# OpenVPN & Chroot Jail

## eponymous

Hi, I have OpenVPN installed and set up.

I created a set of certificates for my client, copied the files across and was able to make a successful connection.

I then decided to make a set of new certificates as I fear the first set may have been compromised. After revoking the scripts by following the HOWTO (http://openvpn.net/howto.html#revoke) I created a crl.pem file and put it in my jail directory (/etc/openvpn/jail) as I am using the "chroot jail" directive at the bottom of my openvpn.conf.

I then went about creating a new set of certificates only to find that I can only connect successfully if I allow full access to my jail directory (i.e. chmod 777). This did not happen before.

If I set the permissions of the jail directory to 700 for example, openvpn.log shows it cannot access the crl.pem file (permission denied).

crl.pem has full access by anybody (777) and is owned by root and in group root.

jail is owned by root, and is in group root.

My openvpn.conf file looks like this at the bottom:

```
verb 4
;mute 20
chroot jail
crl-verify crl.pem
```

I also drop root privileges in the config file further up (i.e. user nobody, group nobody).

The only way to make a successful connection is to either remove the "crl-verify" directive or relax the permissions on the jail directory (to 777).

Is there any way to get this to work?

Also, is it actually necessary for me to have the crl.pem file, as I have deleted the old certificates from the server? I'm guessing that if someone had the old client certificates, they would not be able to connect.

I'd appreciate any help,

Thanks in advance.
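Added example, not code from the post or from the OpenVPN project: a small Python script that reproduces the path walk the chrooted OpenVPN process performs when it opens `crl.pem` as the unprivileged user. It assumes the process runs as uid/gid 65534 (`nobody`, as in the poster's "user nobody, group nobody"), that `crl-verify crl.pem` is resolved relative to the jail after privileges have been dropped, and it builds a throwaway jail in a temporary directory rather than touching /etc/openvpn.

```python
import os
import stat
import tempfile

# Assumed identity of the unprivileged OpenVPN process ("user nobody, group nobody"
# in the poster's config). 65534 is the usual nobody uid/gid on Linux, but this is
# an assumption; substitute the values from /etc/passwd on the real server.
NOBODY_UID = 65534
NOBODY_GID = 65534


def perm_bits_for(st, uid, gid):
    """Return the rwx triple (0-7) that applies to a process running as uid/gid.

    Owner bits apply if the uid matches, group bits if the gid matches, otherwise
    the 'other' bits. uid 0 models root's DAC override and gets all bits.
    """
    mode = st.st_mode
    if uid == 0:
        return 7
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid == gid:
        return (mode >> 3) & 7
    return mode & 7


def check_chroot_access(jail, rel_path, uid=NOBODY_UID, gid=NOBODY_GID):
    """Emulate the kernel's path walk for a process chrooted into `jail`.

    Every directory on the way (the jail root included) needs search (x)
    permission and the final file needs read (r). Returns (ok, message).
    """
    parts = [p for p in rel_path.split("/") if p]
    dirs = [jail]
    for comp in parts[:-1]:
        dirs.append(os.path.join(dirs[-1], comp))
    for d in dirs:
        st = os.stat(d)
        if not perm_bits_for(st, uid, gid) & 1:
            return False, "%s: mode %s denies search (x) to uid=%d gid=%d" % (
                d, oct(stat.S_IMODE(st.st_mode)), uid, gid)
    target = os.path.join(jail, *parts)
    st = os.stat(target)
    if not perm_bits_for(st, uid, gid) & 4:
        return False, "%s: mode %s denies read to uid=%d gid=%d" % (
            target, oct(stat.S_IMODE(st.st_mode)), uid, gid)
    return True, "%s: readable by uid=%d gid=%d" % (target, uid, gid)


def demo():
    """Build a throwaway jail mirroring the poster's setup and check it before
    and after the least-privilege fix (jail 0755, crl.pem 0644)."""
    # The jail is created by *this* user, so pick ids that are guaranteed not to
    # match it; that mirrors 'nobody' reading a root-owned jail.
    uid = NOBODY_UID if os.getuid() != NOBODY_UID else NOBODY_UID - 1
    gid = NOBODY_GID if os.getgid() != NOBODY_GID else NOBODY_GID - 1

    jail = tempfile.mkdtemp(prefix="openvpn-jail-")
    crl = os.path.join(jail, "crl.pem")
    with open(crl, "w") as fh:  # constructed placeholder, not a real CRL
        fh.write("-----BEGIN X509 CRL-----\nplaceholder\n-----END X509 CRL-----\n")

    results = {}
    # As in the post: jail 700 (root only), crl.pem 777.
    os.chmod(jail, 0o700)
    os.chmod(crl, 0o777)
    results["before"] = check_chroot_access(jail, "crl.pem", uid, gid)

    # Fix: nobody only needs to *traverse* the jail and *read* the CRL.
    os.chmod(jail, 0o755)
    os.chmod(crl, 0o644)
    results["after"] = check_chroot_access(jail, "crl.pem", uid, gid)

    os.remove(crl)
    os.rmdir(jail)
    return results


if __name__ == "__main__":
    for phase, (ok, msg) in demo().items():
        print("%-6s %s %s" % (phase, "OK  " if ok else "FAIL", msg))
```

The failing component is the directory, not the file: to open `jail/crl.pem` the `nobody` process must have search permission on the jail directory itself, so a root-owned jail at 700 blocks the lookup no matter how open crl.pem is. 755 on the jail and 644 on the CRL is sufficient, and neither needs to be writable by anyone but root. On the poster's second question, the CRL is still doing useful work: deleting a certificate from the server does not invalidate it, because a connecting client is checked against the CA's signature, so only the CRL (or a fresh CA, as the reply below suggests) keeps an old certificate out.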

----------

## gerdesj

If you are using ezrsa and don't mind starting again then do that with a completely new CA, which will automatically bin the old certificates.

Also, check out the client-config-dir directive. Basically you create a dir and touch files in there named with the Subject name of your client certs. You can also put configs in these files for more flexibility. If the file is not there the client can't connect, an easy way to stop access.

Cheers

Jon

----------

