leaves the company in the future?
Is there a way to deactivate an account?
If not, what would be a good way to do it?
-
http://openvpn.net/howto.html#revoke
-
Thanks
-
I thanked you too quickly ;)
I have not tried it and can't find where/how to enter this command in the pfSense web interface.
Thanks again for the help!
-
You execute the revoke command on your CA.
Then you copy/paste the crl-file into the crl-field on the config-page.
-
First, I run Windows and Mac and I have some questions to ask as I am not familiar with BSD/Linux.
Can I do it directly on the pfSense box, and how?
- If I want to configure pfSense for different customers, how would I be able to do the certificates for different boxes at different times? From what I have tested, it is always creating the certificate in the same folder.
If I want to do another client box, what do I do with the first certificate, and how do I get back to it if, say, I want to create another client or, as you mention, revoke a certificate?
I have also looked at this post, which seems easy, but I can't figure out how to recover the created files… :o
Would it be easier to do it from the pfSense box itself?
I hope I am not too difficult with my questions, and I appreciate all the help this forum is providing!
-
So you never actually created key/certificate pairs for multiple clients?
Unless you're so far, it's not much use to explain how to revoke a client.
Read the howtos on http://openvpn.net/ on how to set up a CA and multiple clients.
-
I don't think I am explaining myself very well (sorry, English is not my primary language).
I don't want to create different certificates on the same firewall but on different machines for different clients.
I am using WatchGuard and want to switch to pfSense for more options, but I am not too good at Linux/BSD…
I am able to create and make functional an OpenVPN on pfSense, but it looks to be more complicated than my knowledge permits for more advanced options.
I wish I could make this work for me (see below). It seems to be the fastest and least complicated route for me (and all other newbies).
fetch -o - http://www.pfsense.com/~sullrich/tools/easyrsa.txt | /bin/sh
This will populate /root/easyrsa4pfsense
Afterwards the script will create /root/easyrsa4pfsense/keys/ca.crt , etc mentioned in the openvpn doc wiki.
If you would like to create additional client certificates simply do this:
cd /root/easyrsa4pfsense
./build-key clientXXXX # where XXXX is the client number
How do I get the created certificate after the command is done? (May seem simple to you but not to me) ???
My question was:
In Windows, when I create a CR it is placed in the easy-rsa keys folder.
If I need to create another one for another box, what do I do so as not to lose the first one if I need to go back and create another client or revoke one?
Sorry again if I am not clear, and thank you if you can help!
-
You could access it via the "Diagnostics-->edit" file and ctrl-c/ctrl-v it out.
But probably a better way would be "Diagnostics-->Command Prompt" and just download the file directly.
My question was:
In Windows, when I create a CR it is placed in the easy-rsa keys folder.
If I need to create another one for another box, what do I do so as not to lose the first one if I need to go back and create another client or revoke one?
You really should read the howtos on http://openVPN.net
If you create a new key/certificate pair you don't lose the already created pairs.
And if you revoke one pair you won't lose all the others.
Or are you talking about running multiple CAs on a single machine?
-
Try drawing a diagram of how you want it to be set up, then we might understand it better. I'm no Linux/BSD hawk but still managed to set it up with different user accounts. You don't need to create the .ca's on the pfSense box; you can create them on a different one as long as ALL of your .ca's are created on the same computer (no exception).
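-
Added example (not part of the thread, and not the easy-rsa or pfSense scripts): the lifecycle the replies describe, reproduced with plain `openssl` so it can be run on any machine. It keeps one CA per directory, issues client certificates, revokes one and regenerates `crl.pem`, the file whose contents go into the server's CRL field; the function names, `demo-ca` and the 30-day lifetimes are constructed for the illustration.

```shell
#!/bin/sh
# Added example: throwaway CA driven by plain openssl (all names constructed).
# One directory holds one CA, so each customer gets its own directory.
new_ca() {   # new_ca DIR
  d=$1; mkdir -p "$d/newcerts"; : > "$d/index.txt"
  echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
unique_subject = no
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
    -subj "/CN=demo-ca" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
}
issue() {    # issue DIR NAME -> DIR/NAME.key and DIR/NAME.crt
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" \
    -out "$1/$2.crt" 2>/dev/null
}
revoke() {   # revoke DIR NAME: mark the cert revoked, rewrite DIR/crl.pem
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
check() {    # check DIR NAME: prints "valid" or "rejected"
  if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" \
      "$1/$2.crt" >/dev/null 2>&1; then echo valid; else echo rejected; fi
}
```

Issuing another client later, or revoking one, only works from the same directory, because `index.txt` and `ca.key` there are the CA's state. Back that directory up per customer.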