Using easyrsa

Revoke certificate

If you don't want to restart openvpn after revoking a cert, add to the server config:

crl-verify crl.pem

Then revoke the client certificate and regenerate the CRL:

./easyrsa revoke someclient
./easyrsa gen-crl

Check crl

openssl crl -in pki/crl.pem -noout -text

Check the serial numbers of the revoked certs

grep ^R pki/index.txt

You might need to copy crl.pem to /etc/openvpn/

cp ~/easy-rsa/pki/crl.pem /etc/openvpn

Renew the CRL expiry date using easyrsa

./easyrsa gen-crl

and most likely

cp ~/easy-rsa/pki/crl.pem /etc/openvpn/

Push DNS to linux clients

echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf 
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf

Openvpn and systemd

Update crl

openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf


NOTE: FlushIpNetTable failed on interface

This happens on Windows, ignore it.

TLS Error: local/remote TLS keys are out of sync

First give it some time

WARNING: 'link-mtu' is used inconsistently


VERIFY ERROR: depth=0, error=CRL has expired

easyrsa gen-crl

and copy that to /etc/openvpn
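
To catch "CRL has expired" before clients start failing, the CRL's nextUpdate date can be checked from cron. This is an added example, not part of the original notes; it assumes GNU date and openssl are installed, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: warn before the CRL that OpenVPN reads via crl-verify expires.
# Assumptions: GNU date (for -d), openssl on PATH; function names are hypothetical.

# Seconds from "now" (epoch seconds, $2) until an openssl-style date string ($1).
crl_seconds_left() {
    next_epoch=$(date -u -d "$1" +%s) || return 2
    echo $(( next_epoch - $2 ))
}

# Map seconds left ($1) and a warning threshold in days ($2) to a status word.
crl_status() {
    if [ "$1" -le 0 ]; then
        echo EXPIRED
    elif [ "$1" -lt $(( $2 * 86400 )) ]; then
        echo RENEW
    else
        echo OK
    fi
}

# Read nextUpdate from the CRL file ($1) and report; threshold in days is $2 (default 7).
# Exit status: 0 = OK, 1 = RENEW or EXPIRED, 2 = CRL unreadable or date not parseable.
check_crl() {
    crl=$1
    warn_days=${2:-7}
    next=$(openssl crl -in "$crl" -noout -nextupdate) || return 2
    next=${next#nextUpdate=}
    left=$(crl_seconds_left "$next" "$(date -u +%s)") || return 2
    status=$(crl_status "$left" "$warn_days")
    echo "$crl: $status (nextUpdate: $next)"
    [ "$status" = OK ]
}

# Runs only when a CRL path is given, e.g.: sh check-crl.sh /etc/openvpn/crl.pem 14
if [ "$#" -gt 0 ]; then
    check_crl "$@"
fi
```

Check the copy in /etc/openvpn, not only pki/crl.pem: the server reads the copied file, so a regenerated CRL that was never copied still expires.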