Create a client-config-dir for your server by adding the client-config-dir /path/to/ccd/from/cert-manager
and and `ccd-exclusive' options to your openvpn-server configuration.
This will allow you to use the generated client config from the certificate manager in OpenVPN to assign static IPs and prevent logins from unauthenticated users - even if they have a valid certificate otherwise.
The configs should look like this:
ifconfig-push 172.16.1.10 255.255.255.0
ifconfig-ipv6-push fd2a:aef:608:1::1010/64
If you want these config to adhere to the rules laid out in the web interface, you will have to add the appropriate netfilter-rules though, for example:
iptables -A FORWARD -s 172.16.1.1/32 -i NAME_OF_YOUR_VPN_DEVICE -j ACCEPT
iptables -A FORWARD -s 172.16.1.0/29 -i NAME_OF_YOUR_VPN_DEVICE -j ACCEPT
iptables -A FORWARD -s 172.16.1.20/29 -d 172.16.1.0/24 -i NAME_OF_YOUR_VPN_DEVICE -j DROP
Also make sure that you have forwarding enabled:
sysctl -a | grep forward
If you want to use the experimental integration of the OpenVPN management interface, enable the interface by adding management 127.0.0.1 23000 pass.txt
to your OpenVPN-server configuration and add a file pass.txt
in the OpenVPN-root directory with a single line and no newline containing a password.
Configure the password and server settings in the certificate-manager via the app.config-VPN* variables.
You can put a Nginx config file containing maps here (or link to it).
map $ssl_client_s_dn $allow_group_main {
default "";
~CN=Sheppy true;
~CN=Kathi true;
}
map $ssl_client_s_dn $allow_group_ths {
default "";
~OU=THS true;
}
..to display information about permission in the /cert-info
location.
With this map you can set headers in Nginx to be used for authentication later. For example like this:
proxy_set_header X-Nginx-Cert-Auth $allow_group_main
.. and use them in other applications or also in Nginx itself to for example bypass basic auth:
map $http_x_nginx_cert_auth $basic_auth_val {
default "private";
true off;
}
location /auth/{
auth_basic $basic_auth_val;
auth_basic_user_file /etc/nginx/htpasswd;
}
For Nginx the CRL option is:
ssl_crl /path/to/crl/file.pem
For OpenVPN it is
crl-verify /path/to/crl/file.pem
Neither of these services need to be reloaded, but the CRL will only be checked for new connections. If you have configured the OpenVPN-Management integration the clients will automatically be disconnected if their certificate is revoked via the interface (but not if you revoke the certificate manually).