
TomatoVPN - How to block a valid OpenVPN certificate?

Discussion in 'Tomato Firmware' started by aven9er, Jul 2, 2011.

  1. aven9er

    aven9er Networkin' Nut Member

    Hello Guys!

    I've got a serious problem!

    I'm using TomatoVPN 1.27 VPN 3.6 on my Linksys WRT-54GL router. (Interface type: TAP, with DHCP)
    I've generated many OpenVPN certificates. Most of them are valid for one year.

    One of my employees has disappeared with a business notebook. I have to block his every attempt to connect.
    How to do this?

    If you have any ideas, share please. I will be very grateful!
    Thank you in advance.

  2. roadkill

    roadkill Super Moderator Staff Member Member

    you should revoke that specific key from the CA, openvpn site should be able to assist you with it.
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

  4. aven9er

    aven9er Networkin' Nut Member

    Thank you for that link. OK, I have revoked a certificate:
    I've got a crl.pem file.

    How should I implement it in TomatoVPN firmware?
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You'll have to get that file available to the router somehow then add
    crl-verify /path/to/crl.pem
    to the VPN custom config.

    You have a few options to get the file available on the router:
    1. Enable JFFS on the router and scp it there
      • Looks like you're on Windows, so WinSCP is a common program to use for that
      • SCP works over SSH, so you'll have to have that enabled
    2. Place it on a Windows share on some other computer and set up CIFS on the router to get access to it
      • This has the downside of relying on this other computer
    3. Create this file in your init script by echoing the contents into a file
      • Can't remember if crl.pem is ASCII or not, so that may not be a good option

    Option 1 would be best, in my opinion.
  6. aven9er

    aven9er Networkin' Nut Member

    Yes, it is an ASCII file.
    I've noticed that this file can be deleted after restart of the router, so I decided to use option 3: make an init script and echo the contents into a file.

    It works perfectly. Thank you very much.
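The whole procedure the thread arrives at (revoke the cert at the CA, generate crl.pem, get the ASCII file onto the router from an init script, point `crl-verify` at it) as one added, runnable example. This is not from the thread or from the Tomato project; it builds a throwaway CA with plain `openssl` in a temporary directory, and the certificate names, the `$WORK/tmp/crl.pem` path standing in for the router's filesystem, and the `openvpn-custom.conf` snippet are all assumptions. Two things the thread does not spell out: a CRL carries its own nextUpdate (30 days in this config, the usual easy-rsa default), so it has to be regenerated and re-pushed before it lapses or CRL-aware verification fails outright; and every further revocation means a new crl.pem, which with the init-script approach means editing the script again.

```shell
#!/bin/sh
# Added example, not from the thread: revoke a client certificate, publish a
# CRL, install it the way a Tomato init script would (echo the ASCII text
# into a file), and check with openssl that the revoked cert is now rejected
# while an unrelated client still verifies. All paths/names are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/ca"
CRL_ON_ROUTER="$WORK/tmp/crl.pem"      # stands in for e.g. /jffs/crl.pem on the router

mkdir -p "$CADIR/newcerts" "$WORK/tmp"
: > "$CADIR/index.txt"                 # openssl ca's certificate database
echo 01 > "$CADIR/serial"

# Minimal openssl.cnf; default_crl_days = 30 mirrors the easy-rsa default.
cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca         = tomato_ca
[ tomato_ca ]
dir                = $CADIR
database           = $CADIR/index.txt
new_certs_dir      = $CADIR/newcerts
certificate        = $CADIR/ca.crt
private_key        = $CADIR/ca.key
serial             = $CADIR/serial
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:true
keyUsage           = critical, keyCertSign, cRLSign
EOF

# CA key and self-signed CA certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=TomatoVPN-CA" \
    -config "$CADIR/openssl.cnf" -extensions v3_ca \
    -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null

issue_client() {   # $1 = common name; leaves $CADIR/$1.crt signed by the CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -config "$CADIR/openssl.cnf" \
        -keyout "$CADIR/$1.key" -out "$CADIR/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" \
        -in "$CADIR/$1.csr" -out "$CADIR/$1.crt" 2>/dev/null
}
issue_client staff-laptop
issue_client lost-notebook

# Step 1: revoke the missing notebook's certificate at the CA and publish a CRL.
openssl ca -config "$CADIR/openssl.cnf" -revoke "$CADIR/lost-notebook.crt" \
    -crl_reason keyCompromise 2>/dev/null
openssl ca -config "$CADIR/openssl.cnf" -gencrl -out "$CADIR/crl.pem" 2>/dev/null

revoked_count() {  # number of entries in the published CRL
    openssl crl -in "$CADIR/crl.pem" -noout -text | grep -c 'Serial Number:'
}

# Step 2 (option 3 from the thread): crl.pem is plain ASCII, so an init script
# can carry the text and write it to disk on every boot. Generate such a script
# with the CRL embedded as a quoted here-document, then run it.
make_and_run_init_script() {
    {
        echo '#!/bin/sh'
        echo "mkdir -p $(dirname "$CRL_ON_ROUTER")"
        echo "cat > $CRL_ON_ROUTER <<'CRL_EOF'"
        cat "$CADIR/crl.pem"
        echo 'CRL_EOF'
    } > "$WORK/init.sh"
    sh "$WORK/init.sh"
}
make_and_run_init_script

# Step 3: the one line that goes into the VPN server's custom configuration.
echo "crl-verify $CRL_ON_ROUTER" > "$WORK/openvpn-custom.conf"

# Check: verify against the CA with CRL checking, as the server will.
cert_accepted() {  # $1 = certificate file; exit 0 if it still verifies
    openssl verify -CAfile "$CADIR/ca.crt" -CRLfile "$CRL_ON_ROUTER" \
        -crl_check "$1" >/dev/null 2>&1
}

for cn in staff-laptop lost-notebook; do
    if cert_accepted "$CADIR/$cn.crt"; then
        echo "$cn: accepted"
    else
        echo "$cn: REJECTED (revoked)"
    fi
done
```

The quoted `'CRL_EOF'` delimiter is deliberate: it stops the shell from touching anything inside the PEM text. If `cert_accepted` reports the revoked certificate as accepted, the CRL the server is reading is not the one you just generated; the usual causes are a stale copy left on the router or a `crl-verify` path that does not match where the init script wrote the file.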
