Scott's picture

Greetings all!

Quick question - regarding accounts in OpenVPN.

I know that when you want to disallow access for a user you can use the revoke option.

But, what if you want an existing user to get a new profile?

Or what if you want (for the sake of housecleaning) to remove a profile?

A situation may be that a user has left who had administrative access to other users' profiles, and we want to re-gen them for the other users.

Also, we have a number of old users that we would like to remove (not just revoke).


Jeremy Davis's picture

So TBH I'm probably not a lot of use to you...

Having said that, other than our helper scripts, under the hood it's a default OpenVPN Debian install. So from my quick googling, once you revoke the user keys, that actually deletes the keys.

I'm guessing from your question that even after the keys have been revoked (essentially removing the user's access) that there is still some sort of profile that remains. Assuming that you know where it is, perhaps it's as simple as just deleting the relevant files.

I guess if all else fails, you can always read the upstream docs!?

Personally, in similar situations, I'm a big fan of testing this sort of stuff using a VM. If you want to test with real world data, you could do a TKLBAM restore. In this case, you probably don't even need to do that.

I would be inclined to set up a clean OpenVPN VM, get it running then add a couple of users, check they work, then remove one (as I hint above) and see what happens. If it breaks stuff for the other user, then you know that's bad. If it all checks out, then you can redo it on your production server.

Jeremy Davis's picture

I just had a quick look at the code included in the OpenVPN appliance and it looks like, once you have revoked the cert, you can clean up the profile with this script: /var/www/openvpn/bin/delexpired
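
An added example, not part of the original thread or the appliance's own code: a dry-run check for the cleanup discussed above, listing profile files that still exist for certificates already marked revoked. It assumes the CA keeps an OpenSSL-style index.txt and that profiles are stored as <CN>.ovpn in a single directory; the paths, the file naming and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report leftover profile files for revoked certificates.
# Assumptions (hypothetical, adjust to your install): the CA database is an
# OpenSSL-style index.txt and each client profile is stored as <CN>.ovpn.

# Print the CN of every revoked ("R") entry in an OpenSSL CA index file.
# Tab-separated fields: status, expiry, revocation date, serial, file, subject.
revoked_cns() {
    awk -F'\t' '$1 == "R" {
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++)
            if (parts[i] ~ /^CN=/) print substr(parts[i], 4)
    }' "$1"
}

# Print profile files that still exist for revoked CNs. Deletes nothing.
stale_profiles() {
    index=$1
    dir=$2
    revoked_cns "$index" | while IFS= read -r cn; do
        if [ -f "$dir/$cn.ovpn" ]; then
            printf '%s\n' "$dir/$cn.ovpn"
        fi
    done
}

# Constructed sample data: bob is still valid, alice has been revoked,
# and both still have a profile file on disk.
demo() {
    tmp=$(mktemp -d)
    printf 'V\t330101000000Z\t\t01\tunknown\t/CN=bob\n' > "$tmp/index.txt"
    printf 'R\t330101000000Z\t240601000000Z\t02\tunknown\t/CN=alice\n' >> "$tmp/index.txt"
    touch "$tmp/alice.ovpn" "$tmp/bob.ovpn"
    stale_profiles "$tmp/index.txt" "$tmp"   # lists only alice's profile
    rm -rf "$tmp"
}
demo
```

Anything it lists belongs to a certificate that is already revoked, so removing the file is housekeeping; the revocation itself is what blocks access.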
