Openvpn: Difference between revisions
From DWIKI
mNo edit summary |
m (→HOWTO) |
||
| (9 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
*[https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/ Fixing MTU settings for Openvpn] | *[https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/ Fixing MTU settings for Openvpn] | ||
= | =HOWTO= | ||
== | ==Using easyrsa== | ||
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto | |||
===Revoke certificate=== | |||
https://openvpn.net/community-resources/revoking-certificates/ | |||
If you don't want to restart openvpn after revoking a cert add to server config: | |||
crl-verify crl.pem | |||
./easyrsa revoke someclient | |||
./easyrsa gen-crl | |||
Check crl (TODO this is incorrect) | |||
openssl crl -in -text pki/crl.pem | |||
Check the serial numbers of the revoke certs | |||
grep ^R pki/index.txt | |||
You might need to copy crl.pem to /etc/openvpn/ | |||
cp ~/easy-rsa/pki/crl.pem /etc/openvpn | |||
===Renew expiry dates using easyrsa=== | |||
./easyrsa gen-crl | |||
and most likely | |||
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/ | |||
==Push DNS to linux clients== | ==Push DNS to linux clients== | ||
| Line 13: | Line 34: | ||
echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf | echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf | ||
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf | echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf | ||
==Openvpn and systemd== | |||
https://ubuntu.com/server/docs/service-openvpn | |||
==Update crl== | |||
openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf | |||
=FAQ= | |||
==NOTE: FlushIpNetTable failed on interface== | |||
This happens on windows, ignore it. | |||
==TLS Error: local/remote TLS keys are out of sync== | |||
First give it some time | |||
==WARNING: 'link-mtu' is used inconsistently== | |||
? | |||
==VERIFY ERROR: depth=0, error=CRL has expired== | |||
easyrsa gen-crl | |||
and copy that to /etc/openvpn | |||
Latest revision as of 10:51, 26 February 2024
HOWTO
Using easyrsa
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
Revoke certificate
https://openvpn.net/community-resources/revoking-certificates/
If you don't want to restart openvpn after revoking a cert add to server config:
crl-verify crl.pem
./easyrsa revoke someclient ./easyrsa gen-crl
Check crl (TODO this is incorrect)
openssl crl -in -text pki/crl.pem
Check the serial numbers of the revoke certs
grep ^R pki/index.txt
You might need to copy crl.pem to /etc/openvpn/
cp ~/easy-rsa/pki/crl.pem /etc/openvpn
Renew expiry dates using easyrsa
./easyrsa gen-crl
and most likely
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/
Push DNS to linux clients
http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/
echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf
Openvpn and systemd
https://ubuntu.com/server/docs/service-openvpn
Update crl
openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf
FAQ
NOTE: FlushIpNetTable failed on interface
This happens on windows, ignore it.
TLS Error: local/remote TLS keys are out of sync
First give it some time
WARNING: 'link-mtu' is used inconsistently
?
VERIFY ERROR: depth=0, error=CRL has expired
easyrsa gen-crl
and copy that to /etc/openvpn
