Now that you have a fully functional OpenVPN connection, it sure does give you a valid sense of security doesn't it? There are still a few more things you should know in order to extend what the software can do.
In a perfect world everyone you hired, or are collaborating with, would be gracious and understanding when you no longer require their services. Unfortunately allowing them access to your network after their departure is a serious security liability and is generally ill-advised unless you want all manner of company secrets to leak out long after they're gone.
Then there are those cases where a machine may have fallen into the wrong hands. Thankfully the process for removing the access privileges to your network takes a few easy steps. You'll likely want to know which client you want to stop accessing your server first and foremost, which you have been dutifully cataloging since you've begun using the software.
Open up your trusty command prompt and change the directory until you're in your OpenVPN's working easy-rsa directory. From there the first two commands you'll want to run are:
The requisite text scroll should inform you that the software has created a file called crl.pem which contains keys that you have chosen to prevent access to your OpenVPN server. You'll want to copy this file to a location that OpenVPN can access and add the following to your server's configuration file:
If everything has gone smoothly you'll have yourself a freshly secured server which is no longer accessible to those you've added to the crl file. For those users that keep a constant connection to the server you'll want to restart the server in order to sever any current links.
There is a simple command to remember for future reference should you require the services of the key building functionality in OpenVPN, which you will, and it just happened to be mentioned earlier:
You won't be able to create any new keys for your clients without running it again and it's something that's easily forgotten, which will lead to quite a bit of lost time trying to track down errors in your installation before realizing that you need this simple command.