From: Gert D. <ge...@gr...> - 2025-05-15 11:28:26

Hi,

On Thu, May 15, 2025 at 12:04:46PM +0200, Stefanie Leisestreichler (Febas) wrote:
> What I do not understand is: As far as I know, openvpn is started with root
> rights to build the context for a running instance. If that is true, why
> can't the key been read during that phase and has to be made available for
> user openvpn (at least with arch)? Or is my assumption/understanding wrong?

If you run openvpn 2.x as "openvpn --user nobody", it will start as root, gather what it needs, and then suids to "nobody".

This seems to be about 3.x, which works differently :-) - and SystemD, which does everything differently again, so in this case the unit files will do the user change, and openvpn is started with non-root permissions -> no access to anything root-owned.

Arguably the second one is the more secure way to do things, as there is no "still running as root" phase - but it brings much more complications of course ("how can it then manipulate ifconfig/route/dns?").

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             ge...@gr...
From: David S. <daz...@eu...> - 2025-05-15 10:07:01

On 12/05/2025 11:52, Stefanie Leisestreichler (Febas) wrote:
> Hi.
> I have a fresh install of openvpn 3.5.0.8 on arch and try to get
> autostart for systemd working.
>
> The log is displaying this error:
> Options error: --key fails with 'gateway25.key': Permission denied (errno=13)
> Options error: --status fails with '/run/openvpn-server/status-gateway25.log': Permission denied (errno=13)
>
> I do not know special details about when openvpn drops privileges but I
> get a shiver when there is a need to change perms or ownership for key
> files.
>
> What do you think/recommend?

Notice this line in the systemd unit file:

    User=openvpn

This indicates that the OpenVPN process is started as the openvpn user. Your permissions are that only root has read access to the key file.

Try to change the owner of the key file from root to openvpn.

The openvpn-server@.service and openvpn-client@.service units have been written to lock down and strip the openvpn process from as many privileges as possible. Unfortunately, the list of needed privileges is still fairly long.

-- 
kind regards,

David Sommerseth
OpenVPN Inc
From: Stefanie L. (Febas) <ste...@pe...> - 2025-05-15 10:05:03

On 5/15/25 11:49, David Sommerseth wrote:
>
> Try to change the owner of the key file from root to openvpn.
>
> The openvpn-server@.service and openvpn-client@.service units has been
> written to lock down and strip the openvpn process from as many
> privileges as possible. Unfortunately, the list of needed privileges is
> still fairly long.
>

chown will make it running.

What I do not understand is: As far as I know, openvpn is started with root rights to build the context for a running instance. If that is true, why can't the key be read during that phase and has to be made available for user openvpn (at least with arch)? Or is my assumption/understanding wrong?
From: Stefanie L. (Febas) <ste...@pe...> - 2025-05-12 10:09:50

Hi.

I have a fresh install of openvpn 3.5.0.8 on arch and try to get autostart for systemd working.

The log is displaying this error:

    Options error: --key fails with 'gateway25.key': Permission denied (errno=13)
    Options error: --status fails with '/run/openvpn-server/status-gateway25.log': Permission denied (errno=13)

I do not know special details about when openvpn drops privileges but I get a shiver when there is a need to change perms or ownership for key files.

What do you think/recommend?

Thanks.

The unit file looks like this:

    [Unit]
    Description=OpenVPN service for %I
    After=network-online.target
    Wants=network-online.target
    Documentation=man:openvpn(8)
    Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/
    Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

    [Service]
    Type=notify
    PrivateTmp=true
    WorkingDirectory=/etc/openvpn/server
    ExecStart=/usr/bin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --config %i.conf
    User=openvpn
    Group=network
    AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
    CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WR>
    LimitNPROC=10
    DeviceAllow=/dev/null rw
    DeviceAllow=/dev/net/tun rw
    ProtectSystem=true
    ProtectHome=true
    KillMode=process
    RestartSec=5s
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target

File permissions are as follows:

    [root@gatway25 /etc/openvpn/server]# ll
    insgesamt 24K
    drwxr-x--- 2 openvpn network 4,0K 12. Mai 10:32 ./
    drwxr-xr-x 4 root    root    4,0K  5. Mai 20:58 ../
    -rw-r--r-- 1 root    root     684  9. Mai 19:11 gateway25.crt
    -rw------- 1 root    root     306  9. Mai 19:11 gateway25.key
    -rw------- 1 root    root     636 11. Mai 21:04 gateway25.ta.key
    -rw-r--r-- 1 root    root    2,4K 12. Mai 11:03 gateway25.conf
From: Gatsi J. <gat...@gm...> - 2025-05-04 10:27:42

The OpenVPN community project team is proud to release OpenVPN 2.6.13.

This is a bugfix release.

Feature changes:

* on non-windows clients (MacOS, Linux, Unix) send "release" string from uname() call as IV_PLAT_VER to server - while highly OS specific this is still helpful to keep track of OS versions used on the client side (github #637)
* Windows: protect cached username, password and token in client memory (using the CryptProtectMemory() windows API)
* Windows: use new API to get dco-win driver version from driver (newly introduced non-exclusive control device) (github ovpn-dco-win#76)
* Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default timeout of 90 seconds ("console prompting also has no timeout") (github #649)

Security fixes:

* improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.

Notable bug fixes:

* FreeBSD DCO: fix memory leaks in nvlist handling (github #636)
* purge proxy authentication credentials from memory after use (if --auth-nocache is in use)

Windows MSI changes since 2.6.12:

* Built against OpenSSL 3.4.0
* Included openvpn-gui updated to 11.51.0.0
* Higher resolution eye icons (github openvpn-gui#697)
* Support for concatenating OTP with password
* Optionally always prompt for OTP
* Fix tooltip positioning when the taskbar is at top (github openvpn-gui#710)

Debian/Ubuntu community packages are now available for Ubuntu 24.10 (oracular).

More details can be found in the Changes document:

<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>

(The Changes document also contains a section with work-arounds for common problems encountered when using OpenVPN with OpenSSL 3)

Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>

On Red Hat derivatives we recommend using the Fedora Copr repository.

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>

Kind regards,
-- 
Frank Lichtenheld

_______________________________________________
Openvpn-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openvpn-users

On Thu, Jan 16, 2025, 7:22 PM Frank Lichtenheld <fr...@li...> wrote:
> The OpenVPN community project team is proud to release OpenVPN 2.6.13.
>
> This is a bugfix release.
From: Gatsi J. <gat...@gm...> - 2025-04-06 11:11:06

I will make the clarification

On Sat, Apr 5, 2025, 10:24 AM Bo Berglund <bo....@gm...> wrote:
> On Tue, 1 Apr 2025 15:21:26 +0200, David Sommerseth via Openvpn-users
> <ope...@li...> wrote:
>
> >By default on most distributions today, you need to manually create the
> >/var/log/journal directory to enable persistent logging - or set
> >Storage=persistent in /etc/systemd/journald.conf. Without this, the
> >logging happens only in memory and is wiped across boots.
> >
> >So I strongly recommend you to use the systemd-journal. It will give
> >you access to all the log entries you're looking for incredibly quickly.
> > And it's a tool you have available out-of-the-box.
>
> Thanks for your description! It seems like I should perhaps stop using local
> logging...
>
> Follow-up questions:
>
> 1) If I do create the /var/log/journal dir on the server do I also remove the
> log directive in the server.conf file altogether and restart the service?
> And now the log will be handled exclusively by journalctl?
>
> 2) Do no other services use journalctl and thus create the /var/log/journal
> dir? If they do then (since they should have created the dir already) is the
> single action needed to just remove the log directive from server.conf?
> (and restart the openvpn service)?
>
> 3) On my openvpn server at home I have the same openvpn setup for the logging as
> on the smaller remote servers and here I have just checked that there is a
> /var/log/journal dir and it contains a single subdir named
> 60ef45f7ddcb44b69eb486e25a9b4894
> So I have this and I don't know if that is a general logging dir or the one
> openvpn server has created for journalctl...
> What is it, how to find out?
>
> 4) On my main home server I have written a utility that lets me check which
> clients are currently connected and this utility looks like this:
>
> #!/bin/bash
> #List active OpenVPN clients
>
> CMDW="sudo cat /etc/openvpn/log/openvpn-status.log | grep CLIENT_LIST | sed -n '1!p'"
> CMDL="sudo cat /etc/openvpn/log/ovpn-status_local.log | grep CLIENT_LIST | sed -n '1!p'"
>
> echo -e "------------------------\nWeb access clients:"
> eval "$CMDW"
> echo -e "\nLocal access clients:"
> eval "$CMDL"
> echo "------------------------"
>
> What it does is to list the currently connected clients such that I can choose a
> service restart time when there are no active clients for instance.
>
> But it uses the two status log files specified in the two server instances conf
> files (I have one instance for using the VPN as a gateway into the Swedish
> Internet and another to use only for local access to my home LAN).
> Will this be affected if I remove the log directive?
>
> TIA
>
>
> --
> Bo Berglund
> Developer in Sweden
>
From: Rui S. <rs...@ru...> - 2025-04-05 14:59:51

Hi Bo,

You sure can!

You appear to have a road warrior configuration on your home device, where all other remote devices connect to.

However, IMHO, the best way would probably be for you to set up what's called Site-to-Site connections, one such connection between your home device and each of the remote PI devices.

You'll need to have different lan addressing space among all networks. This is important, for example setup a different /24 on each of those LANs.

After this is done, you'll need to setup ip forwarding on all devices acting as clients too.

After this, setup all remote dhcp's to instruct the lan devices to use each of its openvpn's network client to act as a gateway for the LANs involved on all these connections. If any of these clients is already the default gateway on its LAN, then this is not needed.

Then just setup firewalling on your home device and remote PI clients.

There are other options to accomplish this, but this would be the most standard and clean way to accomplish all your needs.

If this is done you'll end up with what's called a Hub-and-Spoke. You'll actually be able to reach all devices on all networks, from within any device on any network. You'll just limit all communications on the firewalls.

It's a nice project. Have fun!

Rui Santos
Veni, Vidi, Linux

On Sat, 5 Apr 2025, 09:43 Bo Berglund, <bo....@gm...> wrote:
> This is kind of a super-strange usage question for OpenVPN but I would like to
> know if it is possible and if so how do I configure it:
> -------------------------------------------------------
>
> I have a couple of devices (mostly Raspberry Pi units) deployed on a few
> locations outside my home LAN and these connect back home using OpenVPN clients
> on them.
>
> While they are connected I can SSH into their command line interface for
> maintenance and checking using their tunnel IP addresses. That is very
> convenient.
>
> But...
> Now I wonder if these clients can be set up such that when they are connected to
> my main network through their OpenVPN clients they also act as a gateway back
> into the LAN they are sitting on?
>
> That would open up a simpler way to manage the *other* devices on the same
> remote LAN than configuring each of them to connect back home using an
> individual OpenVPN connection that is already connected.
>
> They really do not need to connect back home for the functionality they are
> handling but only if I would like to reach them for config changes etc.
>
> As I *can* connect by SSH through the tunnel back to the device that is
> connected to my home LAN then I could also reach the remote LAN via that
> device.
>
> So for command line access to the other items that would be fine.
> However, some of them do not have a command line entry point (no SSH) but only a
> GUI http config interface and that cannot be used via SSH to the vpn client.
>
> So can it instead be configured such that I can use my config GUI app at home
> channelled via the client VPN connection back onto the remote LAN to reach these
> GUI style devices?
>
> If so how?
>
>
> --
> Bo Berglund
> Developer in Sweden
>
From: Bo B. <bo....@gm...> - 2025-04-05 08:43:06

This is kind of a super-strange usage question for OpenVPN but I would like to know if it is possible and if so how do I configure it:
-------------------------------------------------------

I have a couple of devices (mostly Raspberry Pi units) deployed on a few locations outside my home LAN and these connect back home using OpenVPN clients on them.

While they are connected I can SSH into their command line interface for maintenance and checking using their tunnel IP addresses. That is very convenient.

But...
Now I wonder if these clients can be set up such that when they are connected to my main network through their OpenVPN clients they also act as a gateway back into the LAN they are sitting on?

That would open up a simpler way to manage the *other* devices on the same remote LAN than configuring each of them to connect back home using an individual OpenVPN connection that is already connected.

They really do not need to connect back home for the functionality they are handling but only if I would like to reach them for config changes etc.

As I *can* connect by SSH through the tunnel back to the device that is connected to my home LAN then I could also reach the remote LAN via that device.

So for command line access to the other items that would be fine.
However, some of them do not have a command line entry point (no SSH) but only a GUI http config interface and that cannot be used via SSH to the vpn client.

So can it instead be configured such that I can use my config GUI app at home channelled via the client VPN connection back onto the remote LAN to reach these GUI style devices?

If so how?

-- 
Bo Berglund
Developer in Sweden
From: Bo B. <bo....@gm...> - 2025-04-05 08:22:32

On Tue, 1 Apr 2025 15:21:26 +0200, David Sommerseth via Openvpn-users <ope...@li...> wrote:

>By default on most distributions today, you need to manually create the
>/var/log/journal directory to enable persistent logging - or set
>Storage=persistent in /etc/systemd/journald.conf. Without this, the
>logging happens only in memory and is wiped across boots.
>
>So I strongly recommend you to use the systemd-journal. It will give
>you access to all the log entries you're looking for incredibly quickly.
> And it's a tool you have available out-of-the-box.

Thanks for your description! It seems like I should perhaps stop using local logging...

Follow-up questions:

1) If I do create the /var/log/journal dir on the server do I also remove the log directive in the server.conf file altogether and restart the service?
And now the log will be handled exclusively by journalctl?

2) Do no other services use journalctl and thus create the /var/log/journal dir? If they do then (since they should have created the dir already) is the single action needed to just remove the log directive from server.conf? (and restart the openvpn service)?

3) On my openvpn server at home I have the same openvpn setup for the logging as on the smaller remote servers and here I have just checked that there is a /var/log/journal dir and it contains a single subdir named 60ef45f7ddcb44b69eb486e25a9b4894
So I have this and I don't know if that is a general logging dir or the one openvpn server has created for journalctl...
What is it, how to find out?

4) On my main home server I have written a utility that lets me check which clients are currently connected and this utility looks like this:

    #!/bin/bash
    #List active OpenVPN clients

    CMDW="sudo cat /etc/openvpn/log/openvpn-status.log | grep CLIENT_LIST | sed -n '1!p'"
    CMDL="sudo cat /etc/openvpn/log/ovpn-status_local.log | grep CLIENT_LIST | sed -n '1!p'"

    echo -e "------------------------\nWeb access clients:"
    eval "$CMDW"
    echo -e "\nLocal access clients:"
    eval "$CMDL"
    echo "------------------------"

What it does is to list the currently connected clients such that I can choose a service restart time when there are no active clients for instance.

But it uses the two status log files specified in the two server instances conf files (I have one instance for using the VPN as a gateway into the Swedish Internet and another to use only for local access to my home LAN).
Will this be affected if I remove the log directive?

TIA

-- 
Bo Berglund
Developer in Sweden
From: Yuriy D. <yur...@op...> - 2025-04-03 11:24:43

The OpenVPN community project team is proud to release OpenVPN 2.6.14.

This is a bugfix release containing one security fix.

Security fixes:

* CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2

  Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets. To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key. No crypto integrity is violated, no data is leaked, and no remote code execution is possible. This bug does not affect OpenVPN clients.

  (Bug found by internal QA at OpenVPN Inc)

Bug fixes:

* Linux DCO: repair source IP selection for --multihome (Qingfang Deng)

Windows MSI changes since 2.6.13:

* Built against OpenSSL 3.4.1
* Included openvpn-gui updated to 11.52.0.0
* Use correct %TEMP% directory for debug log file.
* Disable config in menu listing if its ovpn file becomes inaccessible (github openvpn-gui#729)

More details can be found in the Changes document:

<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>

(The Changes document also contains a section with work-arounds for common problems encountered when using OpenVPN with OpenSSL 3)

Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>

On Red Hat derivatives we recommend using the Fedora Copr repository.

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>

Kind regards,
Yuriy Darnobyt
From: David S. <daz...@eu...> - 2025-04-01 13:22:22

On 31/03/2025 13:06, Bo Berglund wrote:
>
> Now I have looked around in searches and found that apparently my server and
> serverlocal services are controlled by systemd using this common file for the
> services:
>
> /usr/lib/systemd/system/openvpn-server@.service
>
> And on my new system that file contains this:
>
> ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
>
> Notice the --suppress-timestamps item, which I believe is what removes the
> timestamp output.

Since I was involved back in the days introducing the systemd unit files, I can't let this pass ;)

First, yes - --suppress-timestamps is needed otherwise the default logging (not using files) will have timestamps doubled up. One from the syslog (or journald) when receiving the log event and the second one in the log event line from the OpenVPN process.

Secondly, I would generally strongly recommend AGAINST using the --log option when having a syslog service or journald running on the system. If OpenVPN gets under heavy load and need to do lots of logging, that will impact the performance - since it will need to also do the file operations to write log entries to the disk. By letting OpenVPN using the syslog API instead - it's the responsibility of the logging service to handle everything related to storing the data properly to disk.

Other advantages using the syslog API is that the syslog/journald service handles log rotation on its own. With rsyslog, syslog-ng (and many others) you can also filter out openvpn log entries into a dedicated log file, if you want that.

Since you use the systemd service files, you have journald enabled by default today. That does a very good job at ensuring the disk isn't filled up with log data. OpenVPN with --log can fill up the disks if nobody pays attention to the disk consumption.

And the journalctl command is a powerful tool to extract all the details you would want. Just a very quick example:

    # journalctl --since yesterday \
                 --until today \
                 -u ope...@vp...rvice \
                 -g "Control Channel:"

The --since and --until lines will extract only log events which happened yesterday. The -u is the systemd unit file to extract log files from. This only works when you don't have --log in the OpenVPN config. And the -g is "grep", so it extracts only log lines containing "Control Channel:". That also supports regex for more advanced filtering.

You can also add additional filtering on meta data not listed in the "normal" view. By adding -o json-pretty, you can get an idea of what might be available. So for example, if you want to look at the log entries for a specific PID ... journalctl _PID=12345. To add more filters, you use the + sign.

Other options I also commonly use are -f and -b. With -b you can give -1 to get log entries happening from the previous boot. -2 gives you the boot before that again. --list-boots will list all available boots in the journal.

The systemd-journal stores a lot more information about processes than the normal syslog and can also keep the log data compressed on disk, providing mechanisms to detect external log mangling, etc ... it is generally the recommended way.

By default on most distributions today, you need to manually create the /var/log/journal directory to enable persistent logging - or set Storage=persistent in /etc/systemd/journald.conf. Without this, the logging happens only in memory and is wiped across boots.

So I strongly recommend you to use the systemd-journal. It will give you access to all the log entries you're looking for incredibly quickly. And it's a tool you have available out-of-the-box.

-- 
kind regards,

David Sommerseth
OpenVPN Inc
From: Bo B. <bo....@gm...> - 2025-03-31 17:02:34
|
On Mon, 31 Mar 2025 13:06:46 +0200, Bo Berglund <bo....@gm...> wrote:

>But I have one remaining issue, missing timestamps:
>---------------------------------------------------
>
>The OpenVPN server's logfile and status logfile are *missing timestamps*, which
>makes them difficult to use for troubleshooting.
>
>How can I make each line in the logs start with a timestamp that can be used for
>sorting/searching, like so:
>
>2025-03-31 10:22:19 Some log info
>
>(Notice that the most significant item is at the start and the least in the end
>contrary to the useless USA way of printing complete date-times...)
>
>I tried by adding this to the server.conf file:
>
>suppress-timestamps no
>
>which was suggested to me online...
>
>But that caused the server to not start at all!
>
>In the log:
>
>$ sudo cat server.log
>Options error: Unrecognized option or missing or extra parameter(s) in
>server.conf:42: suppress-timestamps (2.6.3)
>Use --help for more information.
>
>
>And no more logging since the server apparently choked on this.
>
>Took a while to find this out.
>And using the openvpn --help did not help much either.
>
>
>Now I have looked around in searches and found that apparently my server and
>serverlocal services are controlled by systemd using this common file for the
>services:
>
>/usr/lib/systemd/system/openvpn-server@.service
>
>And on my new system that file contains this:
>
>ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
>--status-version 2 --suppress-timestamps --config %i.conf
>
>Notice the --suppress-timestamps item, which I believe is what removes the
>timestamp output.
>
>Question:
>---------
>Is it safe to edit that file and remove --suppress-timestamp (and I assume
>restart the openvpn instances)?
>
>Or can this cause havoc in my system?
>
>And how is the timestamp format defined?

I finally found online what the least intrusive solution is, so it can be
selectively applied to one of several servers running on the same machine.
It creates an override for the standard ExecStart command for selected service
instances:

1) Locate the /usr/lib/systemd/system/openvpn-server@.service template file

2) Open it and copy out the line ExecStart= (it contains the
--suppress-timestamps item), in my case it looks like this:

ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

3) Create an override dir:

sudo mkdir -p /etc/systemd/system/ope...@xx...rvice.d

where xxxx is the name of the conf file, in my case "server".

4) Create an "override" file:

sudo nano /etc/systemd/system/ope...@xx...rvice.d/override.conf

where again xxxx is replaced by the name of the conf file

5) Paste this into the file (the active line content from step 2 above minus
the suppress-timestamps argument). It will look like this:

[Service]
ExecStart=
ExecStart=/usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --config /etc/openvpn/server/server.conf

Now when the service is restarted the ExecStart item is first reset to blank and
then filled with the original but minus the --suppress-timestamps argument.

I have not yet had time to actually test/verify this but I am writing it down to
check later (so I don't forget the method).

Hopefully this can be the solution that is OK to use.

--
Bo Berglund
Developer in Sweden
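The drop-in procedure above, as an added shell script that is not part of the thread: it reads the template's ExecStart= line, removes only the --suppress-timestamps flag, and writes the per-instance override.conf, so nothing under /usr/lib is edited and other instances keep their timestamps suppressed. It assumes the template and drop-in paths named in the thread (both can be overridden with arguments for testing) and relies on systemd expanding %t and %i in a drop-in exactly as in the template, so the line can be reused unchanged.

```shell
#!/bin/sh
# Added example, not from the thread: generate the systemd drop-in that removes
# --suppress-timestamps from one openvpn-server@ instance's ExecStart.
# Assumed locations (from the thread); pass others as arguments for testing.
# Run:  sh make_override.sh server
# then: systemctl daemon-reload && systemctl restart openvpn-server@server

TEMPLATE_DEFAULT=/usr/lib/systemd/system/openvpn-server@.service
ROOT_DEFAULT=/etc/systemd/system

# Remove the --suppress-timestamps flag from an ExecStart line, leaving every
# other argument (including the %t/%i specifiers) intact.
strip_suppress_timestamps() {
    printf '%s\n' "$1" | sed -E 's/ --suppress-timestamps( |$)/\1/'
}

# Print the effective ExecStart= line of a unit file (the last non-empty one
# wins, which is how systemd itself treats repeated ExecStart= lines).
extract_execstart() {
    grep -E '^ExecStart=.' "$1" | tail -n 1
}

# Drop-in body: an empty ExecStart= clears the inherited command list, then the
# cleaned-up line is added back as the only command.
render_override() {
    printf '[Service]\nExecStart=\n%s\n' "$(strip_suppress_timestamps "$1")"
}

# write_override INSTANCE [TEMPLATE] [ROOT]
# Writes ROOT/openvpn-server@INSTANCE.service.d/override.conf and prints its path.
write_override() {
    instance=$1
    template=${2:-$TEMPLATE_DEFAULT}
    root=${3:-$ROOT_DEFAULT}
    [ -n "$instance" ] || { echo "usage: write_override INSTANCE [TEMPLATE] [ROOT]" >&2; return 2; }
    line=$(extract_execstart "$template")
    [ -n "$line" ] || { echo "no ExecStart= found in $template" >&2; return 1; }
    case "$line" in
        *--suppress-timestamps*) ;;
        *) echo "note: $template does not pass --suppress-timestamps; nothing to remove" >&2 ;;
    esac
    dir="$root/openvpn-server@$instance.service.d"
    mkdir -p "$dir" || return 1
    render_override "$line" > "$dir/override.conf" || return 1
    printf '%s\n' "$dir/override.conf"
}

# Only act when an instance name is given, so sourcing the file just defines
# the functions.
if [ $# -ge 1 ]; then
    write_override "$@"
fi
```

After writing the file, `systemctl cat openvpn-server@server` shows the template followed by the drop-in, which is the quickest way to confirm the override is picked up before restarting.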
From: Bo B. <bo....@gm...> - 2025-03-31 11:07:15
On Sat, 29 Mar 2025 15:37:38 +0000, tincantech via Openvpn-users <ope...@li...> wrote:

>On Sat, 29 Mar 2025 10:41:38 +0100, Bo Berglund <bo....@gm...> wrote:
>
>> >But I am struggling to understand the concepts still.
>
>Some help:
>https://github.com/OpenVPN/easy-rsa/blob/master/doc/Intro-To-PKI.md
>
>
>
>> >I tried the section I feel is most similar to my use:
>> >
>> >PKI procedure: Producing your complete PKI on the CA machine
>> >
>> >Now I have done this after creating the vars file from the example with extended
>> >lifetimes set:
>> >
>> >1) ./easyrsa init-pki (This creates and populates the pki dir)
>> >2) ./easyrsa --nopass build-ca
>> >3) ./easyrsa gen-tls-crypt-key
>> >4) ./easyrsa --nopass build-server-full HakanNew
>> >5) ./easyrsa build-client-full BosseWien (client for myself)
>> >6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)
>
>That all looks good.

I hoped so...

>> Follow-up
>> ---------
>> I tested it by editing my existing server.conf file and commenting out all of
>> these lines referencing cert files etc:
>>
>> #Keys, Certificates, directories etc:
>> ca /etc/openvpn/server/serverkeys/ca.crt
>> cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
>> key /etc/openvpn/server/serverkeys/HAKANVPN.key
>> dh /etc/openvpn/server/serverkeys/dh2048.pem
>> tls-auth /etc/openvpn/server/serverkeys/ta.key 0
>>
>> Instead I copied in the full content of the server's inline file at the end of
>> the server.conf file.
>>
>> But that only resulted in a total non-starter when trying to start the service
>> so I have probably missed something important...
>
>What error message is given ?

I decided against using inlines, instead went the old way of creating a "keys"
subdir below /etc/openvpn into where I copied the involved files and entered
them with full paths into the server.conf file like before.
And it did work fine.

Now the new RPi4 based replacement VPN server has been transported to Vienna and
after some trouble using my Windows OpenVPN-GUI application (which caches the
OVPN file content so it has to be exited and started fresh in order to recognize
changed file content) I was able to make it work and I can now connect using
both an older RPi2 based server and this new RPi4 based device.

I have used easyrsa 3.2.2 to build the files and I have extended the lifetime a
bit too. Should work for a while.

But I have one remaining issue, missing timestamps:
---------------------------------------------------

The OpenVPN server's logfile and status logfile are *missing timestamps*, which
makes them difficult to use for troubleshooting.

How can I make each line in the logs start with a timestamp that can be used for
sorting/searching, like so:

2025-03-31 10:22:19 Some log info

(Notice that the most significant item is at the start and the least in the end
contrary to the useless USA way of printing complete date-times...)

I tried by adding this to the server.conf file:

suppress-timestamps no

which was suggested to me online...

But that caused the server to not start at all!

In the log:

$ sudo cat server.log
Options error: Unrecognized option or missing or extra parameter(s) in
server.conf:42: suppress-timestamps (2.6.3)
Use --help for more information.

And no more logging since the server apparently choked on this.

Took a while to find this out.
And using the openvpn --help did not help much either.

Now I have looked around in searches and found that apparently my server and
serverlocal services are controlled by systemd using this common file for the
services:

/usr/lib/systemd/system/openvpn-server@.service

And on my new system that file contains this:

ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

Notice the --suppress-timestamps item, which I believe is what removes the
timestamp output.

Question:
---------
Is it safe to edit that file and remove --suppress-timestamp (and I assume
restart the openvpn instances)?

Or can this cause havoc in my system?

And how is the timestamp format defined?

--
Bo Berglund
Developer in Sweden
From: tincantech <tin...@pr...> - 2025-03-30 02:00:53
First, thank you David, for your help.

Also, see below for how Easy-RSA can help, however you choose to deploy your VPN.

For OpenVPN peer-fingerprint mode:

Please note, Easy-RSA 3.2.2 also has commands:
`self-sign-server` and `self-sign-client`

These will build a server or client cert/key pair that is not signed by a CA key
and can be used in OpenVPN peer-fingerprint mode.

Easy-RSA also writes the certificate fingerprint to the inline file.

For OpenVPN normal CA mode:

And finally, Easy-RSA (On Linux) writes the decimal value of the certificate
serial number to the inline file. That decimal can be used for the OpenVPN
option --crl-verify, when using the 'dir' flag.

The OpenVPN manual says:

If the optional dir flag is specified, enable a different mode where the
crl-verify is pointed at a directory containing files named as revoked serial
numbers (the files may be empty, the contents are never read). If a client
requests a connection, where the client certificate serial number (decimal
string) is the name of a file present in the directory, it will be rejected.

Regards
From: David S. <daz...@eu...> - 2025-03-29 21:49:47
On 29/03/2025 14:16, Bo Berglund wrote:
[...snip...]
> It seems like that solution is based on the clients being "registered" on the
> server with a fingerprint created client side, but how can you do such things on
> a mobile phone?
> So a Linux client would work but not a phone..

Kinda ... The client config still needs a client certificate and a key. That
information will not be created on the mobile device - and that is exactly the
same as with the CA/easy-rsa approach. You prepare a config file containing
everything, and that file is imported on the mobile device.

What is different is that you run an 'openssl x509' command to retrieve the
SHA-256 fingerprint of the client and server certificates. The client
certificate fingerprint is put into the <peer-fingerprint> "blob" in the server
config. And in the client config, the server certificate fingerprint is given to
the peer-fingerprint option.

IIRC, on *older* OpenVPN versions on the client side (not supporting
peer-fingerprint), the server certificate can be used in the <ca> "blob" in the
client config.

> We need the phone to also be able to connect to the server and be geolocated
> there.
> And that has worked for many years using the ovpn file (same file for the client
> irrespective of device used).

That should not be any different. What peer-fingerprint does is basically
removing the need for client and server certificates to be signed by a CA. So
the CA certificate is no longer needed when using peer-fingerprint. Client and
server certificates are self-signed when using peer-fingerprint.

--
kind regards,

David Sommerseth
OpenVPN Inc
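The 'openssl x509' step David describes, as an added shell example that is not from the thread or the OpenVPN documentation: it produces the server-side <peer-fingerprint> block and the client-side peer-fingerprint line from PEM certificate files. It assumes openssl on PATH; the make_selfsigned helper is only a stand-in for easyrsa self-sign-server/self-sign-client so the script can be exercised on throwaway certificates.

```shell
#!/bin/sh
# Added example, not from the thread: derive the peer-fingerprint config
# fragments from PEM certificates with openssl. Assumes openssl on PATH;
# all file names are arguments, nothing is written anywhere else.

# SHA-256 fingerprint of a certificate in the form OpenVPN expects:
# 32 colon-separated, upper-case hex bytes (openssl's "Fingerprint=" value).
cert_fingerprint() {
    _fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    printf '%s\n' "${_fp#*=}"
}

# Server side: one <peer-fingerprint> block listing every client certificate
# allowed to connect. Deleting a line is how a client is revoked in this mode.
server_block() {
    printf '<peer-fingerprint>\n'
    for _cert in "$@"; do
        _line=$(cert_fingerprint "$_cert") || return 1
        printf '%s\n' "$_line"
    done
    printf '</peer-fingerprint>\n'
}

# Client side: pin the server certificate with the peer-fingerprint option
# (no <ca> block is needed, since nothing is CA-signed).
client_line() {
    _srv=$(cert_fingerprint "$1") || return 1
    printf 'peer-fingerprint %s\n' "$_srv"
}

# Demonstration helper standing in for easyrsa self-sign-server/self-sign-client:
# a self-signed RSA certificate and key written to PREFIX.crt / PREFIX.key.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Usage: sh make_fingerprints.sh SERVER.crt CLIENT.crt [CLIENT2.crt ...]
if [ $# -ge 2 ]; then
    _server=$1; shift
    echo "# client config line:"
    client_line "$_server"
    echo "# server config block:"
    server_block "$@"
fi
```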
From: tincantech <tin...@pr...> - 2025-03-29 15:37:58
On Sat, 29 Mar 2025 10:41:38 +0100, Bo Berglund <bo....@gm...> wrote:

> >But I am struggling to understand the concepts still.

Some help:
https://github.com/OpenVPN/easy-rsa/blob/master/doc/Intro-To-PKI.md

> >I tried the section I feel is most similar to my use:
> >
> >PKI procedure: Producing your complete PKI on the CA machine
> >
> >Now I have done this after creating the vars file from the example with extended
> >lifetimes set:
> >
> >1) ./easyrsa init-pki (This creates and populates the pki dir)
> >2) ./easyrsa --nopass build-ca
> >3) ./easyrsa gen-tls-crypt-key
> >4) ./easyrsa --nopass build-server-full HakanNew
> >5) ./easyrsa build-client-full BosseWien (client for myself)
> >6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)

That all looks good.

> Follow-up
> ---------
> I tested it by editing my existing server.conf file and commenting out all of
> these lines referencing cert files etc:
>
> #Keys, Certificates, directories etc:
> ca /etc/openvpn/server/serverkeys/ca.crt
> cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
> key /etc/openvpn/server/serverkeys/HAKANVPN.key
> dh /etc/openvpn/server/serverkeys/dh2048.pem
> tls-auth /etc/openvpn/server/serverkeys/ta.key 0
>
> Instead I copied in the full content of the server's inline file at the end of
> the server.conf file.
>
> But that only resulted in a total non-starter when trying to start the service
> so I have probably missed something important...

What error message is given ?

> >ALSO:
> >-----
> >A bit down in the document above I found a link to another github script
> >Easy-TLS, which seems to be needed to do something TLS related ("add the
> >finishing touches to your PKI").

You do not need Easy-TLS.
Easy-TLS is only of any value if you want to use TLS-Crypt-v2 TLS keys.

I also recommend that you consider using OpenVPN peer-fingerprint mode.
One advantage is that expired certificates continue to work, until you decide
to remove their fingerprint from the server.

Or, you could instead try using https://github.com/pivpn/pivpn
pivpn would probably be ideal for you.

R
From: Bo B. <bo....@gm...> - 2025-03-29 13:31:36
On Sat, 29 Mar 2025 10:41:38 +0100, Bo Berglund <bo....@gm...> wrote:

>I am trying to understand how to use easyrsa 3.2.2 downloaded from github on a
>freshly built RPi4B running PiOS Lite in order to create an OpenVPN server for
>private use as described in a parallel thread.
>
>Now I have read the description document here:
>https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
>
>and tried to use it to set up a very simple system with two clients (myself and
>my brother in law).
>But I am struggling to understand the concepts still.
>
>I tried the section I feel is most similar to my use:
>
>PKI procedure: Producing your complete PKI on the CA machine
>
>Now I have done this after creating the vars file from the example with extended
>lifetimes set:
>
>1) ./easyrsa init-pki (This creates and populates the pki dir)
>2) ./easyrsa --nopass build-ca
>3) ./easyrsa gen-tls-crypt-key
>4) ./easyrsa --nopass build-server-full HakanNew
>5) ./easyrsa build-client-full BosseWien (client for myself)
>6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)
>
>Now what?
>In the old times I had to copy some crypto files to the /etc/openvpn/keys dir to
>be used by the server (files listed in the server.conf file).
>
>The build-client-full command seems to generate an inline file for each client
>as well as for the server itself.
>What do I do with these?
>
>Do I put the server's inline file *content* into the server.conf file itself and
>skip listing the file locations?
>I.e. no longer a "keys" dir inside /etc/openvpn?
>
>I.e. is the idea here that the server.conf file shall be self-contained, not
>needing any cert/key files found by a file path?

Follow-up
---------
I tested it by editing my existing server.conf file and commenting out all of
these lines referencing cert files etc:

#Keys, Certificates, directories etc:
ca /etc/openvpn/server/serverkeys/ca.crt
cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
key /etc/openvpn/server/serverkeys/HAKANVPN.key
dh /etc/openvpn/server/serverkeys/dh2048.pem
tls-auth /etc/openvpn/server/serverkeys/ta.key 0

Instead I copied in the full content of the server's inline file at the end of
the server.conf file.

But that only resulted in a total non-starter when trying to start the service
so I have probably missed something important...

>And the same for the OVPN client connection files?
>
>Do I for instance add my client config items to the top of the inline file and
>rename it as an ovpn file?
>
>Or what is the next step for me to get a server running properly and something
>to put into the ovpn files?
>
>ALSO:
>-----
>A bit down in the document above I found a link to another github script
>Easy-TLS, which seems to be needed to do something TLS related ("add the
>finishing touches to your PKI").
>
>But here I am lost, what is it needed for and how do I use it in my simple case?
>The inline files created above do contain a <tls-crypt> section already....
>
>Grateful for a bit of clarification.

--
Bo Berglund
Developer in Sweden
From: Bo B. <bo....@gm...> - 2025-03-29 13:16:44
On Sat, 29 Mar 2025 12:56:01 +0100, Stefanie Leisestreichler <ste...@pe...> wrote:

>Hi Bo.
>I would like to recommend another setup for your installation, without
>all the implications coming with an own pki...
>This is safe and can be handled very simply:
>https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst

It seems like that solution is based on the clients being "registered" on the
server with a fingerprint created client side, but how can you do such things on
a mobile phone?
So a Linux client would work but not a phone..

We need the phone to also be able to connect to the server and be geolocated
there.
And that has worked for many years using the ovpn file (same file for the client
irrespective of device used).

--
Bo Berglund
Developer in Sweden
From: Stefanie L. <ste...@pe...> - 2025-03-29 12:40:25
On 3/29/25 08:07, Bo Berglund wrote:
> On Sat, 29 Mar 2025 00:30:13 +0100, Bo Berglund <bo....@gm...> wrote:
>
>> On Fri, 28 Mar 2025 18:09:16 -0400, "Dan Langille" <da...@la...> wrote:
>>
>>> On my phone: I suspect you’re using a newer openvpn version.
>>> It is complaining about your CA. I think it wants a CA created with a newer algorithm.
>>> Wait for confirmation by others.
>>
>> Is this because openvpn itself is newer than the one on RPi2?
>> rpi4 version: OpenVPN 2.6.3
>> rpi2 version: OpenVPN 2.4.7
>>
>> I tried to use the old cert/key etc files on the new server...
>> (To make it accept connections using the old ovpn files.)
>>
>> If I create a new CA then will not the complete infrastructure need to be
>> rebuilt including the ovpn connection files?
>>
>> I was hoping that the same files could be used for either server just by
>> changing the connection port on the server.
>>
>> But in this case it seems like the server does not even start properly so the
>> connection too does not proceed. And maybe it is the phone that barfs at the
>> cert in the openvpn file and does not proceed towards the server? So the error
>> is not from the server?
>>
>> What would be the proper way to deal with this, in the end I figured there could
>> be two connection points served by the two RPi devices and using the same ovpn
>> files except for the connection port.
>>
>> It was such a long time since I started from scratch now, I even created a
>> script back then to help in creating new client files but that does only work on
>> the old kind of files.
>
> I decided to build a new server from scratch using easyrsa 3.2.2.
> And I can't get it using apt because the most recent version there is 3.1.0-1,
> which is way too old...
>
> So I downloaded easyrsa 3.2.2 from github to my $HOME/openvpn dir, but I got
> stuck following these actions:
>
> - Copy the vars.example file to vars
>
> - Edit the vars file to extend the life of the certs:
> set_var EASYRSA_CA_EXPIRE 5475 #15 years
> set_var EASYRSA_CERT_EXPIRE 5110 #14 years
>
> - Then started the process:
> - $ ./easyrsa init-pki
> - $ ./easyrsa --nopass build-ca (is this correct? no password?)
> - $ ./easyrsa gen-tls-crypt-key
> - next step is what?
>
> From now on I am getting confused as to the password usage, I want to in the end
> generate user logins in an ovpn file where the user needs to enter a password on
> connect. This password can be cached by the openvpn client used as is the case
> on a Windows or Linux PC, but it needs to be there to safeguard against use by
> an unknown person.
> It seems like there is a --nopass argument to *all* the commands and I don't
> know when it is appropriate to use that.
>
> Is there a webpage anywhere "easyrsa 3.2.2 for dummies" where one can get a
> complete sequence of commands to wind up with a usable OpenVPN server and user
> ovpn files with password protection (for the ovpn files)?
>
> I have looked around but what I found seems to be for older easy-rsa versions...
>
>
> I have read the "official" page:
> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
>
> But it uses terminology that I don't understand about "systems", I just want to
> create an OpenVPN server that allows 1-2 users to connect from outside to the
> home server and from there access the local LAN as well as the Internet but as
> if actually being at home. I.e. in this case to be able to use the Internet as
> if located in Vienna.
>
> There is no "organization" or such involved here...
> And what is meant by "system" in the descriptions? Sounds like they use several
> computers...
>
>

Hi Bo.
I would like to recommend another setup for your installation, without
all the implications coming with an own pki...
This is safe and can be handled very simply:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst

Maybe you give it a try.
From: Bo B. <bo....@gm...> - 2025-03-29 09:42:00
I am trying to understand how to use easyrsa 3.2.2 downloaded from github on a
freshly built RPi4B running PiOS Lite in order to create an OpenVPN server for
private use as described in a parallel thread.

Now I have read the description document here:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

and tried to use it to set up a very simple system with two clients (myself and
my brother in law).
But I am struggling to understand the concepts still.

I tried the section I feel is most similar to my use:

PKI procedure: Producing your complete PKI on the CA machine

Now I have done this after creating the vars file from the example with extended
lifetimes set:

1) ./easyrsa init-pki (This creates and populates the pki dir)
2) ./easyrsa --nopass build-ca
3) ./easyrsa gen-tls-crypt-key
4) ./easyrsa --nopass build-server-full HakanNew
5) ./easyrsa build-client-full BosseWien (client for myself)
6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)

Now what?
In the old times I had to copy some crypto files to the /etc/openvpn/keys dir to
be used by the server (files listed in the server.conf file).

The build-client-full command seems to generate an inline file for each client
as well as for the server itself.
What do I do with these?

Do I put the server's inline file *content* into the server.conf file itself and
skip listing the file locations?
I.e. no longer a "keys" dir inside /etc/openvpn?

I.e. is the idea here that the server.conf file shall be self-contained, not
needing any cert/key files found by a file path?

And the same for the OVPN client connection files?

Do I for instance add my client config items to the top of the inline file and
rename it as an ovpn file?

Or what is the next step for me to get a server running properly and something
to put into the ovpn files?

ALSO:
-----
A bit down in the document above I found a link to another github script
Easy-TLS, which seems to be needed to do something TLS related ("add the
finishing touches to your PKI").

But here I am lost, what is it needed for and how do I use it in my simple case?
The inline files created above do contain a <tls-crypt> section already....

Grateful for a bit of clarification.

--
Bo Berglund
Developer in Sweden
From: Bo B. <bo....@gm...> - 2025-03-29 07:08:17
On Sat, 29 Mar 2025 00:30:13 +0100, Bo Berglund <bo....@gm...> wrote:

>On Fri, 28 Mar 2025 18:09:16 -0400, "Dan Langille" <da...@la...> wrote:
>
>> On my phone: I suspect you're using a newer openvpn version.
>> It is complaining about your CA. I think it wants a CA created with a newer algorithm.
>> Wait for confirmation by others.
>
>Is this because openvpn itself is newer than the one on RPi2?
>rpi4 version: OpenVPN 2.6.3
>rpi2 version: OpenVPN 2.4.7
>
>I tried to use the old cert/key etc files on the new server...
>(To make it accept connections using the old ovpn files.)
>
>If I create a new CA then will not the complete infrastructure need to be
>rebuilt including the ovpn connection files?
>
>I was hoping that the same files could be used for either server just by
>changing the connection port on the server.
>
>But in this case it seems like the server does not even start properly so the
>connection too does not proceed. And maybe it is the phone that barfs at the
>cert in the openvpn file and does not proceed towards the server? So the error
>is not from the server?
>
>What would be the proper way to deal with this, in the end I figured there could
>be two connection points served by the two RPi devices and using the same ovpn
>files except for the connection port.
>
>It was such a long time since I started from scratch now, I even created a
>script back then to help in creating new client files but that does only work on
>the old kind of files.

I decided to build a new server from scratch using easyrsa 3.2.2.
And I can't get it using apt because the most recent version there is 3.1.0-1,
which is way too old...

So I downloaded easyrsa 3.2.2 from github to my $HOME/openvpn dir, but I got
stuck following these actions:

- Copy the vars.example file to vars

- Edit the vars file to extend the life of the certs:
set_var EASYRSA_CA_EXPIRE 5475 #15 years
set_var EASYRSA_CERT_EXPIRE 5110 #14 years

- Then started the process:
- $ ./easyrsa init-pki
- $ ./easyrsa --nopass build-ca (is this correct? no password?)
- $ ./easyrsa gen-tls-crypt-key
- next step is what?

From now on I am getting confused as to the password usage, I want to in the end
generate user logins in an ovpn file where the user needs to enter a password on
connect. This password can be cached by the openvpn client used as is the case
on a Windows or Linux PC, but it needs to be there to safeguard against use by
an unknown person.
It seems like there is a --nopass argument to *all* the commands and I don't
know when it is appropriate to use that.

Is there a webpage anywhere "easyrsa 3.2.2 for dummies" where one can get a
complete sequence of commands to wind up with a usable OpenVPN server and user
ovpn files with password protection (for the ovpn files)?

I have looked around but what I found seems to be for older easy-rsa versions...


I have read the "official" page:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

But it uses terminology that I don't understand about "systems", I just want to
create an OpenVPN server that allows 1-2 users to connect from outside to the
home server and from there access the local LAN as well as the Internet but as
if actually being at home. I.e. in this case to be able to use the Internet as
if located in Vienna.

There is no "organization" or such involved here...
And what is meant by "system" in the descriptions? Sounds like they use several
computers...

--
Bo Berglund
Developer in Sweden
From: Bo B. <bo....@gm...> - 2025-03-28 23:30:25
On Fri, 28 Mar 2025 18:09:16 -0400, "Dan Langille" <da...@la...> wrote:

> On my phone: I suspect you're using a newer openvpn version.
> It is complaining about your CA. I think it wants a CA created with a newer algorithm.
> Wait for confirmation by others.

Is this because openvpn itself is newer than the one on RPi2?
rpi4 version: OpenVPN 2.6.3
rpi2 version: OpenVPN 2.4.7

I tried to use the old cert/key etc files on the new server...
(To make it accept connections using the old ovpn files.)

If I create a new CA then will not the complete infrastructure need to be
rebuilt including the ovpn connection files?

I was hoping that the same files could be used for either server just by
changing the connection port on the server.

But in this case it seems like the server does not even start properly so the
connection too does not proceed. And maybe it is the phone that barfs at the
cert in the openvpn file and does not proceed towards the server? So the error
is not from the server?

What would be the proper way to deal with this, in the end I figured there could
be two connection points served by the two RPi devices and using the same ovpn
files except for the connection port.

It was such a long time since I started from scratch now, I even created a
script back then to help in creating new client files but that does only work on
the old kind of files.

--
Bo Berglund
Developer in Sweden
From: Dan L. <da...@la...> - 2025-03-28 22:09:57
On my phone: I suspect you’re using a newer openvpn version.
It is complaining about your CA. I think it wants a CA created with a newer algorithm.
Wait for confirmation by others.

On Fri, Mar 28, 2025, at 5:50 PM, Bo Berglund wrote:
> Hi,
> I have a problem on a new server trying to use an old server's config...
>
> Back in 2019 I created an RPi2 based OVPN server for use by my brother-in-law to
> connect back to his home in Vienna while traveling abroad.
> It has worked fine for a long time but recently the RPi2 has acted up and the
> service stopped occasionally until someone (his son) could go over and restart
> the RPi2 device. This happened repeatedly.
>
> So to improve this I have started up a new RPi4B with the most recent PiOS Lite
> (server style - no gui components).
> On this I have installed openvpn via apt and I have copied over the "crypto"
> files to directory /etc/openvpn/server/serverkeys.
> I did so by (as sudo) creating a tar.gz file containing /etc/openvpn on the old
> RPi2.
>
> Then I have configured a server.conf file based on the old file on the RPi2 but
> with some enhancements from recent times by looking at a conf file on my new
> OVPN server here at home, which works just fine.
>
> For a test I have started the service with the RPi4 on my home LAN so I have
> edited the conf file to reflect my own LAN configuration network wise.
>
> Then I have copied my ovpn file for the old server in Vienna and edited it so it
> points to my own server and uses the correct port etc to be used for testing
> here.
>
> Now when I try to connect from my phone using this ovpn file modified to point
> to my own url it stops with an error message:
>
> ---------------------------------------------------------------
> There was an error attempting to connect to
> the selected server.
>
> Error message:
> "You are using an insecure hash algorithm for the CA signature.
> Regenerate the CA certificate with a secure hash algorithm."
> ----------------------------------------------------------------
>
> I do not know *where* the problem is located in this case.
> Nor what exactly I have to do.
> Which signature is a problem? Something on the server or inside the
> ovpn file I use to connect?
>
> I used a copy of the ovpn file working towards the RPi2 device (which fully
> works right now), where I just changed the port number to match what I have
> forwarded on my router and switched the connection URL to my home system.
>
>
>
> Here is my server.conf file:
> ---------------------------
> port 1193
> proto udp
> dev tun
> topology subnet
>
> #Keys, Certificates, directories etc
> ca /etc/openvpn/server/serverkeys/ca.crt
> cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
> key /etc/openvpn/server/serverkeys/HAKANVPN.key
> dh /etc/openvpn/server/serverkeys/dh2048.pem
> tls-auth /etc/openvpn/server/serverkeys/ta.key 0
> cipher AES-256-CBC
> #Other files/dirs:
> client-config-dir /etc/openvpn/ccd
> status /etc/openvpn/log/server-status.log 20
> log /etc/openvpn/log/server.log
> verb 3 #Verbosity of log content
> max-clients 20
> key-direction 0
> persist-key
> persist-tun
>
> #Server's internal network:
> server 10.8.113.0 255.255.255.0 'nopool'
> ifconfig-pool 10.8.113.10 10.8.113.127 255.255.255.0
> ifconfig-pool-persist /etc/openvpn/server/ipp.txt
> push "route 10.8.113.0 255.255.255.0"
> push "route 10.8.113.1 255.255.255.255"
> push "route 192.168.119.0 255.255.255.0"
> push "dhcp-option DNS 192.168.119.1" # When testing at home
> push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 208.67.222.222"
> push "dhcp-option DNS 208.67.220.220"
> comp-lzo no
> push "comp-lzo no"
> duplicate-cn
> keepalive 10 120
> ---------------------------------------------------------------
>
> Here is the content of the ovpn file used on the phone:
> ---------------------------------------------------------------
> client
> dev tun
> proto udp
> myhomedomain 1093
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> mute-replay-warnings
> auth-nocache
> remote-cert-tls server
> key-direction 1
> cipher AES-256-CBC
> verb 2
> mute 20
> explicit-exit-notify 1
>
> <ca>
> -----BEGIN CERTIFICATE-----
> MIIG4DCCBMigAwIBAgIUbFjR74pEthxrXy5wTGb2jx92Ty0wDQYJKoZIhvcNAQEL
> ....
> wcq/MyVJlLSaD/8QlhwIy38repxvLEZEEodBJO4laZrdmeb9
> -----END CERTIFICATE-----
> </ca>
> <cert>
> -----BEGIN CERTIFICATE-----
> MIIHEzCCBPugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCQVQx
> ....
> Cmed45LdJCnOG/vunkpXLM1EvtK/WSo4Hynwoi7axIVlC/6fVA72
> -----END CERTIFICATE-----
> </cert>
> <key>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,E1369C0CE0B22D49
> ....
> XaE3Qw06HkP6bzXhxZWwQT9Tf1QiS1XSmhHCp76I8BPkSEr1hl6Z6C6RqLZKi6wO
> -----END RSA PRIVATE KEY-----
> </key>
> <tls-auth>
> #
> # 2048 bit OpenVPN static key
> #
> -----BEGIN OpenVPN Static key V1-----
> 366cadc0ebfed57a493fdb05cedd25d9
> ....
> 9ea060f01c0fcaba71f39b7d6ac92f98
> -----END OpenVPN Static key V1-----
> </tls-auth>
>
> ---------------------------------------------------------------
>
> This is what is in the log file
> (there are no timestamps so I don't know *when* it was logged):
> -------------------------------------------------------------------------------
> DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers
> (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher
> negotiations.
> Note: '--allow-compression' is not set to 'no', disabling data channel offload.
> Consider using the '--compress migrate' option.
> OpenVPN 2.6.3 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
> [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
> library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
> DCO version: N/A
> WARNING: using --duplicate-cn and --client-config-dir together is probably not
> what you want
> WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
> net_route_v4_best_gw query: dst 0.0.0.0
> net_route_v4_best_gw result: via 192.168.119.1 dev eth0
> Diffie-Hellman initialized with 2048 bit key
> OpenSSL: error:0A00018E:SSL routines::ca md too weak
> Cannot load certificate file /etc/openvpn/server/serverkeys/HAKANVPN.crt
> Exiting due to fatal error
> -------------------------------------------------------------------------------
> And finally this is what I get with
>
> sudo systemctl status ope...@se...rvice
> -------------------------------------------------------------------------------
> ope...@se...rvice - OpenVPN service for server
> Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled;
> preset: enabled)
> Active: activating (auto-restart) (Result: exit-code) since Fri 2025-03-28
> 22:41:14 CET; 2s ago
> Docs: man:openvpn(8)
> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
> https://community.openvpn.net/openvpn/wiki/HOWTO
> Process: 20876 ExecStart=/usr/sbin/openvpn --status
> /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps
> --config server.conf (code=exited, status=1/FAILURE)
> Main PID: 20876 (code=exited, status=1/FAILURE)
> Status: "Pre-connection initialization successful"
> CPU: 90ms
> --------------------------------------------------------------------------------
>
> Where should I look for the problem?
> And a solution.....
>
> TIA
>
>
> --
> Bo Berglund
> Developer in Sweden
>
>
>
> _______________________________________________
> Openvpn-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

--
Dan Langille
da...@la...
From: Bo B. <bo....@gm...> - 2025-03-28 21:50:53
Hi, I have a problem on a new server trying to use an old server's config...

Back in 2019 I created an RPi2 based OVPN server for use by my brother-in-law to connect back to his home in Vienna while traveling abroad. It has worked fine for a long time but recently the RPi2 has acted up and the service stopped occasionally until someone (his son) could go over and restart the RPi2 device. This happened repeatedly.

So to improve this I have started up a new RPi4B with the most recent PiOS Lite (server style - no gui components). On this I have installed openvpn via apt and I have copied over the "crypto" files to directory /etc/openvpn/server/serverkeys. I did so by (as sudo) creating a tar.gz file containing /etc/openvpn on the old RPi2.

Then I have configured a server.conf file based on the old file on the RPi2 but with some enhancements from recent times by looking at a conf file on my new OVPN server here at home, which works just fine.

For a test I have started the service with the RPi4 on my home LAN so I have edited the conf file to reflect my own LAN configuration network wise. Then I have copied my ovpn file for the old server in Vienna and edited it so it points to my own server and uses the correct port etc to be used for testing here.

Now when I try to connect from my phone using this ovpn file modified to point to my own url it stops with an error message:
---------------------------------------------------------------
There was an error attempting to connect to the selected server.
Error message:
"You are using an insecure hash algorithm for the CA signature. Regenerate the CA certificate with a secure hash algorithm."
----------------------------------------------------------------

I do not know *where* the problem is located in this case. Nor what exactly I have to do.
Which signature is a problem? Something on the server or inside the ovpn file I use to connect?

I used a copy of the ovpn file working towards the RPi2 device (which fully works right now), where I just changed the port number to match what I have forwarded on my router and switched the connection URL to my home system.

Here is my server.conf file:
---------------------------
port 1193
proto udp
dev tun
topology subnet

#Keys, Certificates, directories etc
ca /etc/openvpn/server/serverkeys/ca.crt
cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
key /etc/openvpn/server/serverkeys/HAKANVPN.key
dh /etc/openvpn/server/serverkeys/dh2048.pem
tls-auth /etc/openvpn/server/serverkeys/ta.key 0
cipher AES-256-CBC
#Other files/dirs:
client-config-dir /etc/openvpn/ccd
status /etc/openvpn/log/server-status.log 20
log /etc/openvpn/log/server.log
verb 3 #Verbosity of log content
max-clients 20
key-direction 0
persist-key
persist-tun

#Server's internal network:
server 10.8.113.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.113.10 10.8.113.127 255.255.255.0
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
push "route 10.8.113.0 255.255.255.0"
push "route 10.8.113.1 255.255.255.255"
push "route 192.168.119.0 255.255.255.0"
push "dhcp-option DNS 192.168.119.1" # When testing at home
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
comp-lzo no
push "comp-lzo no"
duplicate-cn
keepalive 10 120
---------------------------------------------------------------

Here is the content of the ovpn file used on the phone:
---------------------------------------------------------------
client
dev tun
proto udp
myhomedomain 1093
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
auth-nocache
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
verb 2
mute 20
explicit-exit-notify 1

<ca>
-----BEGIN CERTIFICATE-----
MIIG4DCCBMigAwIBAgIUbFjR74pEthxrXy5wTGb2jx92Ty0wDQYJKoZIhvcNAQEL
....
wcq/MyVJlLSaD/8QlhwIy38repxvLEZEEodBJO4laZrdmeb9
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIHEzCCBPugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCQVQx
....
Cmed45LdJCnOG/vunkpXLM1EvtK/WSo4Hynwoi7axIVlC/6fVA72
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E1369C0CE0B22D49
....
XaE3Qw06HkP6bzXhxZWwQT9Tf1QiS1XSmhHCp76I8BPkSEr1hl6Z6C6RqLZKi6wO
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
366cadc0ebfed57a493fdb05cedd25d9
....
9ea060f01c0fcaba71f39b7d6ac92f98
-----END OpenVPN Static key V1-----
</tls-auth>

---------------------------------------------------------------

This is what is in the log file (there are no timestamps so I don't know *when* it was logged):
-------------------------------------------------------------------------------
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Note: '--allow-compression' is not set to 'no', disabling data channel offload. Consider using the '--compress migrate' option.
OpenVPN 2.6.3 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
DCO version: N/A
WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 192.168.119.1 dev eth0
Diffie-Hellman initialized with 2048 bit key
OpenSSL: error:0A00018E:SSL routines::ca md too weak
Cannot load certificate file /etc/openvpn/server/serverkeys/HAKANVPN.crt
Exiting due to fatal error
-------------------------------------------------------------------------------

And finally this is what I get with

sudo systemctl status ope...@se...rvice
-------------------------------------------------------------------------------
ope...@se...rvice - OpenVPN service for server
     Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Fri 2025-03-28 22:41:14 CET; 2s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
    Process: 20876 ExecStart=/usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf (code=exited, status=1/FAILURE)
   Main PID: 20876 (code=exited, status=1/FAILURE)
     Status: "Pre-connection initialization successful"
        CPU: 90ms
--------------------------------------------------------------------------------

Where should I look for the problem?
And a solution.....

TIA

--
Bo Berglund
Developer in Sweden
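Editor's note, added to this archive page (not part of Bo's post and not OpenVPN project code): the OpenSSL error `ca md too weak` is about the digest used in the signature that the CA put on a certificate, and OpenSSL 3.0 treats SHA-1 and MD5 signatures as below the strength its default security level 1 demands, so the question the post asks ("which signature?") comes down to checking which file carries such a signature. The DER layout of a certificate puts the signature AlgorithmIdentifier right after the version and serial number, so the first base64 line of a PEM block is already enough to read it; the two prefixes used below are the ones quoted in the post, and the server path is the one from the posted server.conf. Everything else in the script (function names, the temporary self-signed certificate the usage note mentions) is the editor's own.

```shell
#!/bin/sh
# Added example; not code from the thread or from the OpenVPN project.
# Report the signature algorithm of X.509 certificates, to find the one that
# OpenSSL 3 rejects with "ca md too weak" (a SHA-1 or MD5 signature made by
# the CA; the message names the digest, not the CA certificate itself).
set -eu

# Full check on a certificate file, via openssl(1). On the server from the
# thread this would be run as, for example:
#   sig_alg_of_file /etc/openvpn/server/serverkeys/HAKANVPN.crt
sig_alg_of_file() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Check on the leading base64 of a PEM body. The DER layout is
#   Certificate SEQUENCE { tbsCertificate SEQUENCE { [0] version,
#   serialNumber, signature AlgorithmIdentifier, ... }, ... }
# so the signature OID sits within the first few dozen bytes and the first
# 64-character line is enough. Only the DER-encoded OIDs listed here are
# recognised; anything else reports "unknown". The input must be a whole
# number of base64 quads, i.e. one or more complete PEM lines.
sig_alg_of_prefix() {
    hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        *06092a864886f70d010104*) echo md5WithRSAEncryption ;;
        *06092a864886f70d010105*) echo sha1WithRSAEncryption ;;
        *06092a864886f70d01010b*) echo sha256WithRSAEncryption ;;
        *06092a864886f70d01010c*) echo sha384WithRSAEncryption ;;
        *06092a864886f70d01010d*) echo sha512WithRSAEncryption ;;
        *06072a8648ce3d0401*)     echo ecdsa-with-SHA1 ;;
        *06082a8648ce3d040302*)   echo ecdsa-with-SHA256 ;;
        *06082a8648ce3d040303*)   echo ecdsa-with-SHA384 ;;
        *06032b6570*)             echo ED25519 ;;
        *)                        echo unknown ;;
    esac
}

# True for the digests OpenSSL 3 refuses at its default security level (1).
is_weak_sig() {
    case "$1" in
        md5*|sha1*|*SHA1) return 0 ;;
        *) return 1 ;;
    esac
}

report() { # $1 = label, $2 = algorithm name
    if is_weak_sig "$2"; then
        echo "$1: $2   <-- this is what 'ca md too weak' refers to"
    else
        echo "$1: $2"
    fi
}

# First base64 line of each certificate block, copied from the post above.
CA_PREFIX='MIIG4DCCBMigAwIBAgIUbFjR74pEthxrXy5wTGb2jx92Ty0wDQYJKoZIhvcNAQEL'
CERT_PREFIX='MIIHEzCCBPugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCQVQx'

report '<ca>   block' "$(sig_alg_of_prefix "$CA_PREFIX")"
report '<cert> block' "$(sig_alg_of_prefix "$CERT_PREFIX")"
# Any certificate file on disk is checked the same way, e.g. on the server:
#   report HAKANVPN.crt "$(sig_alg_of_file /etc/openvpn/server/serverkeys/HAKANVPN.crt)"
```

On the two prefixes quoted in the post this prints sha256WithRSAEncryption for the `<ca>` block and sha1WithRSAEncryption for the `<cert>` block, which matches the server log: the CA certificate itself is fine, the end-entity certificates it signed in 2019 are SHA-1 signed, and HAKANVPN.crt is the one OpenVPN 2.6.3 on OpenSSL 3.0.15 refuses to load. The lasting fix is to re-sign the server and client certificates from the same CA with SHA-256 (every current easy-rsa default does this) and ship the new `<cert>`/`<key>` to the phone; the CA block can stay. OpenVPN 2.6 also has `--tls-cert-profile insecure`, which on OpenSSL builds drops the library security level to 0 so that SHA-1 signed certificates load again; treat that as a few days' bridge while reissuing, not as a fix, and note that the phone's own message is a separate check on the same kind of signature.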
From: David S. <daz...@eu...> - 2025-03-19 22:21:57
On 19/03/2025 23:02, David Sommerseth wrote:
> On 19/03/2025 15:23, Bo Berglund wrote:
> [...]
>>
>> On 3rd thought I realized that I have almost 3 years remaining on the life of my
>> certs (expire jan 2028) and I will save time now by just transplanting the OVPN
>> infrastructure over to the new server and changing the port-forward on the
>> router to the new IP address.
>
> This is more advice for when you're doing a new VPN setup ...
>
> Ask yourself if you really need the CA layer at all - if you would skip
> it if you could. If the answer is "Yes, please!", then you should look
> into the feature which I believe arrived in OpenVPN 2.6
>
> --peer-fingerprint
>
> That just requires clients to have the server-side certificate
> fingerprint listed and the server the fingerprints of all the clients it
> accepts. And that's it. Both clients and servers will need the
> key/cert files, but the certs can now be self-signed.
>
> There will be a lifetime on the client/server certs themselves - so you need
> to consider carefully how long you want your client and server
> certificates to be valid.

I forgot to add a link with more details:
<https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst>

--
kind regards,

David Sommerseth
OpenVPN Inc
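Editor's note, added to this archive page: a worked version of the CA-less mode David describes. It is not code from the thread or from the OpenVPN project (the project's own walkthrough is at the link above); it generates a self-signed certificate per peer and writes the server and client stanzas that pin each other's SHA-256 fingerprint. The peer names `server` and `phone1`, the host `vpn.example.org`, port 1194, the output directory and the reuse of the 10.8.113.0/24 network from Bo's post are all assumptions for the demo.

```shell
#!/bin/sh
# Added example; not code from the thread or from the OpenVPN project.
# CA-less OpenVPN (2.6+) with --peer-fingerprint: every peer gets a
# self-signed certificate and each side pins the other's SHA-256 fingerprint.
set -eu
OUT=${OUT:-$(mktemp -d)}      # assumed output directory for the demo

# Self-signed P-256 certificate with a SHA-256 signature, valid 10 years.
# There is no CA, so each peer's own expiry date is the only clock to watch.
make_peer_cert() { # $1 = peer name (becomes the CN)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -days 3650 -subj "/CN=$1" \
        -keyout "$OUT/$1.key" -out "$OUT/$1.crt" 2>/dev/null
}

# SHA-256 fingerprint of the DER certificate, colon-separated as OpenVPN
# expects it after --peer-fingerprint.
fingerprint() { # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Server stanza: <peer-fingerprint> lists every client allowed in. No --ca,
# no DH parameter file ("dh none" uses ECDH), and no CRL to maintain:
# revoking a client means deleting its line and restarting.
server_conf() { # $@ = client names
    cat <<EOF
port 1194
proto udp
dev tun
topology subnet
server 10.8.113.0 255.255.255.0
dh none
<cert>
$(cat "$OUT/server.crt")
</cert>
<key>
$(cat "$OUT/server.key")
</key>
<peer-fingerprint>
EOF
    for c in "$@"; do fingerprint "$OUT/$c.crt"; done
    echo '</peer-fingerprint>'
}

# Client profile: one peer-fingerprint line pins the server. There is
# deliberately no "remote-cert-tls server" here: that option checks the
# server certificate's extended key usage, and a plain "openssl req -x509"
# certificate carries none, so the check would reject it.
client_ovpn() { # $1 = client name, $2 = server host
    cat <<EOF
client
dev tun
proto udp
remote $2 1194
nobind
peer-fingerprint $(fingerprint "$OUT/server.crt")
<cert>
$(cat "$OUT/$1.crt")
</cert>
<key>
$(cat "$OUT/$1.key")
</key>
EOF
}

make_peer_cert server
make_peer_cert phone1
server_conf phone1 > "$OUT/server.conf"
client_ovpn phone1 vpn.example.org > "$OUT/phone1.ovpn"
echo "server.conf and phone1.ovpn written to $OUT"
```

Adding a second phone means one more `make_peer_cert` call and its name in the `server_conf` argument list; the server never needs to see the client's private key, only its certificate, so the fingerprint can equally be computed on the phone side and sent over. Because the trust is in the pinned hashes rather than in a CA, a leaked client key is handled by removing that one line rather than by publishing a CRL, and the `tls-auth` key from the original setup can still be added on top for the usual pre-TLS packet filtering.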