Openvpn

From DWIKI

HOWTO

Using easyrsa

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

Revoke certificate

https://openvpn.net/community-resources/revoking-certificates/

If you don't want to restart openvpn after revoking a cert add to server config:

crl-verify crl.pem 
./easyrsa revoke someclient
./easyrsa gen-crl 

Check crl (TODO this is incorrect)

openssl crl -in -text pki/crl.pem

Check the serial numbers of the revoke certs

grep ^R pki/index.txt

You might need to copy crl.pem to /etc/openvpn/

cp ~/easy-rsa/pki/crl.pem /etc/openvpn

Renew expiry dates using easyrsa

./easyrsa gen-crl

and most likely

cp ~/easy-rsa/pki/crl.pem /etc/openvpn/

Push DNS to linux clients

http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/

echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf 
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf


Openvpn and systemd

https://ubuntu.com/server/docs/service-openvpn


Update crl

openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf

FAQ

NOTE: FlushIpNetTable failed on interface

This happens on windows, ignore it.


TLS Error: local/remote TLS keys are out of sync

First give it some time


WARNING: 'link-mtu' is used inconsistently

?

VERIFY ERROR: depth=0, error=CRL has expired

easyrsa gen-crl

and copy that to /etc/openvpn