On Sat, 29 Mar 2025 15:37:38 +0000, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>On Sat, 29 Mar 2025 10:41:38 +0100, Bo Berglund <bo.bergl...@gmail.com> wrote:
>
>> >But I am struggling to understand the concepts still.
>
>Some help:
>https://github.com/OpenVPN/easy-rsa/blob/master/doc/Intro-To-PKI.md
>
>> >I tried the section I feel is most similar to my use:
>> >
>> >PKI procedure: Producing your complete PKI on the CA machine
>> >
>> >Now I have done this after creating the vars file from the example with extended lifetimes set:
>> >
>> >1) ./easyrsa init-pki (This creates and populates the pki dir)
>> >2) ./easyrsa --nopass build-ca
>> >3) ./easyrsa gen-tls-crypt-key
>> >4) ./easyrsa --nopass build-server-full HakanNew
>> >5) ./easyrsa build-client-full BosseWien (client for myself)
>> >6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)
>
>That all looks good.

I hoped so...

>> Follow-up
>> ---------
>> I tested it by editing my existing server.conf file and commenting out all of
>> these lines referencing cert files etc:
>>
>> #Keys, Certificates, directories etc:
>> ca /etc/openvpn/server/serverkeys/ca.crt
>> cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
>> key /etc/openvpn/server/serverkeys/HAKANVPN.key
>> dh /etc/openvpn/server/serverkeys/dh2048.pem
>> tls-auth /etc/openvpn/server/serverkeys/ta.key 0
>>
>> Instead I copied in the full content of the server's inline file at the end of
>> the server.conf file.
>>
>> But that only resulted in a total non-starter when trying to start the service
>> so I have probably missed something important...
>
>What error message is given ?

I decided against using inlines, instead went the old way of creating a "keys" subdir below /etc/openvpn into where I copied the involved files and entered them with full paths into the server.conf file like before.
And it did work fine.
Now the new RPi4 based replacement VPN server has been transported to Vienna and after some trouble using my Windows OpenVPN-GUI application (which caches the OVPN file content so it has to be exited and started fresh in order to recognize changed file content) I was able to make it work and I can now connect using both an older RPi2 based server and this new RPi4 based device.

I have used easyrsa 3.2.2 to build the files and I have extended the lifetime a bit too. Should work for a while.

But I have one remaining issue, missing timestamps:
---------------------------------------------------
The OpenVPN server's logfile and status logfile are *missing timestamps*, which makes them difficult to use for troubleshooting.

How can I make each line in the logs start with a timestamp that can be used for sorting/searching, like so:

2025-03-31 10:22:19 Some log info

(Notice that the most significant item is at the start and the least in the end contrary to the useless USA way of printing complete date-times...)

I tried by adding this to the server.conf file:

suppress-timestamps no

which was suggested to me online...

But that caused the server to not start at all!
In the log:

$ sudo cat server.log
Options error: Unrecognized option or missing or extra parameter(s) in server.conf:42: suppress-timestamps (2.6.3)
Use --help for more information.

And no more logging since the server apparently choked on this.
Took a while to find this out. And using the openvpn --help did not help much either.

Now I have looked around in searches and found that apparently my server and serverlocal services are controlled by systemd using this common file for the services:

/usr/lib/systemd/system/openvpn-server@.service

And on my new system that file contains this:

ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

Notice the --suppress-timestamps item, which I believe is what removes the timestamp output.
Question:
---------
Is it safe to edit that file and remove --suppress-timestamps (and I assume restart the openvpn instances)?
Or can this cause havoc in my system?

And how is the timestamp format defined?

-- 
Bo Berglund
Developer in Sweden
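
The change asked about above can be made as a systemd drop-in, so the packaged unit file under /usr/lib stays untouched; this is an added example, not part of the original post. The make_dropin helper, the instance name "server" and the override path in the comments are assumptions, and the sample input is the ExecStart line quoted in the message.

```shell
#!/bin/sh
# Added example: generate a systemd drop-in that re-declares ExecStart
# without --suppress-timestamps.

# Constructed sample input: the ExecStart line quoted in the post.
SAMPLE_UNIT='[Service]
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf'

# make_dropin (hypothetical helper): reads unit text on stdin and prints the
# drop-in text on stdout. Returns 1 when there is no ExecStart= line or the
# flag is not present, so nothing is overridden by accident.
make_dropin() {
    exec_line=$(grep '^ExecStart=' | head -n 1)
    [ -n "$exec_line" ] || return 1
    case "$exec_line" in
        *" --suppress-timestamps"*) ;;
        *) return 1 ;;
    esac
    # Remove the flag whether it sits mid-line or at the end of the line.
    new_line=$(printf '%s\n' "$exec_line" |
        sed -e 's/ --suppress-timestamps / /' -e 's/ --suppress-timestamps$//')
    printf '[Service]\n'
    printf '# An empty ExecStart= clears the packaged command before redefining it.\n'
    printf 'ExecStart=\n'
    printf '%s\n' "$new_line"
}

# Show the drop-in generated from the sample.
printf '%s\n' "$SAMPLE_UNIT" | make_dropin

# On a real host (assumed instance name and drop-in path, not from the post):
#   d=/etc/systemd/system/openvpn-server@.service.d
#   sudo mkdir -p "$d"
#   systemctl cat openvpn-server@server.service | make_dropin | sudo tee "$d/override.conf"
#   sudo systemctl daemon-reload && sudo systemctl restart openvpn-server@server
```

A drop-in placed in the template's .service.d directory applies to every instance of openvpn-server@ and is not overwritten when the package replaces the unit file.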