From: Stefanie L. <ste...@pe...> - 2025-03-29 12:40:25
On 3/29/25 08:07, Bo Berglund wrote:
> On Sat, 29 Mar 2025 00:30:13 +0100, Bo Berglund <bo....@gm...> wrote:
>
>> On Fri, 28 Mar 2025 18:09:16 -0400, "Dan Langille" <da...@la...> wrote:
>>
>>> On my phone: I suspect you're using a newer OpenVPN version.
>>> It is complaining about your CA. I think it wants a CA created with a newer algorithm.
>>> Wait for confirmation by others.
>>
>> Is this because openvpn itself is newer than the one on the RPi2?
>> rpi4 version: OpenVPN 2.6.3
>> rpi2 version: OpenVPN 2.4.7
>>
>> I tried to use the old cert/key etc. files on the new server...
>> (To make it accept connections using the old ovpn files.)
>>
>> If I create a new CA, then won't the complete infrastructure need to be
>> rebuilt, including the ovpn connection files?
>>
>> I was hoping that the same files could be used for either server just by
>> changing the connection port on the server.
>>
>> But in this case it seems like the server does not even start properly, so the
>> connection does not proceed either. And maybe it is the phone that barfs at the
>> cert in the openvpn file and does not proceed towards the server? So the error
>> is not from the server?
>>
>> What would be the proper way to deal with this? In the end I figured there could
>> be two connection points served by the two RPi devices, using the same ovpn
>> files except for the connection port.
>>
>> It was such a long time ago that I started from scratch; I even created a
>> script back then to help in creating new client files, but that only works on
>> the old kind of files.
>
> I decided to build a new server from scratch using easyrsa 3.2.2.
> And I can't get it using apt because the most recent version there is 3.1.0-1,
> which is way too old...
>
> So I downloaded easyrsa 3.2.2 from github to my $HOME/openvpn dir, but I got
> stuck following these actions:
>
> - Copy the vars.example file to vars
>
> - Edit the vars file to extend the life of the certs:
>   set_var EASYRSA_CA_EXPIRE 5475 #15 years
>   set_var EASYRSA_CERT_EXPIRE 5110 #14 years
>
> - Then started the process:
>   - $ ./easyrsa init-pki
>   - $ ./easyrsa --nopass build-ca (is this correct? no password?)
>   - $ ./easyrsa gen-tls-crypt-key
>   - next step is what?
>
> From now on I am getting confused as to the password usage. In the end I want to
> generate user logins in an ovpn file where the user needs to enter a password on
> connect. This password can be cached by the openvpn client used, as is the case
> on a Windows or Linux PC, but it needs to be there to safeguard against use by
> an unknown person.
> It seems like there is a --nopass argument to *all* the commands and I don't
> know when it is appropriate to use that.
>
> Is there a webpage anywhere, "easyrsa 3.2.2 for dummies", where one can get a
> complete sequence of commands to wind up with a usable OpenVPN server and user
> ovpn files with password protection (for the ovpn files)?
>
> I have looked around but what I found seems to be for older easy-rsa versions...
>
> I have read the "official" page:
> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
>
> But it uses terminology that I don't understand about "systems". I just want to
> create an OpenVPN server that allows 1-2 users to connect from outside to the
> home server and from there access the local LAN as well as the Internet, but as
> if actually being at home. I.e. in this case to be able to use the Internet as
> if located in Vienna.
>
> There is no "organization" or such involved here...
> And what is meant by "system" in the descriptions? Sounds like they use several
> computers...

Hi Bo.
I would like to recommend another setup for your installation, without all the implications that come with your own PKI...
This is safe and can be handled very simply:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst
Maybe you give it a try.
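The fingerprint setup linked in the reply above replaces the CA with a per-peer self-signed certificate and an allow-list of SHA256 fingerprints in the OpenVPN config. The following is an added example, not code from this thread or from the OpenVPN project, that shows the pieces a practitioner handles by hand in that mode: turning a PEM certificate into the colon-separated uppercase SHA256 fingerprint OpenVPN expects, normalizing what `openssl x509 -fingerprint -sha256 -noout` prints, rendering the inline `<peer-fingerprint>` block, and mirroring the accept/reject decision. It assumes the certificates were generated with openssl as the linked document describes; the `SAMPLE_DER` bytes are a constructed stand-in, not a real certificate, so only the hashing and formatting path is exercised.

```python
"""
Added example, not code from the mailing-list thread or from the OpenVPN
project: helpers for OpenVPN's peer-fingerprint mode, the CA-less setup the
reply above links to.

Assumptions, all this script's own:
  - each peer has a self-signed certificate, e.g. produced by the openssl
    command shown in the linked example-fingerprint.rst;
  - the fingerprint OpenVPN matches is SHA256 over the certificate's DER
    encoding, written as colon-separated uppercase hex, which is what
    `openssl x509 -fingerprint -sha256 -noout -in cert.crt` prints.
"""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for DER certificate bytes. NOT a real X.509 certificate;
# it only exercises the PEM -> DER -> SHA256 -> config-text path below.
SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-char lines, like openssl."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = der_to_pem(SAMPLE_DER)

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA256 fingerprint in the form OpenVPN expects: AA:BB:...:FF (32 bytes, 95 chars)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def normalize_fingerprint(text: str) -> str:
    """Accept the openssl output line ('SHA256 Fingerprint=aa:bb:...', lowercase
    digest name on newer OpenSSL) or a bare hex string with or without colons,
    and return the canonical colon-separated uppercase form. Anything that is
    not exactly 32 bytes of hex (e.g. a SHA1 fingerprint) is rejected."""
    value = text.strip().rsplit("=", 1)[-1]
    hexstr = value.replace(":", "").strip().upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hexstr):
        raise ValueError(f"not a SHA256 fingerprint: {text!r}")
    return ":".join(hexstr[i:i + 2] for i in range(0, 64, 2))


def render_peer_fingerprint_block(fingerprints) -> str:
    """Inline <peer-fingerprint> block: on the server it lists every allowed
    client certificate; on a client it holds the server certificate's fingerprint."""
    body = "\n".join(normalize_fingerprint(fp) for fp in fingerprints)
    return f"<peer-fingerprint>\n{body}\n</peer-fingerprint>\n"


def peer_allowed(presented_der: bytes, allowed_fingerprints) -> bool:
    """Mirror of the server's decision: the presented certificate is accepted
    only if its SHA256 fingerprint is in the allow-list. Normalization makes
    case and colon differences irrelevant; the compare is constant-time."""
    presented = sha256_fingerprint(presented_der)
    return any(hmac.compare_digest(presented, normalize_fingerprint(fp))
               for fp in allowed_fingerprints)


if __name__ == "__main__":
    fp = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    print("SHA256 Fingerprint=" + fp)           # same shape as the openssl output line
    print(render_peer_fingerprint_block([fp]))  # paste into server.conf / client.ovpn
```

Two practical notes: the `peer-fingerprint` option was introduced in OpenVPN 2.6, so a 2.4.x peer such as the RPi2 mentioned in the thread cannot use this mode, and with no CA there is no revocation list either; removing a lost client is done by deleting its line from the server's `<peer-fingerprint>` block and restarting the server.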