Openvpn: Difference between revisions
From DWIKI
m (→FAQ) |
m (→HOWTO) |
||
| (7 intermediate revisions by the same user not shown) | |||
| Line 8: | Line 8: | ||
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto | https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto | ||
===Revoke certificate=== | ===Revoke certificate=== | ||
https://openvpn.net/community-resources/revoking-certificates/ | |||
If you don't want to restart openvpn after revoking a cert add to server config: | |||
crl-verify crl.pem | |||
./easyrsa revoke someclient | ./easyrsa revoke someclient | ||
./easyrsa gen-crl | ./easyrsa gen-crl | ||
Check crl | |||
Check crl (TODO this is incorrect) | |||
openssl crl -in -text pki/crl.pem | openssl crl -in -text pki/crl.pem | ||
Check the | |||
Check the serial numbers of the revoke certs | |||
grep ^R pki/index.txt | grep ^R pki/index.txt | ||
You might need to copy crl.pem to /etc/openvpn/ | |||
cp ~/easy-rsa/pki/crl.pem /etc/openvpn | |||
===Renew expiry dates using easyrsa=== | |||
./easyrsa gen-crl | |||
and most likely | |||
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/ | |||
==Push DNS to linux clients== | ==Push DNS to linux clients== | ||
| Line 21: | Line 35: | ||
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf | echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf | ||
==Openvpn and systemd== | |||
https://ubuntu.com/server/docs/service-openvpn | |||
==Update crl== | |||
openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf | |||
=FAQ= | =FAQ= | ||
| Line 33: | Line 54: | ||
==WARNING: 'link-mtu' is used inconsistently== | ==WARNING: 'link-mtu' is used inconsistently== | ||
? | ? | ||
==VERIFY ERROR: depth=0, error=CRL has expired== | |||
easyrsa gen-crl | |||
and copy that to /etc/openvpn | |||
Latest revision as of 10:51, 26 February 2024
HOWTO
Using easyrsa
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
Revoke certificate
https://openvpn.net/community-resources/revoking-certificates/
If you don't want to restart openvpn after revoking a cert add to server config:
crl-verify crl.pem
./easyrsa revoke someclient ./easyrsa gen-crl
Check crl (TODO this is incorrect)
openssl crl -in -text pki/crl.pem
Check the serial numbers of the revoke certs
grep ^R pki/index.txt
You might need to copy crl.pem to /etc/openvpn/
cp ~/easy-rsa/pki/crl.pem /etc/openvpn
Renew expiry dates using easyrsa
./easyrsa gen-crl
and most likely
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/
Push DNS to linux clients
http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/
echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf
Openvpn and systemd
https://ubuntu.com/server/docs/service-openvpn
Update crl
openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf
FAQ
NOTE: FlushIpNetTable failed on interface
This happens on windows, ignore it.
TLS Error: local/remote TLS keys are out of sync
First give it some time
WARNING: 'link-mtu' is used inconsistently
?
VERIFY ERROR: depth=0, error=CRL has expired
easyrsa gen-crl
and copy that to /etc/openvpn
