Openvpn: Difference between revisions

From DWIKI
← Older edit
Tony (talk | contribs)
7,289 edits
Tony (talk | contribs)
7,289 edits
Tag: wikieditor
Tony (talk | contribs)
7,289 edits
mNo edit summary
Tag: wikieditor
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Links=
**[https://community.openvpn.net/Pages/Getting%20started%20with%20OpenVPN OpenVPN - Getting started How-To]
*http://www.openvpn.net/
*http://www.openvpn.net/
*[http://openvpn.net/INSTALL-win32.html Openvpn on windows]
*[http://openvpn.net/INSTALL-win32.html Openvpn on windows]
Line 8: Line 10:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
===Revoke certificate===
===Revoke certificate===
https://openvpn.net/community-resources/revoking-certificates/
If you don't want to restart openvpn after revoking a cert add to server config:
crl-verify crl.pem
  ./easyrsa revoke someclient
  ./easyrsa revoke someclient
  ./easyrsa gen-crl  
  ./easyrsa gen-crl  
Check crl
 
Check crl (TODO this is incorrect)
  openssl crl -in -text pki/crl.pem
  openssl crl -in -text pki/crl.pem
Check the serials numbers of the revoke certs
 
Check the serial numbers of the revoke certs
  grep ^R pki/index.txt
  grep ^R pki/index.txt
   
 
You might need to copy crl.pem to /etc/openvpn/
  cp ~/easy-rsa/pki/crl.pem /etc/openvpn
 
===Renew expiry dates using easyrsa===
./easyrsa gen-crl
and most likely
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/


==Push DNS to linux clients==
==Push DNS to linux clients==
Line 24: Line 40:
==Openvpn and systemd==
==Openvpn and systemd==
https://ubuntu.com/server/docs/service-openvpn
https://ubuntu.com/server/docs/service-openvpn
==Update crl==
openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf


=FAQ=
=FAQ=

Latest revision as of 15:01, 3 July 2025

Links

HOWTO

Using easyrsa

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

Revoke certificate

https://openvpn.net/community-resources/revoking-certificates/

If you don't want to restart openvpn after revoking a cert add to server config: 

crl-verify crl.pem 

./easyrsa revoke someclient
./easyrsa gen-crl

Check crl (TODO this is incorrect) 

openssl crl -in -text pki/crl.pem

Check the serial numbers of the revoke certs 

grep ^R pki/index.txt

You might need to copy crl.pem to /etc/openvpn/ 

cp ~/easy-rsa/pki/crl.pem /etc/openvpn

Renew expiry dates using easyrsa

./easyrsa gen-crl

and most likely 

cp ~/easy-rsa/pki/crl.pem /etc/openvpn/

Push DNS to linux clients

http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/ 

echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf 
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf


Openvpn and systemd

https://ubuntu.com/server/docs/service-openvpn


Update crl

openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf

FAQ

NOTE: FlushIpNetTable failed on interface

This happens on windows, ignore it.


TLS Error: local/remote TLS keys are out of sync

First give it some time


?

VERIFY ERROR: depth=0, error=CRL has expired

easyrsa gen-crl

and copy that to /etc/openvpn

Retrieved from "https://wiki.dhits.nl/index.php?title=Openvpn&oldid=9803"