Openvpn: Difference between revisions

From DWIKI
 
(6 intermediate revisions by the same user not shown)
Line 8: Line 8:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
===Revoke certificate===
===Revoke certificate===
https://openvpn.net/community-resources/revoking-certificates/
If you don't want to restart openvpn after revoking a cert add to server config:
crl-verify crl.pem
  ./easyrsa revoke someclient
  ./easyrsa revoke someclient
  ./easyrsa gen-crl  
  ./easyrsa gen-crl  
Check crl
 
Check crl (TODO this is incorrect)
  openssl crl -in -text pki/crl.pem
  openssl crl -in -text pki/crl.pem
Check the serials numbers of the revoke certs
 
Check the serial numbers of the revoke certs
  grep ^R pki/index.txt
  grep ^R pki/index.txt
   
 
You might need to copy crl.pem to /etc/openvpn/
  cp ~/easy-rsa/pki/crl.pem /etc/openvpn
 
===Renew expiry dates using easyrsa===
./easyrsa gen-crl
and most likely
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/


==Push DNS to linux clients==
==Push DNS to linux clients==
Line 24: Line 38:
==Openvpn and systemd==
==Openvpn and systemd==
https://ubuntu.com/server/docs/service-openvpn
https://ubuntu.com/server/docs/service-openvpn
==Update crl==
openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf


=FAQ=
=FAQ=
Line 36: Line 54:
==WARNING: 'link-mtu' is used inconsistently==
==WARNING: 'link-mtu' is used inconsistently==
?
?
==VERIFY ERROR: depth=0, error=CRL has expired==
easyrsa gen-crl
and copy that to /etc/openvpn

Latest revision as of 10:51, 26 February 2024

HOWTO

Using easyrsa

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

Revoke certificate

https://openvpn.net/community-resources/revoking-certificates/

If you don't want to restart openvpn after revoking a cert add to server config:

crl-verify crl.pem 
./easyrsa revoke someclient
./easyrsa gen-crl 

Check crl (TODO this is incorrect)

openssl crl -in -text pki/crl.pem

Check the serial numbers of the revoke certs

grep ^R pki/index.txt

You might need to copy crl.pem to /etc/openvpn/

cp ~/easy-rsa/pki/crl.pem /etc/openvpn

Renew expiry dates using easyrsa

./easyrsa gen-crl

and most likely

cp ~/easy-rsa/pki/crl.pem /etc/openvpn/

Push DNS to linux clients

http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/

echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf 
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf


Openvpn and systemd

https://ubuntu.com/server/docs/service-openvpn


Update crl

openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf

FAQ

NOTE: FlushIpNetTable failed on interface

This happens on windows, ignore it.


TLS Error: local/remote TLS keys are out of sync

First give it some time


WARNING: 'link-mtu' is used inconsistently

?

VERIFY ERROR: depth=0, error=CRL has expired

easyrsa gen-crl

and copy that to /etc/openvpn