
OpenVPN best practices in the Reference Architecture

Answer

Hi all, I am using the `openvpn-admin` CLI to generate OpenVPN certificates for all the other users and I am a bit confused. Can someone clarify my questions or point me to some documentation that could help? I am using `aws-auth` with my own credentials to switch between the Dev and Stage environments and then use `openvpn-admin request --username <IAM-USERNAME>` to generate the OpenVPN profiles in that respective account for other users. I was wondering if that's the right way of doing it. I have the following questions in this regard:

- I see that even if I delete the user from IAM (of the Security account), the VPN profile I created for that particular user using the above command is still active and they can access the AWS resources. Is there a better way of offboarding the user?
- A user who has access only to the Dev env can also access resources in the Stage env if I create a VPN profile for them from the Stage env using the above command. Is that how it's supposed to work?
- Where do I see a list of all the active profiles I created so that I can revoke unused profiles?

Thank you for your question, I'll answer them inline!

> I see that even if I delete the user from IAM (of the Security account), the VPN profile I created for that particular user using the above command is still active and they can access the AWS resources. Is there a better way of offboarding the user?

Once you have removed the IAM user, an OpenVPN admin should run the [`revoke`](https://github.com/gruntwork-io/terraform-aws-openvpn/tree/master/modules/openvpn-admin#commandline-options) command, which will add this user to the CRL (certificate revocation list).

> A user who has access only to the Dev env can also access resources in the Stage env if I create a VPN profile for them from the Stage env using the above command. Is that how it's supposed to work?

This depends on how you have set up the architecture. If there is an OpenVPN server in each environment, then the certificates are different, and therefore access is individual per environment.

> Where do I see a list of all the active profiles I created so that I can revoke unused profiles?

When we do `revoke`, we are not removing the certificate for the user at hand; instead, we add the user to the CRL. However, we don't have a compiled list of users which are active and **not** in the CRL. Users in the CRL are meant to not be active.

I hope this clarifies a bit more the questions about the OpenVPN role in the Reference Architecture!
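As an added illustration (not part of the original answer and not code from the Gruntwork module), the following POSIX shell audit builds the "active and not in the CRL" list that the answer says the tooling does not compile for you. It assumes the OpenVPN server's PKI keeps an easy-rsa style `index.txt` whose tab-separated fields are status, expiry, revocation date, serial, filename and subject DN; the file path and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Offboarding audit over an easy-rsa style index.txt (assumed layout):
#   status(V|R)  expiry  revocation-date  serial  filename  subject-DN
# The revocation date is empty for certificates that are still valid.

# Constructed sample index.txt for offline use; not taken from any real server.
make_sample_index() {
  printf 'V\t260101120000Z\t\t01\tunknown\t/CN=alice\n' > "$1"
  printf 'R\t260101120000Z\t250301090000Z\t02\tunknown\t/CN=bob\n' >> "$1"
  printf 'V\t260101120000Z\t\t03\tunknown\t/CN=carol\n' >> "$1"
}

# Extract the CN from the subject DN (field 6), dropping other DN components.
cn_of_status() {
  awk -F '\t' -v want="$2" '
    $1 == want { sub(/^.*\/CN=/, "", $6); sub(/\/.*$/, "", $6); print $6 }
  ' "$1"
}

# Users whose certificate is still valid, i.e. NOT in the CRL.
list_active_cns() {
  cn_of_status "$1" V
}

# Users whose certificate has been revoked (status R, present in the CRL).
list_revoked_cns() {
  cn_of_status "$1" R
}

# Exit 0 if the named user still holds a valid certificate, 1 otherwise;
# useful as a check after an IAM user has been deleted.
is_active() {
  list_active_cns "$1" | grep -qx "$2"
}
```

Compare the output of `list_active_cns` against your current IAM user list: any CN that no longer has an IAM user is a candidate for `openvpn-admin revoke`.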