On Sat, 29 Mar 2025 00:30:13 +0100, Bo Berglund <bo.bergl...@gmail.com> wrote:

>On Fri, 28 Mar 2025 18:09:16 -0400, "Dan Langille" <d...@langille.org> wrote:
>
>> On my phone: I suspect you’re using a newer openvpn version. 
>> It is complaining about your CA. I think it wants a CA created with a newer 
>> algorithm. 
>> Wait for confirmation by others. 
>
>Is this because openvpn itself is newer than the one on RPi2?
>rpi4 version: OpenVPN 2.6.3
>rpi2 version: OpenVPN 2.4.7
>
>I tried to use the old cert/key etc files on the new server...
>(To make it accept connections using the old ovpn files.)
>
>If I create a new CA then will not the complete infrastructure need to be
>rebuilt including the ovpn connection files?
>
>I was hoping that the same files could be used for either server just by
>changing the connection port on the server.
>
>But in this case it seems like the server does not even start properly so the
>connection too does not proceed. And maybe it is the phone that barfs at the
>cert in the openvpn file and does not proceed towards the server? So the error
>is not from the server?
>
>What would be the proper way to deal with this, in the end I figured there could
>be two connection points served by the two RPi devices and using the same ovpn
>files except for the connection port.
>
>It was such a long time since I started from scratch now, I even created a
>script back then to help in creating new client files but that does only work on
>the old kind of files.

I decided to build a new server from scratch using easyrsa 3.2.2.
And I can't get it using apt because the most recent version there is 3.1.0-1,
which is way too old...

So I downloaded easyrsa 3.2.2 from github to my $HOME/openvpn dir, but I got
stuck following these actions:

- Copy the vars.example file to vars

- Edit the vars file to extend the life of the certs:
set_var EASYRSA_CA_EXPIRE       5475  #15 years
set_var EASYRSA_CERT_EXPIRE     5110  #14 years

- Then started the process:
- $ ./easyrsa init-pki
- $ ./easyrsa --nopass build-ca  (is this correct? no password?)
- $ ./easyrsa gen-tls-crypt-key
- next step is what?

From now on I am getting confused as to the password usage, I want to in the end
generate user logins in an ovpn file where the user needs to enter a password on
connect. This password can be cached by the openvpn client used as is the case
on a Windows or Linux PC, but it needs to be there to safeguard against use by
an unknown person.
It seems like there is a --nopass argument to *all* the commands and I don't
know when it is appropriate to use that.

Is there a webpage anywhere "easyrsa 3.2.2 for dummies" where one can get a
complete sequence of commands to wind up with a usable OpenVPN server and user
ovpn files with password protection (for the ovpn files)?

I have looked around but what I found seems to be for older easy-rsa versions...


I have read the "official" page:
 https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

But it uses terminology that I don't understand about "systems", I just want to
create an OpenVPN server that allows 1-2 users to connect from outside to the
home server and from there access the local LAN as well as the Internet but as
if actually being at home. I.e. in this case to be able to use the Internet as
if located in Vienna.

There is no "organization" or such involved here...
And what is meant by "system" in the descriptions? Sounds like they use several
computers...


-- 
Bo Berglund
Developer in Sweden



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
