Openvpn
From DWIKI
Latest revision as of 10:51, 26 February 2024
* Openvpn on windows: http://openvpn.net/INSTALL-win32.html
* Openvpn howto: http://forums.gentoo.org/viewtopic.php?t=233080
* Fixing MTU settings for Openvpn: https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/
HOWTO
Using easyrsa
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
Revoke certificate
https://openvpn.net/community-resources/revoking-certificates/
If you don't want to restart openvpn after revoking a cert, add to the server config:
crl-verify crl.pem
The server re-reads the CRL file when it changes, so dropping in a fresh crl.pem is enough. A relative path is resolved against the config directory (or --cd / --chroot), and the file must be readable by the user the daemon drops to with --user.
Revoke the client and regenerate the CRL:
./easyrsa revoke someclient
./easyrsa gen-crl
Check the CRL (revoked serials are listed under "Revoked Certificates"):
openssl crl -in pki/crl.pem -noout -text
Check the serial numbers of the revoked certs in the CA index (status column R):
grep ^R pki/index.txt
Copy crl.pem to where the server config expects it:
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/
Renew the CRL expiry date using easyrsa
The CRL itself expires (EASYRSA_CRL_DAYS, 180 days by default); once its nextUpdate has passed every client is refused, so regenerate it before then:
./easyrsa gen-crl
and most likely
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/
Push DNS to linux clients
http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/
The server pushes the resolver with push "dhcp-option DNS ..."; on the client the update-resolv-conf script shipped with the Debian/Ubuntu openvpn package applies it. The up/down hooks only run if the client allows scripts (script-security 2), so add all three lines:
echo "script-security 2" >> ~/client/client.conf
echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf
Openvpn and systemd
https://ubuntu.com/server/docs/service-openvpn
Update crl
The same CRL regeneration without easyrsa (easy-rsa 2 keys/ layout), which is what gen-crl runs underneath:
openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf
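The revoke procedure above and the raw openssl "Update crl" command, as an added example that is not from this wiki, easy-rsa or OpenVPN: it builds a throwaway CA in the same index.txt/serial/crl.pem layout easyrsa's pki/ uses, issues two client certs, revokes one, regenerates the CRL with openssl ca -gencrl, and then checks each cert against the CRL the way the server's crl-verify does. The directory, client names (alice, bob) and config sections are constructed for the example.

```shell
#!/bin/sh
# Added example: emulate "easyrsa revoke" / "easyrsa gen-crl" with plain openssl
# and verify the outcome. All paths and names are constructed for this demo.
set -eu

# Create a minimal CA database in the layout easyrsa's pki/ uses. $1 = pki dir.
make_pki() {
  pki=$1
  mkdir -p "$pki/newcerts"
  : > "$pki/index.txt"          # CA index: one line per issued cert (V/R status)
  echo 1000 > "$pki/serial"     # next certificate serial (hex)
  echo 01 > "$pki/crlnumber"    # next CRL number
  cat > "$pki/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $pki
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
    -keyout "$pki/ca.key" -out "$pki/ca.crt" -config "$pki/openssl.cnf" 2>/dev/null
}

# Issue a client certificate signed by the CA. $1 = pki dir, $2 = client name.
issue_client() {
  pki=$1; name=$2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" -config "$pki/openssl.cnf" \
    -keyout "$pki/$name.key" -out "$pki/$name.csr" 2>/dev/null
  openssl ca -batch -notext -config "$pki/openssl.cnf" \
    -in "$pki/$name.csr" -out "$pki/$name.crt" >/dev/null 2>&1
}

# Equivalent of "./easyrsa revoke NAME" followed by "./easyrsa gen-crl":
# flag the cert as R in index.txt, then write a fresh crl.pem.
revoke_client() {
  pki=$1; name=$2
  openssl ca -config "$pki/openssl.cnf" -revoke "$pki/$name.crt" >/dev/null 2>&1
  openssl ca -config "$pki/openssl.cnf" -gencrl -out "$pki/crl.pem" >/dev/null 2>&1
}

# Serials of revoked certs: status column "R", serial in the 4th tab-separated
# field. This is the information "grep ^R pki/index.txt" shows.
revoked_serials() {
  awk -F'\t' '$1 == "R" { print $4 }' "$1/index.txt"
}

# Serial of a certificate as openssl prints it (uppercase hex).
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Check a cert the way crl-verify does: chain to the CA and consult the CRL.
# Prints "valid", "revoked", "crl-expired" (the FAQ's error) or the raw error.
crl_status() {
  pki=$1; cert=$2
  out=$(openssl verify -crl_check -CAfile "$pki/ca.crt" -CRLfile "$pki/crl.pem" "$cert" 2>&1) \
    && { echo valid; return 0; }
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *"CRL has expired"*)     echo crl-expired ;;
    *)                       echo "error: $out" ;;
  esac
}

demo() {
  pki=$(mktemp -d)
  make_pki "$pki"
  issue_client "$pki" alice
  issue_client "$pki" bob
  revoke_client "$pki" alice          # alice's laptop is gone; bob is untouched
  echo "revoked serials: $(revoked_serials "$pki")"
  echo "alice: $(crl_status "$pki" "$pki/alice.crt")"
  echo "bob:   $(crl_status "$pki" "$pki/bob.crt")"
  # The CRL's own expiry: after nextUpdate every client fails until gen-crl reruns.
  openssl crl -in "$pki/crl.pem" -noout -nextupdate
  rm -rf "$pki"
}
demo
```

The nextUpdate line is the one to watch in production: the example CA signs CRLs valid for 30 days (default_crl_days), easyrsa for EASYRSA_CRL_DAYS, and an expired CRL refuses every client, not just the revoked ones.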
FAQ
NOTE: FlushIpNetTable failed on interface
This happens on Windows and is harmless; ignore it.
TLS Error: local/remote TLS keys are out of sync
First give it some time
WARNING: 'link-mtu' is used inconsistently
Client and server computed a different link-mtu, so one of the options it is derived from differs between the two configs: tun-mtu, link-mtu, fragment, mssfix, the compression setting (comp-lzo/compress) or the data-channel cipher/auth. Diff the two configs and make those options match on both sides; the MTU link at the top of the page covers picking the value itself.
VERIFY ERROR: depth=0, error=CRL has expired
The CRL's nextUpdate has passed (easyrsa signs it for EASYRSA_CRL_DAYS, 180 days by default) and the server now refuses every client. Regenerate it:
easyrsa gen-crl
and copy that to /etc/openvpn