OpenVPN: revoking and adding users (3)
Adding a user: if this is not the first time you create a user, you only need to source ./vars
[root@node 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys
[root@node 2.0]# ./build-key mark
Generating a 1024 bit RSA private key
If you have not closed that terminal session, adding another user only takes ./build-key username
Revoking a certificate:
[root@node 2.0]# ./revoke-full mark
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
mark.crt: C = CN, ST = shanghai, L = Shanghai, O = Fort-Funston, CN = mark, emailAddress = usertzc@163.com
error 23 at 0 depth lookup:certificate revoked
[root@node 2.0]#
Once the revocation completes, crl.pem is generated (the "error 23 ... certificate revoked" line above is expected: revoke-full verifies mark.crt against the new CRL and confirms that it is now rejected)
[root@node keys]# cat crl.pem
Viewing which certificates have been revoked (status R):
[root@node keys]# cat index.txt
V	260308144601Z		01	unknown	/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=server/emailAddress=usertzc@163.com
V	260308145051Z		02	unknown	/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
R	260311112004Z	160313112045Z	03	unknown	/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=mark/emailAddress=usertzc@163.com
[root@node keys]#
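As an added example (not part of the original post), a small Python parser for the easy-rsa index.txt format shown above: each tab-separated line carries status (V/R/E), expiry, revocation time (empty unless revoked), serial, certificate filename and subject DN. The sample data is constructed to mirror the three entries on this page; the function and class names are mine.

```python
"""Parse an easy-rsa 2.0 index.txt (the OpenSSL CA database) and report
which users are revoked, i.e. which serials crl.pem has to list."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample mirroring the page: status, expiry, revocation date
# (empty while valid), serial, cert filename ("unknown" in easy-rsa 2.0), DN.
SAMPLE_INDEX = (
    "V\t260308144601Z\t\t01\tunknown\t/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=server/emailAddress=usertzc@163.com\n"
    "V\t260308145051Z\t\t02\tunknown\t/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com\n"
    "R\t260311112004Z\t160313112045Z\t03\tunknown\t/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=mark/emailAddress=usertzc@163.com\n"
)


@dataclass
class IndexEntry:
    status: str                    # "V" valid, "R" revoked, "E" expired
    expires: datetime
    revoked_at: Optional[datetime]  # None unless status is "R"
    serial: str                    # hex serial, as it appears in the CRL
    cn: str


def _parse_time(value: str) -> datetime:
    # OpenSSL writes UTCTime: YYMMDDHHMMSSZ (two-digit year)
    return datetime.strptime(value, "%y%m%d%H%M%SZ")


def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revocation, serial, _filename, dn = fields
        cn = next((p[3:] for p in dn.split("/") if p.startswith("CN=")), "")
        entries.append(IndexEntry(status, _parse_time(expiry),
                                  _parse_time(revocation) if revocation else None,
                                  serial, cn))
    return entries


def revoked_serials(text: str) -> Dict[str, str]:
    """CN -> serial for every revoked entry; these serials must be in crl.pem."""
    return {e.cn: e.serial for e in parse_index(text) if e.status == "R"}


def is_revoked(text: str, cn: str) -> bool:
    return cn in revoked_serials(text)


if __name__ == "__main__":
    for cn, serial in revoked_serials(SAMPLE_INDEX).items():
        print(f"{cn}: serial {serial} revoked")
```

Run it against the real /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/index.txt to list who should be blocked after the crl-verify line below is in place.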
Then add the following line to the server config: vim server.conf
crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/crl.pem
Of course, you can also do it like this:
crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/*.pem
Every file under keys ending in .pem is then used, and all of the users listed in them are kicked offline
After the change, reload or restart openvpn
/etc/init.d/openvpn reload
/etc/init.d/openvpn restart
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Concretely:
cp keys/crl.pem /etc/openvpn/keys/
echo 'crl-verify /etc/openvpn/keys/crl.pem' >>/etc/openvpn/server.conf
tail -2 /etc/openvpn/server.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Restart the vpn service
/etc/init.d/openvpn restart
After the restart, the revoked user's client icon no longer turns green, i.e. that user can no longer connect
If you do not restart or reload, you only need to merge the backed-up pem file into the file generated after the revocation:
[root@node keys]# cp crl.pem /tmp/crl.pem.1
[root@node 2.0]# ./revoke-full mark1
[root@node keys]# cat /tmp/crl.pem.1 >> crl.pem
To cancel a revocation, comment out crl-verify /etc/openvpn/keys/crl.pem and restart the service. If you need to cancel revocations per user, then each time you revoke a user, store the pem file produced by that revocation in its own directory and add several lines to the config file, one per user, for example:
1. ./revoke-full mark
   produces a pem file
2. Create a directory named after the revoked user and copy the pem into it
   mkdir /etc/openvpn/keys/mark
   cp /etc/openvpn/keys/crl.pem ./mark
3. Define it in the config file: vim server.conf
   crl-verify /etc/openvpn/keys/mark/crl.pem