On Sat, 29 Mar 2025 00:30:13 +0100, Bo Berglund <bo.bergl...@gmail.com> wrote:
>On Fri, 28 Mar 2025 18:09:16 -0400, "Dan Langille" <d...@langille.org> wrote:
>
>> On my phone: I suspect you're using a newer openvpn version.
>> It is complaining about your CA. I think it wants a CA created with a newer
>> algorithm.
>> Wait for confirmation by others.
>
>Is this because openvpn itself is newer than the one on RPi2?
>rpi4 version: OpenVPN 2.6.3
>rpi2 version: OpenVPN 2.4.7
>
>I tried to use the old cert/key etc files on the new server...
>(To make it accept connections using the old ovpn files.)
>
>If I create a new CA then will not the complete infrastructure need to be
>rebuilt including the ovpn connection files?
>
>I was hoping that the same files could be used for either server just by
>changing the connection port on the server.
>
>But in this case it seems like the server does not even start properly so the
>connection too does not proceed. And maybe it is the phone that barfs at the
>cert in the openvpn file and does not proceed towards the server? So the error
>is not from the server?
>
>What would be the proper way to deal with this, in the end I figured there
>could be two connection points served by the two RPi devices and using the
>same ovpn files except for the connection port.
>
>It was such a long time since I started from scratch now, I even created a
>script back then to help in creating new client files but that does only work
>on the old kind of files.

I decided to build a new server from scratch using easyrsa 3.2.2.
And I can't get it using apt because the most recent version there is 3.1.0-1,
which is way too old...

So I downloaded easyrsa 3.2.2 from GitHub to my $HOME/openvpn dir, but I got
stuck following these actions:

- Copy the vars.example file to vars
- Edit the vars file to extend the life of the certs:
    set_var EASYRSA_CA_EXPIRE 5475 #15 years
    set_var EASYRSA_CERT_EXPIRE 5110 #14 years
- Then started the process:
  - $ ./easyrsa init-pki
  - $ ./easyrsa --nopass build-ca (is this correct? no password?)
  - $ ./easyrsa gen-tls-crypt-key
  - next step is what?

From now on I am getting confused as to the password usage, I want to in the
end generate user logins in an ovpn file where the user needs to enter a
password on connect.
This password can be cached by the openvpn client used as is the case on a
Windows or Linux PC, but it needs to be there to safeguard against use by an
unknown person.

It seems like there is a --nopass argument to *all* the commands and I don't
know when it is appropriate to use that.

Is there a webpage anywhere "easyrsa 3.2.2 for dummies" where one can get a
complete sequence of commands to wind up with a usable OpenVPN server and user
ovpn files with password protection (for the ovpn files)?

I have looked around but what I found seems to be for older easy-rsa
versions...

I have read the "official" page:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

But it uses terminology that I don't understand about "systems", I just want to
create an OpenVPN server that allows 1-2 users to connect from outside to the
home server and from there access the local LAN as well as the Internet but as
if actually being at home.
I.e. in this case to be able to use the Internet as if located in Vienna.

There is no "organization" or such involved here...
And what is meant by "system" in the descriptions? Sounds like they use several
computers...

--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users