It would be great to add user revocation and CRL management to it.
Otherwise people will still be able to connect to the VPN.
The ovpn_revokeclient CLI tool is already in place.
I guess we just have to add a revoke-user script and CRL secret.
I think the only downside is you'll need to restart the openvpn server instance to reprocess the CRL list.
We also need to add the --crl-verify option to the server config.
Perhaps it would make sense to enable this by default?
Even if the file is empty, it will still allow connections.