OpenVPN best practices in the Reference Architecture

[rhoboat]

Hi all,
I am using openvpn-admin CLI to generate OpenVPN certificates for all the other users and I am a bit confused. Can someone clarify my questions or point me to some documentation that could help.

I am using aws-auth with my own credentials to switch between Dev and Stage env and then use openvpn-admin request --username <IAM-USERNAME> to generate the OpenVPN profiles in that respective account for other users. I was wondering if that’s the right way of doing it.

I have the following questions in this regards:

• I see that even if I delete the user from IAM (of Security account), the VPN profile I created for that particular user using the above command is still active and they can access the AWS resources. Is there a better way of offboarding the user?
• A user who has access only to Dev env can also access resources in Stage env if I create a VPN profile for them from Stage env using above command. Is that how it’s supposed to work?
• Where do I see a list of all the active profiles I created so that I can revoke unused profiles?

[antmordel]

Thank you for your question, I'll answer them inline!

I see that even if I delete the user from IAM (of Security account), the VPN profile I created for that particular user using the above command is still active and they can access the AWS resources. Is there a better way of offboarding the user?

Once you have removed the IAM user, an OpenVPN Admin should run the revoke command that will add this user to the CRL (certificate revoke list).

A user who has access only to Dev env can also access resources in Stage env if I create a VPN profile for them from Stage env using above command. Is that how it’s supposed to work?

This depends on how you have set up the architecture. If there is a OpenVPN server on each environment, then the certificates are different, and therefore, access are individual per environment.

Where do I see a list of all the active profiles I created so that I can revoke unused profiles?

When we do revoke, we are not removing the certificate for the user at hand, instead, we add the user to the CRL. However, we don't have a compiled list of users which are active and not in the CRL. Users in the CRL are meant to not be active.

I hope this clarifies a bit more the questions about the OpenVPN role in the Reference Architecture!