No1's picture

Dears

I'm total noob, I've running turnkey - it works, but I need to include in .ovpn also local DNS + local domain. I've tried to add manually to .ovpn

script-security 2                                                                                                       
dhcp-option DNS 192.168.1.1                                                                                          
dhcp-option DOMAIN my-domain.local

but ping to computername, or computername.my-domain.local doesn't work (Mac OS). Any help?

 

2) there is a command openvpn-addclient and also for revoke certificates. But during testing I've created a lot of users.... how to comepletely remove them? 

 

thanks Zdeněk

Forum: 
Tags: 
Jeremy Davis's picture

TBH, I'm not really clear on what you are trying to achieve?! Nor how you currently have things set up. Also, please note that I'm certainly no OpenVPN expert but I'll do my best to help out...

It's also worth noting that whilst we pre-configure OpenVPN and include some helper scripts (such as the add-client script) to ease the initial setup and config, TurnKey is based on Debian (v15.x = Debian 9/Stretch) and OpenVPN is provided via the default Debian OpenVPN package. So you might find the OpenVPN manual useful, as well as the OpenVPN wiki.

Regarding your first question, it might also be useful to post on the OpenVPN community forums for assistance with the intricacies of your specifically desired OpenVPN config (even though your questions are related to the client, you'll still want the Server section section; most likely, the Server Config subforum ).

With regards to your question re removing clients, if you wish to revoke the certificates, so that those clients can't be used, then the OpenVPN docs covers that.

The only other additional info you should need re our implmentation is that the "easy-rsa directory" is /etc/openvpn/easy-rsa.

To force that to be applied immediately (and not just next time a client connects) you'll also need to restart the OpenVPN server; like this:

service openvpn restart

I don't have one here in front of me, so there is a possibility that it's named something slightly differently. So if the above doesn't work or gives and error, please try using "tab complete" on the "openvpn" part of above (i.e. type "service openvpn" then hit the tab key to autocomplete it; you may need to hit tab twice).

So the summarise, please feel free to post back with a bit more info on your setup and exactly what you re trying to achieve and I'll do my best. However, it's probably worth posting over on the OpenVPN forums too (providing the same info; plus that the server is running Debian 9/Stretch using the default v2.4.0 Debian package). If you do open a thread there, please post a link here to so I can see how things go - and hopefully learn something... :)

No1's picture

Dear Jeremy

thanks for tying help. The idea is simple:
- via openvpn I'm trying to connect to Windows Domain (to Remote Desktop server). And I would like to connect to server via domain naime of computer insetad (server_name..domain) of IP. But the name is registred in local DNS of the windows domain. Thatś why I want to assign local DNS to OpenVPN connection.
+ network printers are installed with the name, not with their IP. So, via connection by OpenVPN they don't work, cause name is not recognized

The second question - I'm looking for way just to simply delete keys. Not to revoke, but completely remove. There is a command 
openvpn-addclient client-name client-email
but I can't find any command like
openvpn-delclient client-name

thanks

Zdeněk

Jeremy Davis's picture

Thanks for the extra info. TBH I'm not too sure about setting it up like your doing (I've only ever used it site-to-site or via "outgoing" gateway. I imagine that it would be fairly common requirement/desire though, so hopefully the OpenVPN experts (over on their forums) have some ideas. FWIW a quick google turned up this page which looks promising?! I didn't read it properly but on face value it seems that it needs to be set on the server, not in the client config.

Re removing keys, there isn't a openvpn-delclient script (only an addclient script). So long as the certificate has been revoked, they can't be used for anything, so shouldn't be an issue... They're small plain text files, so would be taking up negligible space.

If you're dead-set on deleting them, you could try searching for files named after the name that you used and delete them, but be careful that you don't delete something that breaks things! I suggest that rather than delete them, just rename them for now and if nothing bad has happened within a week or 2, then go back and delete them? To find all the openvpn files named TEST1, try using the find command like this:

find /etc/openvpn -type f -name "TEST1.*"

Then rename then using the mv command, e.g.:

mv /path/to/file /path/to/renamed.file

I hope that helps head in you in the right direction. If not, please feel free to post back and I'll have another go...

No1's picture

@ Jeremy

Thanks -lcoal DNS now works perfect. Great job

the rest I'll try soon

 

Thank you very much

Zdeněk

Jeremy Davis's picture

Great! Glad that worked. Thanks for posting back to confirm. :)

Good luck with the other bit too. Although as I say, so long as the certificates have been revoked, the client files you created cannot be used so won't cause any issue.

No1's picture

@ Jeremy

itś not about security issue. It's just about to clean the mess. During testing I've created some accounts and these I would like to delete. That's all

 

Thanks

Jeremy Davis's picture

I've just opened an issue on our issue tracker regarding your request/suggestion. I'm not sure when it might be included but it's a good idea I reckon, so I've added it so it doesn't get forgotten.

Add new comment