Wednesday, October 23, 2013

Revoke/Unrevoke a client certificate in OpenVPN

Source: http://blog.abhijeetr.com/2012/06/revokeunrevoke-client-certificate-in.html

REVOKING

To revoke a client's access, the first method is to use the Certificate Revocation List (CRL). In the easy_rsa directory, execute the following (where cname is the common name of the client you want to disable):

# source ./vars
# ./revoke-full cname

Then move the crl.pem file created in the keys folder to the /etc/openvpn/ folder. Finally, edit server.conf and add the following line.

crl-verify crl.pem

The above file is append-only and is re-read every time a client connects to the server, so there is no need to restart the server the next time you overwrite it.


UNREVOKING

Now coming to the un-revoking part, I tried asking the above question on serverfault and came to know that un-revoking a certificate should generally not be done.

But if you still want to do it, I will quote the guy:
in your CA folder, there should be an index.txt, with certificate IDs in it. The ones starting with "V" are valid, and ones with "R" are revoked. You can edit that file, and fix the first char to "V", and delete the third column (the revocation date). If you have more than one certificate, you should see the pattern (sequential number comes in the third column now, etc).
Then you just need to regenerate the CRL again, and it should work.

To regenerate the CRL, execute the following two commands in the easy_rsa directory:

source ./vars
openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
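
The edit the quoted answer describes, as an added example that is not part of the original post or of easy-rsa: a small Python script that parses the tab-separated index.txt that openssl ca maintains (status, expiry, revocation date with an optional ",reason" suffix, serial, filename, subject), lists which common names are currently revoked, and flips exactly one revoked entry back to "V" while emptying its revocation-date field (the column stays present, so the file keeps its six fields). The sample index contents are constructed. After writing the result back to index.txt you still run the openssl ca -gencrl command above and copy the new crl.pem into place.

```python
# Added example (not from the original post): parse an OpenSSL CA index.txt
# as described in the quoted answer, audit its revoked entries, and apply the
# "unrevoke" edit (status R -> V, revocation-date field cleared) to exactly one
# entry, refusing ambiguous or malformed input.
import re
from dataclasses import dataclass
from typing import List

VALID_STATUSES = ("V", "R", "E")
STAMP_RE = re.compile(r"^\d{12}Z$")  # YYMMDDHHMMSSZ, the stamp format openssl ca writes
FIELD_COUNT = 6  # status, expiry, revocation date[,reason], serial, filename, subject

# Constructed sample index.txt (tab separated, as openssl ca writes it)
SAMPLE_INDEX = (
    "V\t250101000000Z\t\t01\tunknown\t/C=PH/O=Example/CN=server\n"
    "R\t250101000000Z\t130601093000Z\t02\tunknown\t/C=PH/O=Example/CN=alice\n"
    "V\t250101000000Z\t\t03\tunknown\t/C=PH/O=Example/CN=bob\n"
    "R\t250101000000Z\t130901120000Z,keyCompromise\t04\tunknown\t/C=PH/O=Example/CN=carol\n"
)


@dataclass
class Entry:
    status: str
    expiry: str
    revoked: str   # empty unless status is R; may carry a ",<reason>" suffix
    serial: str
    filename: str
    subject: str

    def to_line(self) -> str:
        return "\t".join([self.status, self.expiry, self.revoked,
                          self.serial, self.filename, self.subject])

    def common_name(self) -> str:
        m = re.search(r"/CN=([^/]*)", self.subject)
        return m.group(1) if m else ""


def parse_index(text: str) -> List[Entry]:
    """Parse index.txt, rejecting lines that do not look like openssl ca output."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != FIELD_COUNT:
            raise ValueError(f"line {lineno}: expected {FIELD_COUNT} tab-separated fields, got {len(parts)}")
        e = Entry(*parts)
        if e.status not in VALID_STATUSES:
            raise ValueError(f"line {lineno}: unknown status {e.status!r}")
        if not STAMP_RE.match(e.expiry):
            raise ValueError(f"line {lineno}: bad expiry stamp {e.expiry!r}")
        if e.status == "R":
            stamp = e.revoked.split(",", 1)[0]
            if not STAMP_RE.match(stamp):
                raise ValueError(f"line {lineno}: revoked entry without a revocation date")
        elif e.revoked:
            raise ValueError(f"line {lineno}: status {e.status} but a revocation date is present")
        entries.append(e)
    return entries


def revoked_common_names(text: str) -> List[str]:
    """Audit helper: common names whose certificates are currently revoked."""
    return [e.common_name() for e in parse_index(text) if e.status == "R"]


def unrevoke(text: str, cn: str) -> str:
    """Return a new index.txt with the revoked certificate for `cn` marked valid.

    Exactly one revoked entry must match; otherwise nothing is changed.
    The caller still has to regenerate the CRL with `openssl ca -gencrl`.
    """
    entries = parse_index(text)
    hits = [e for e in entries if e.status == "R" and e.common_name() == cn]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one revoked entry for CN={cn}, found {len(hits)}")
    hits[0].status = "V"
    hits[0].revoked = ""   # the field stays present but empty, keeping six columns
    return "".join(e.to_line() + "\n" for e in entries)


if __name__ == "__main__":
    print("revoked:", revoked_common_names(SAMPLE_INDEX))
    print(unrevoke(SAMPLE_INDEX, "alice"), end="")
```

The parser refuses a file that is not in the shape openssl ca writes, so a stray edit (a lost tab, a revoked entry without a date) is caught before the CRL is regenerated from it. Keep a copy of index.txt before writing the result back, and leave index.txt.attr and the serial file alone.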
If the revoke command fails, read this bug report:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/231199

Thursday, September 19, 2013

Update for my "IPTABLES for transparent Squid"

Ahoy! In my old post on TRANSPARENT SQUID there is a problem: HTTPS (port 443) traffic can get through, because Squid does not cache SSL. Try visiting https://www.google.com from my old configuration and you will see that it passes through.

Here I add this config to my previous post to block a certain IP range or a group of non-Internet users. Place the rules below the line "DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy".

# Sample of IP range to be blocked (clients that must not reach HTTPS sites directly)
# $ipt and $LAN are the variables defined in the earlier transparent-proxy script
$ipt -t nat -A PREROUTING -i $LAN -m iprange --src-range 192.168.1.200-192.168.1.250 -p tcp --dport 443 -j DNAT --to 192.168.1.1:3128
$ipt -A FORWARD -p tcp -i $LAN -m iprange --src-range 192.168.1.200-192.168.1.250 --dport 443 -j REJECT

After this, all HTTPS requests from the IP range declared above will be rejected.

Note that if an application needs an SSL connection but its user is in the blocked range, you will need to manually configure the proxy IP in that application on the client PC and add the URL it needs to the Squid access rules. This way the server is the one making the SSL connection through the proxy, and we can retain the transparent proxy configuration.
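
As an added example (not the post's own script), the two rules above wrapped in a POSIX sh function that validates the range before anything is applied, since a malformed --src-range makes iptables reject the rule and the HTTPS gap silently stays open. Variable names $ipt, $LAN and $SQUID_PORT follow the post; the interface eth1 and the proxy address 192.168.1.1 are assumed defaults to adjust.

```sh
#!/bin/sh
# Added example (not from the original post): build the iptables rules that
# reject direct HTTPS (port 443) for a client IP range behind a transparent
# Squid proxy, after checking that the range is well formed.
ipt=${ipt:-/sbin/iptables}
LAN=${LAN:-eth1}                    # assumption: LAN-facing interface
PROXY_IP=${PROXY_IP:-192.168.1.1}   # assumption: the Squid box, as in the post
SQUID_PORT=${SQUID_PORT:-3128}

# valid_ipv4 ADDR: succeeds if ADDR is a dotted quad with four octets in 0-255
valid_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int ADDR: dotted quad to integer, so range endpoints can be compared
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# https_block_rules START END: print the two rules for START-END in the order
# they must be applied (nat DNAT first, then the filter REJECT); fails on bad input
https_block_rules() {
    start=$1; end=$2
    valid_ipv4 "$start" && valid_ipv4 "$end" || { echo "bad IPv4 address in range" >&2; return 1; }
    [ "$(ip_to_int "$start")" -le "$(ip_to_int "$end")" ] || { echo "range start is after its end" >&2; return 1; }
    range="$start-$end"
    echo "$ipt -t nat -A PREROUTING -i $LAN -m iprange --src-range $range -p tcp --dport 443 -j DNAT --to $PROXY_IP:$SQUID_PORT"
    echo "$ipt -A FORWARD -p tcp -i $LAN -m iprange --src-range $range --dport 443 -j REJECT"
}

# Review the output first, then apply as root:
#   https_block_rules 192.168.1.200 192.168.1.250 | sh
```

The function only prints the commands, so the output can be inspected (or diffed against `iptables -S`) before it is piped to sh as root; anything that fails validation produces no rule at all rather than a half-applied block.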

Friday, April 12, 2013

Reset NIC in Win7

I posted this because sometimes the NIC/LAN card does not work out of the box. The problem I encountered is that Win7 says there is no Internet connection on the network, though everything is fine.
After a restart (disable and enable) of the NIC, the Internet starts working.

I would like to do this automatically, so I created a batch file and named it "lanreset.bat". Below are the contents...

@echo off
rem Disable and re-enable the adapter whose NetConnectionID is "LAN"
wmic path win32_networkadapter where NetConnectionID="LAN" call disable
wmic path win32_networkadapter where NetConnectionID="LAN" call enable


Just replace LAN (the quoted NetConnectionID) with the name of your NIC as shown in Network Connections.
Add it to the Task Scheduler to run at startup so that it executes automatically.
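
As an added example (not the post's own script), the same reset written for the PowerShell 2.0 that Windows 7 ships, against the same Win32_NetworkAdapter class, but only when a ping probe fails, so a scheduled run does not bounce a link that is already working. The adapter name "LAN" and the probe address 192.168.1.1 are assumptions to adjust.

```powershell
# Added example (not from the original post): reset the adapter named in
# $NicName only when a connectivity probe fails, and report what was done.
# Run elevated; Disable()/Enable() on Win32_NetworkAdapter need admin rights.
param(
    [string]$NicName = "LAN",           # NetConnectionID as shown in Network Connections
    [string]$ProbeHost = "192.168.1.1"  # assumption: the default gateway
)

$nic = @(Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetConnectionID='$NicName'")
if ($nic.Count -ne 1) {
    Write-Error "Expected exactly one adapter with NetConnectionID '$NicName', found $($nic.Count)"
    exit 1
}
$nic = $nic[0]

# Test-Connection -Quiet returns $true when at least one echo reply arrives
if (Test-Connection -ComputerName $ProbeHost -Count 2 -Quiet) {
    Write-Output "${NicName}: probe to $ProbeHost succeeded, no reset needed"
    exit 0
}

Write-Output "${NicName}: probe failed (NetConnectionStatus=$($nic.NetConnectionStatus)), resetting"
$rc = $nic.Disable().ReturnValue
if ($rc -ne 0) { Write-Error "Disable() failed with code $rc"; exit 1 }
Start-Sleep -Seconds 3
$rc = $nic.Enable().ReturnValue
if ($rc -ne 0) { Write-Error "Enable() failed with code $rc"; exit 1 }
Write-Output "${NicName}: reset complete"
```

Schedule it elevated at startup, for example with schtasks /Create /SC ONSTART /RU SYSTEM /TN LanReset /TR "powershell -ExecutionPolicy Bypass -File C:\scripts\lanreset.ps1" (the script path is a placeholder). Because the return codes of Disable() and Enable() are checked, a failed reset shows up as a non-zero task result in the scheduler history instead of passing silently.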