Openvpn

From DWIKI
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

HOWTO

Using easyrsa

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

Revoke certificate

https://openvpn.net/community-resources/revoking-certificates/

If you don't want to restart openvpn after revoking a cert add to server config: 

crl-verify crl.pem 

./easyrsa revoke someclient
./easyrsa gen-crl

Check crl (TODO this is incorrect) 

openssl crl -in -text pki/crl.pem

Check the serial numbers of the revoke certs 

grep ^R pki/index.txt

You might need to copy crl.pem to /etc/openvpn/ 

cp ~/easy-rsa/pki/crl.pem /etc/openvpn

Renew expiry dates using easyrsa

./easyrsa gen-crl

and most likely 

cp ~/easy-rsa/pki/crl.pem /etc/openvpn/

Push DNS to linux clients

http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/ 

echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf 
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf


Openvpn and systemd

https://ubuntu.com/server/docs/service-openvpn


Update crl

openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf

FAQ

NOTE: FlushIpNetTable failed on interface

This happens on windows, ignore it.


TLS Error: local/remote TLS keys are out of sync

First give it some time


WARNING: 'link-mtu' is used inconsistently

?

VERIFY ERROR: depth=0, error=CRL has expired

easyrsa gen-crl

and copy that to /etc/openvpn

Retrieved from "https://wiki.dhits.nl/index.php?title=Openvpn&oldid=8763"