user revoke management
electrical opened this issue · 2 comments
It would be great to add user revocation and CRL management to it.
Otherwise people will still be able to connect to the VPN.
The ovpn_revokeclient CLI tool is already in place.
I guess we just have to add a revoke-user script and CRL secret.
I think the only downside is you'll need to restart the openvpn server instance to reprocess the CRL list.
We also need to add the --crl-verify option to the server config.
Perhaps it would make sense to enable this by default?
Even if the file is empty, it will still allow connections.
I think the script could also remove the pod and thus reprocess the CRL list. Or maybe there's an option to send it a signal to do the same thing?
Would you like to take a stab at creating a PR with such a script?
I think a rollout restart might be a bit cleaner.
Since I want to implement this for myself I'll try to make it in such a way I can contribute back.