From: Gatsi J. <gat...@gm...> - 2025-04-06 11:11:06
I will make the clarification

On Sat, Apr 5, 2025, 10:24 AM Bo Berglund <bo....@gm...> wrote:

> On Tue, 1 Apr 2025 15:21:26 +0200, David Sommerseth via Openvpn-users
> <ope...@li...> wrote:
>
> > By default on most distributions today, you need to manually create the
> > /var/log/journal directory to enable persistent logging - or set
> > Storage=persistent in /etc/systemd/journald.conf. Without this, the
> > logging happens only in memory and is wiped across boots.
> >
> > So I strongly recommend you to use the systemd-journal. It will give
> > you access to all the log entries you're looking for incredibly quickly.
> > And it's a tool you have available out-of-the-box.
>
> Thanks for your description! It seems like I should perhaps stop using local
> logging...
>
> Follow-up questions:
>
> 1) If I do create the /var/log/journal dir on the server do I also remove the
> log directive in the server.conf file altogether and restart the service?
> And now the log will be handled exclusively by journalctl?
>
> 2) Do no other services use journalctl and thus create the /var/log/journal
> dir? If they do then (since they should have created the dir already) is the
> single action needed to just remove the log directive from server.conf?
> (and restart the openvpn service)?
>
> 3) On my openvpn server at home I have the same openvpn setup for the logging as
> on the smaller remote servers and here I have just checked that there is a
> /var/log/journal dir and it contains a single subdir named
> 60ef45f7ddcb44b69eb486e25a9b4894
> So I have this and I don't know if that is a general logging dir or the one
> openvpn server has created for journalctl...
> What is it, how to find out?
>
> 4) On my main home server I have written a utility that lets me check which
> clients are currently connected and this utility looks like this:
>
> #!/bin/bash
> #List active OpenVPN clients
>
> CMDW="sudo cat /etc/openvpn/log/openvpn-status.log | grep CLIENT_LIST | sed -n '1!p'"
> CMDL="sudo cat /etc/openvpn/log/ovpn-status_local.log | grep CLIENT_LIST | sed -n '1!p'"
>
> echo -e "------------------------\nWeb access clients:"
> eval "$CMDW"
> echo -e "\nLocal access clients:"
> eval "$CMDL"
> echo "------------------------"
>
> What it does is to list the currently connected clients such that I can choose a
> service restart time when there are no active clients for instance.
>
> But it uses the two status log files specified in the two server instances'
> conf files (I have one instance for using the VPN as a gateway into the Swedish
> Internet and another to use only for local access to my home LAN).
> Will this be affected if I remove the log directive?
>
> TIA
>
> --
> Bo Berglund
> Developer in Sweden
From: Rui S. <rs...@ru...> - 2025-04-05 14:59:51
Hi Bo,

You sure can! You appear to have a road warrior configuration on your home
device, where all other remote devices connect to.

However, IMHO, the best way would probably be for you to set up what's called
Site-to-Site connections, one such connection between your home device and each
of the remote PI devices.

You'll need to have different LAN addressing space among all networks. This is
important; for example, set up a different /24 on each of those LANs.

After this is done, you'll need to set up IP forwarding on all devices acting as
clients too.

After this, set up all remote DHCP servers to instruct the LAN devices to use
each of its OpenVPN clients to act as a gateway for the LANs involved in all
these connections. If any of these clients is already the default gateway on its
LAN, then this is not needed.

Then just set up firewalling on your home device and remote PI clients.

There are other options to accomplish this, but this would be the most standard
and clean way to accomplish all your needs.

If this is done you'll end up with what's called a Hub-and-Spoke. You'll actually
be able to reach all devices on all networks, from within any device on any
network. You'll just limit all communications on the firewalls.

It's a nice project. Have fun!

Rui Santos
Veni, Vidi, Linux

On Sat, 5 Apr 2025, 09:43 Bo Berglund, <bo....@gm...> wrote:

> This is kind of a super-strange usage question for OpenVPN but I would like to
> know if it is possible and if so how do I configure it:
> -------------------------------------------------------
>
> I have a couple of devices (mostly Raspberry Pi units) deployed on a few
> locations outside my home LAN and these connect back home using OpenVPN clients
> on them.
>
> While they are connected I can SSH into their command line interface for
> maintenance and checking using their tunnel IP addresses. That is very
> convenient.
>
> But...
> Now I wonder if these clients can be set up such that when they are connected to
> my main network through their OpenVPN clients they also act as a gateway back
> into the LAN they are sitting on?
>
> That would open up a simpler way to manage the *other* devices on the same
> remote LAN than configuring each of them to connect back home using an
> individual OpenVPN connection that is already connected.
>
> They really do not need to connect back home for the functionality they are
> handling but only if I would like to reach them for config changes etc.
>
> As I *can* connect by SSH through the tunnel back to the device that is
> connected to my home LAN then I could also reach the remote LAN via that device.
>
> So for command line access to the other items that would be fine.
> However, some of them do not have a command line entry point (no SSH) but only a
> GUI http config interface and that cannot be used via SSH to the vpn client.
>
> So can it instead be configured such that I can use my config GUI app at home
> channelled via the client VPN connection back onto the remote LAN to reach these
> GUI style devices?
>
> If so how?
>
> --
> Bo Berglund
> Developer in Sweden
From: Bo B. <bo....@gm...> - 2025-04-05 08:43:06
This is kind of a super-strange usage question for OpenVPN but I would like to
know if it is possible and if so how do I configure it:
-------------------------------------------------------

I have a couple of devices (mostly Raspberry Pi units) deployed on a few
locations outside my home LAN and these connect back home using OpenVPN clients
on them.

While they are connected I can SSH into their command line interface for
maintenance and checking using their tunnel IP addresses. That is very
convenient.

But...
Now I wonder if these clients can be set up such that when they are connected to
my main network through their OpenVPN clients they also act as a gateway back
into the LAN they are sitting on?

That would open up a simpler way to manage the *other* devices on the same
remote LAN than configuring each of them to connect back home using an
individual OpenVPN connection that is already connected.

They really do not need to connect back home for the functionality they are
handling but only if I would like to reach them for config changes etc.

As I *can* connect by SSH through the tunnel back to the device that is
connected to my home LAN then I could also reach the remote LAN via that device.

So for command line access to the other items that would be fine.
However, some of them do not have a command line entry point (no SSH) but only a
GUI http config interface and that cannot be used via SSH to the vpn client.

So can it instead be configured such that I can use my config GUI app at home
channelled via the client VPN connection back onto the remote LAN to reach these
GUI style devices?

If so how?

--
Bo Berglund
Developer in Sweden
From: Bo B. <bo....@gm...> - 2025-04-05 08:22:32
On Tue, 1 Apr 2025 15:21:26 +0200, David Sommerseth via Openvpn-users
<ope...@li...> wrote:

> By default on most distributions today, you need to manually create the
> /var/log/journal directory to enable persistent logging - or set
> Storage=persistent in /etc/systemd/journald.conf. Without this, the
> logging happens only in memory and is wiped across boots.
>
> So I strongly recommend you to use the systemd-journal. It will give
> you access to all the log entries you're looking for incredibly quickly.
> And it's a tool you have available out-of-the-box.

Thanks for your description! It seems like I should perhaps stop using local
logging...

Follow-up questions:

1) If I do create the /var/log/journal dir on the server do I also remove the
log directive in the server.conf file altogether and restart the service?
And now the log will be handled exclusively by journalctl?

2) Do no other services use journalctl and thus create the /var/log/journal
dir? If they do then (since they should have created the dir already) is the
single action needed to just remove the log directive from server.conf?
(and restart the openvpn service)?

3) On my openvpn server at home I have the same openvpn setup for the logging as
on the smaller remote servers and here I have just checked that there is a
/var/log/journal dir and it contains a single subdir named
60ef45f7ddcb44b69eb486e25a9b4894
So I have this and I don't know if that is a general logging dir or the one
openvpn server has created for journalctl...
What is it, how to find out?

4) On my main home server I have written a utility that lets me check which
clients are currently connected and this utility looks like this:

#!/bin/bash
# List active OpenVPN clients
# With --status-version 2 the "HEADER,CLIENT_LIST,..." column line also
# matches grep CLIENT_LIST, so sed -n '1!p' drops that first match.

CMDW="sudo cat /etc/openvpn/log/openvpn-status.log | grep CLIENT_LIST | sed -n '1!p'"
CMDL="sudo cat /etc/openvpn/log/ovpn-status_local.log | grep CLIENT_LIST | sed -n '1!p'"

echo -e "------------------------\nWeb access clients:"
eval "$CMDW"
echo -e "\nLocal access clients:"
eval "$CMDL"
echo "------------------------"

What it does is to list the currently connected clients such that I can choose a
service restart time when there are no active clients for instance.

But it uses the two status log files specified in the two server instances'
conf files (I have one instance for using the VPN as a gateway into the Swedish
Internet and another to use only for local access to my home LAN).
Will this be affected if I remove the log directive?

TIA

--
Bo Berglund
Developer in Sweden
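As an added example (not Bo's script and not OpenVPN project code), here is the same "who is connected" check written against the --status-version 2 format that the openvpn-server@.service unit in this thread selects: it names columns from the HEADER record instead of dropping it by position, and it checks the TIME record so a stale status file is not read as "nobody connected". The status text and the client names in it are constructed sample input.

```python
"""List connected OpenVPN clients from a --status-version 2 status file."""
import csv
import io

# Constructed sample of a status-version 2 file: comma separated records,
# each record type preceded by a HEADER line naming its columns.
SAMPLE_STATUS = """\
TITLE,OpenVPN 2.6.14 aarch64-unknown-linux-gnu (constructed sample)
TIME,2025-04-05 10:20:00,1743848400
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,BosseWien,203.0.113.10:51234,10.8.0.6,,18345,91230,2025-04-05 09:58:12,1743847092,UNDEF,0,0,AES-256-GCM
CLIENT_LIST,HakanWien,198.51.100.7:1194,10.8.0.10,,512,2048,2025-04-05 10:15:40,1743848140,UNDEF,1,1,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,BosseWien,203.0.113.10:51234,2025-04-05 10:19:55,1743848395
ROUTING_TABLE,10.8.0.10,HakanWien,198.51.100.7:1194,2025-04-05 10:19:58,1743848398
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

# Same format with nobody connected (constructed): HEADER lines, no rows.
EMPTY_STATUS = """\
TITLE,OpenVPN 2.6.14 aarch64-unknown-linux-gnu (constructed sample)
TIME,2025-04-05 10:20:00,1743848400
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""


def parse_status_v2(text):
    """Return (clients, written_at) for a status-version 2 file.

    clients: list of dicts keyed by the CLIENT_LIST HEADER column names.
    written_at: the time_t from the TIME record, or None if it is missing.
    """
    headers = {}
    clients = []
    written_at = None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        kind = row[0]
        if kind == "HEADER" and len(row) > 1:
            headers[row[1]] = row[2:]
        elif kind == "TIME" and len(row) >= 3:
            written_at = int(row[2])
        elif kind == "CLIENT_LIST":
            columns = headers.get("CLIENT_LIST")
            if columns is None:
                raise ValueError("CLIENT_LIST record seen before its HEADER line")
            clients.append(dict(zip(columns, row[1:])))
    return clients, written_at


def active_clients(text):
    """(common name, tunnel address, seconds connected at write time), by name."""
    clients, written_at = parse_status_v2(text)
    rows = []
    for c in clients:
        since = int(c["Connected Since (time_t)"])
        rows.append((c["Common Name"], c["Virtual Address"],
                     None if written_at is None else written_at - since))
    return sorted(rows)


def status_is_fresh(text, now_epoch, max_age=120):
    """OpenVPN rewrites the status file every 60 s by default (--status file [n]).

    A much older TIME record means the daemon is down or is writing elsewhere,
    so an empty CLIENT_LIST must not be trusted as "safe to restart".
    """
    _, written_at = parse_status_v2(text)
    return written_at is not None and 0 <= now_epoch - written_at <= max_age


def safe_to_restart(text, now_epoch):
    """True only if the file is current and lists no connected clients."""
    return status_is_fresh(text, now_epoch) and not active_clients(text)


if __name__ == "__main__":
    # On a real server, read the file named by the unit's --status argument.
    for name, addr, secs in active_clients(SAMPLE_STATUS):
        print(f"{name:12} {addr:15} up {secs // 60} min")
    print("safe to restart:", safe_to_restart(SAMPLE_STATUS, 1743848460))
```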
From: Yuriy D. <yur...@op...> - 2025-04-03 11:24:43
The OpenVPN community project team is proud to release OpenVPN 2.6.14.
This is a bugfix release containing one security fix.
Security fixes:
* CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2

  Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2
  can be made to abort with an ASSERT() message by sending a particular
  combination of authenticated and malformed packets. To trigger the bug, a
  valid tls-crypt-v2 client key is needed, or network observation of a handshake
  with a valid tls-crypt-v2 client key. No crypto integrity is violated, no data
  is leaked, and no remote code execution is possible. This bug does not affect
  OpenVPN clients. (Bug found by internal QA at OpenVPN Inc)
Bug fixes:
* Linux DCO: repair source IP selection for --multihome (Qingfang Deng)
Windows MSI changes since 2.6.13:
* Built against OpenSSL 3.4.1
* Included openvpn-gui updated to 11.52.0.0
* Use correct %TEMP% directory for debug log file.
* Disable config in menu listing if its ovpn file becomes inaccessible (github openvpn-gui#729)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt
From: David S. <daz...@eu...> - 2025-04-01 13:22:22
On 31/03/2025 13:06, Bo Berglund wrote:
>
> Now I have looked around in searches and found that apparently my server and
> serverlocal services are controlled by systemd using this common file for the
> services:
>
> /usr/lib/systemd/system/openvpn-server@.service
>
> And on my new system that file contains this:
>
> ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
>
> Notice the --suppress-timestamps item, which I believe is what removes the
> timestamp output.
Since I was involved back in the days introducing the systemd unit
files, I can't let this pass ;)
First, yes - --suppress-timestamps is needed, otherwise the default
logging (not using files) will have timestamps doubled up. One from the
syslog (or journald) when receiving the log event and the second one in
the log event line from the OpenVPN process.
Secondly, I would generally strongly recommend AGAINST using the --log
option when having a syslog service or journald running on the system.
If OpenVPN gets under heavy load and needs to do lots of logging, that
will impact the performance - since it will need to also do the file
operations to write log entries to the disk. By letting OpenVPN use
the syslog API instead - it's the responsibility of the logging service
to handle everything related to storing the data properly to disk.
Other advantages of using the syslog API are that the syslog/journald
service handles log rotation on its own. With rsyslog, syslog-ng (and
many others) you can also filter out openvpn log entries into a
dedicated log file, if you want that.
Since you use the systemd service files, you have journald enabled by
default today. That does a very good job at ensuring the disk isn't
filled up with log data. OpenVPN with --log can fill up the disks if
nobody pays attention to the disk consumption. And the journalctl
command is a powerful tool to extract all the details you would want.
Just a very quick example:
# journalctl --since yesterday \
--until today \
-u ope...@vp... \
-g "Control Channel:"
The --since and --until lines will extract only log events which
happened yesterday. The -u is the systemd unit file to extract log
files from. This only works when you don't have --log in the OpenVPN
config. And the -g is "grep", so it extracts only log lines containing
"Control Channel:". That also supports regex for more advanced filtering.
You can also add additional filtering on meta data not listed in the
"normal" view. By adding -o json-pretty, you can get an idea of what
might be available. So for example, if you want to look at the log
entries for a specific PID ... journalctl _PID=12345. To add more
filters, you use the + sign.
Other options I also commonly use are -f and -b. With -b you can give
-1 to get log entries happening from the previous boot. -2 gives you
the boot before that again. --list-boots will list all available boots
in the journal.
The systemd-journal stores a lot more information about processes than
the normal syslog and can also keep the log data compressed on disk,
providing mechanisms to detect external log mangling, etc ... it is
generally the recommended way.
By default on most distributions today, you need to manually create the
/var/log/journal directory to enable persistent logging - or set
Storage=persistent in /etc/systemd/journald.conf. Without this, the
logging happens only in memory and is wiped across boots.
So I strongly recommend you to use the systemd-journal. It will give
you access to all the log entries you're looking for incredibly quickly.
And it's a tool you have available out-of-the-box.
--
kind regards,
David Sommerseth
OpenVPN Inc
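As an added example, not David's or the OpenVPN project's code: the selection that the flags above express (-u unit, -g regex, _PID=...) applied in Python to the output of `journalctl -o json`, the one-object-per-line form of the metadata that -o json-pretty reveals, which is useful when the journal is shipped to a log pipeline rather than read interactively. The journal lines below are constructed sample output and the unit name openvpn-server@server.service is assumed.

```python
"""Filter journald JSON export for OpenVPN log entries."""
import json
import re
from datetime import datetime, timezone

UNIT = "openvpn-server@server.service"  # assumed instance name

# Constructed sample of `journalctl -o json` output (one JSON object per line).
# __REALTIME_TIMESTAMP is microseconds since the epoch, emitted as a string.
SAMPLE_JOURNAL = "\n".join(json.dumps(e) for e in [
    {"__REALTIME_TIMESTAMP": "1743847092123456", "_SYSTEMD_UNIT": UNIT,
     "_PID": "1234", "SYSLOG_IDENTIFIER": "openvpn", "PRIORITY": "6",
     "MESSAGE": "203.0.113.10:51234 TLS: Initial packet from [AF_INET]203.0.113.10:51234"},
    {"__REALTIME_TIMESTAMP": "1743847093654321", "_SYSTEMD_UNIT": UNIT,
     "_PID": "1234", "SYSLOG_IDENTIFIER": "openvpn", "PRIORITY": "6",
     "MESSAGE": "203.0.113.10:51234 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384"},
    {"__REALTIME_TIMESTAMP": "1743847100000000",
     "_SYSTEMD_UNIT": "openvpn-server@serverlocal.service",
     "_PID": "1240", "SYSLOG_IDENTIFIER": "openvpn", "PRIORITY": "6",
     "MESSAGE": "192.168.1.20:40000 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384"},
    {"__REALTIME_TIMESTAMP": "1743847101000000", "_SYSTEMD_UNIT": "ssh.service",
     "_PID": "900", "SYSLOG_IDENTIFIER": "sshd", "PRIORITY": "6",
     "MESSAGE": "Accepted publickey for pi from 10.8.0.6 port 51000 ssh2"},
])


def parse_journal_json(text):
    """One dict per non-empty line.

    journald exports a MESSAGE that is not valid UTF-8 as an array of byte
    values; decode those so the regex filter below still applies to them.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        msg = entry.get("MESSAGE")
        if isinstance(msg, list):
            entry["MESSAGE"] = bytes(msg).decode("utf-8", "replace")
        entries.append(entry)
    return entries


def select(entries, unit=None, pattern=None, pid=None):
    """Equivalent of `journalctl -u UNIT -g PATTERN _PID=PID`.

    Every filter given must match; journalctl combines matches on different
    fields with AND in the same way.
    """
    regex = re.compile(pattern) if pattern else None
    picked = []
    for e in entries:
        if unit is not None and e.get("_SYSTEMD_UNIT") != unit:
            continue
        if pid is not None and e.get("_PID") != str(pid):
            continue
        if regex is not None and not regex.search(e.get("MESSAGE", "")):
            continue
        picked.append(e)
    return picked


def format_entry(e):
    """Render like the default journalctl view, with a UTC timestamp
    derived from the microsecond __REALTIME_TIMESTAMP field."""
    ts = datetime.fromtimestamp(int(e["__REALTIME_TIMESTAMP"]) / 1_000_000,
                                tz=timezone.utc)
    return (f"{ts:%Y-%m-%d %H:%M:%S} {e.get('SYSLOG_IDENTIFIER', '?')}"
            f"[{e.get('_PID', '?')}]: {e.get('MESSAGE', '')}")


def control_channel_lines(text, unit=UNIT):
    """Formatted 'Control Channel:' lines for one unit, in journal order."""
    entries = parse_journal_json(text)
    return [format_entry(e)
            for e in select(entries, unit=unit, pattern=r"Control Channel:")]


if __name__ == "__main__":
    # Feed real data with: journalctl -o json -u openvpn-server@server.service
    for line in control_channel_lines(SAMPLE_JOURNAL):
        print(line)
```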
From: Bo B. <bo....@gm...> - 2025-03-31 17:02:34
On Mon, 31 Mar 2025 13:06:46 +0200, Bo Berglund <bo....@gm...> wrote:

> But I have one remaining issue, missing timestamps:
> ---------------------------------------------------
>
> The OpenVPN server's logfile and status logfile are *missing timestamps*, which
> makes them difficult to use for troubleshooting.
>
> How can I make each line in the logs start with a timestamp that can be used for
> sorting/searching, like so:
>
> 2025-03-31 10:22:19 Some log info
>
> (Notice that the most significant item is at the start and the least in the end
> contrary to the useless USA way of printing complete date-times...)
>
> I tried by adding this to the server.conf file:
>
> suppress-timestamps no
>
> which was suggested to me online...
>
> But that caused the server to not start at all!
>
> In the log:
>
> $ sudo cat server.log
> Options error: Unrecognized option or missing or extra parameter(s) in
> server.conf:42: suppress-timestamps (2.6.3)
> Use --help for more information.
>
> And no more logging since the server apparently choked on this.
>
> Took a while to find this out.
> And using the openvpn --help did not help much either.
>
> Now I have looked around in searches and found that apparently my server and
> serverlocal services are controlled by systemd using this common file for the
> services:
>
> /usr/lib/systemd/system/openvpn-server@.service
>
> And on my new system that file contains this:
>
> ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
>
> Notice the --suppress-timestamps item, which I believe is what removes the
> timestamp output.
>
> Question:
> ---------
> Is it safe to edit that file and remove --suppress-timestamp (and I assume
> restart the openvpn instances)?
>
> Or can this cause havoc in my system?
>
> And how is the timestamp format defined?

I finally found online what the least intrusive solution is, so it can be
selectively applied to one of several servers running on the same machine.
It creates an override for the standard ExecStart command for selected service
instances:

1) Locate the /usr/lib/systemd/system/openvpn-server@.service template file

2) Open it and copy out the line ExecStart= (it contains the --suppress-timestamps
item); in my case it looks like this:

ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

3) Create an override dir:
sudo mkdir -p /etc/systemd/system/ope...@xx....d
where xxxx is the name of the conf file, in my case "server".

4) Create an "override" file:
sudo nano /etc/systemd/system/ope...@xx....d/override.conf
where again xxxx is replaced by the name of the conf file

5) Paste this into the file (the active line content from step 2 above minus the
suppress-timestamps argument). It will look like this:

[Service]
ExecStart=
ExecStart=/usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --config /etc/openvpn/server/server.conf

Now when the service is restarted the ExecStart item is first reset to blank and
then filled with the original but minus the --suppress-timestamps argument.

I have not yet had time to actually test/verify this but I am writing it down to
check later (so I don't forget the method).

Hopefully this can be the solution that is OK to use.

--
Bo Berglund
Developer in Sweden
From: Bo B. <bo....@gm...> - 2025-03-31 11:07:15
On Sat, 29 Mar 2025 15:37:38 +0000, tincantech via Openvpn-users
<ope...@li...> wrote:

> On Sat, 29 Mar 2025 10:41:38 +0100, Bo Berglund <bo....@gm...> wrote:
>
> > But I am struggling to understand the concepts still.
>
> Some help:
> https://github.com/OpenVPN/easy-rsa/blob/master/doc/Intro-To-PKI.md
>
> > I tried the section I feel is most similar to my use:
> >
> > PKI procedure: Producing your complete PKI on the CA machine
> >
> > Now I have done this after creating the vars file from the example with
> > extended lifetimes set:
> >
> > 1) ./easyrsa init-pki (This creates and populates the pki dir)
> > 2) ./easyrsa --nopass build-ca
> > 3) ./easyrsa gen-tls-crypt-key
> > 4) ./easyrsa --nopass build-server-full HakanNew
> > 5) ./easyrsa build-client-full BosseWien (client for myself)
> > 6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)
>
> That all looks good.

I hoped so...

> > Follow-up
> > ---------
> > I tested it by editing my existing server.conf file and commenting out all of
> > these lines referencing cert files etc:
> >
> > #Keys, Certificates, directories etc:
> > ca /etc/openvpn/server/serverkeys/ca.crt
> > cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
> > key /etc/openvpn/server/serverkeys/HAKANVPN.key
> > dh /etc/openvpn/server/serverkeys/dh2048.pem
> > tls-auth /etc/openvpn/server/serverkeys/ta.key 0
> >
> > Instead I copied in the full content of the server's inline file at the end of
> > the server.conf file.
> >
> > But that only resulted in a total non-starter when trying to start the service
> > so I have probably missed something important...
>
> What error message is given ?

I decided against using inlines, instead went the old way of creating a "keys"
subdir below /etc/openvpn into where I copied the involved files and entered
them with full paths into the server.conf file like before.
And it did work fine.

Now the new RPi4 based replacement VPN server has been transported to Vienna and
after some trouble using my Windows OpenVPN-GUI application (which caches the
OVPN file content so it has to be exited and started fresh in order to recognize
changed file content) I was able to make it work and I can now connect using both
an older RPi2 based server and this new RPi4 based device.

I have used easyrsa 3.2.2 to build the files and I have extended the lifetime a
bit too. Should work for a while.

But I have one remaining issue, missing timestamps:
---------------------------------------------------

The OpenVPN server's logfile and status logfile are *missing timestamps*, which
makes them difficult to use for troubleshooting.

How can I make each line in the logs start with a timestamp that can be used for
sorting/searching, like so:

2025-03-31 10:22:19 Some log info

(Notice that the most significant item is at the start and the least in the end
contrary to the useless USA way of printing complete date-times...)

I tried by adding this to the server.conf file:

suppress-timestamps no

which was suggested to me online...

But that caused the server to not start at all!

In the log:

$ sudo cat server.log
Options error: Unrecognized option or missing or extra parameter(s) in
server.conf:42: suppress-timestamps (2.6.3)
Use --help for more information.

And no more logging since the server apparently choked on this.

Took a while to find this out.
And using the openvpn --help did not help much either.

Now I have looked around in searches and found that apparently my server and
serverlocal services are controlled by systemd using this common file for the
services:

/usr/lib/systemd/system/openvpn-server@.service

And on my new system that file contains this:

ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
--status-version 2 --suppress-timestamps --config %i.conf

Notice the --suppress-timestamps item, which I believe is what removes the
timestamp output.

Question:
---------
Is it safe to edit that file and remove --suppress-timestamp (and I assume
restart the openvpn instances)?

Or can this cause havoc in my system?

And how is the timestamp format defined?

--
Bo Berglund
Developer in Sweden
From: tincantech <tin...@pr...> - 2025-03-30 02:00:53
First, thank you David, for your help.

Also, see below for how Easy-RSA can help, however you choose to deploy your VPN.

For OpenVPN peer-fingerprint mode:

Please note, Easy-RSA 3.2.2 also has commands: `self-sign-server` and
`self-sign-client`

These will build a server or client cert/key pair that is not signed by a CA key
and can be used in OpenVPN peer-fingerprint mode.

Easy-RSA also writes the certificate fingerprint to the inline file.

For OpenVPN normal CA mode:

And finally, Easy-RSA (On Linux) writes the decimal value of the certificate
serial number to the inline file. That decimal can be used for the OpenVPN
option --crl-verify, when using the 'dir' flag.

The OpenVPN manual says:

If the optional dir flag is specified, enable a different mode where the
crl-verify is pointed at a directory containing files named as revoked serial
numbers (the files may be empty, the contents are never read). If a client
requests a connection, where the client certificate serial number (decimal
string) is the name of a file present in the directory, it will be rejected.

Regards
From: David S. <daz...@eu...> - 2025-03-29 21:49:47
On 29/03/2025 14:16, Bo Berglund wrote:
[...snip...]
> It seems like that solution is based on the clients being "registered" on the
> server with a fingerprint created client side, but how can you do such things on
> a mobile phone?
> So a Linux client would work but not a phone..

Kinda ... The client config still needs a client certificate and a key. That
information will not be created on the mobile device - and that is exactly the
same as with the CA/easy-rsa approach. You prepare a config file containing
everything, and that file is imported on the mobile device.

What is different is that you run an 'openssl x509' command to retrieve the
SHA-256 fingerprint of the client and server certificates. The client
certificate fingerprint is put into the <peer-fingerprint> "blob" in the server
config. And in the client config, the server certificate fingerprint is given to
the peer-fingerprint option.

IIRC, on *older* OpenVPN versions on the client side (not supporting
peer-fingerprint), the server certificate can be used in the <ca> "blob" in the
client config.

> We need the phone to also be able to connect to the server and be geolocated
> there.
> And that has worked for many years using the ovpn file (same file for the client
> irrespective of device used).

That should not be any different. What peer-fingerprint does is basically
removing the need for client and server certificates to be signed by a CA. So
the CA certificate is no longer needed when using peer-fingerprint. Client and
server certificates are self-signed when using peer-fingerprint.

--
kind regards,

David Sommerseth
OpenVPN Inc
From: tincantech <tin...@pr...> - 2025-03-29 15:37:58
|
On Sat, 29 Mar 2025 10:41:38 +0100, Bo Berglund <bo....@gm...> wrote:
>
> >But I am struggling to understand the concepts still.

Some help:
https://github.com/OpenVPN/easy-rsa/blob/master/doc/Intro-To-PKI.md

> >I tried the section I feel is most similar to my use:
> >
> >PKI procedure: Producing your complete PKI on the CA machine
> >
> >Now I have done this after creating the vars file from the example with extended
> >lifetimes set:
> >
> >1) ./easyrsa init-pki (This creates and populates the pki dir)
> >2) ./easyrsa --nopass build-ca
> >3) ./easyrsa gen-tls-crypt-key
> >4) ./easyrsa --nopass build-server-full HakanNew
> >5) ./easyrsa build-client-full BosseWien (client for myself)
> >6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)

That all looks good.

> Follow-up
> ---------
> I tested it by editing my existing server.conf file and commenting out all of
> these lines referencing cert files etc:
>
> #Keys, Certificates, directories etc:
> ca /etc/openvpn/server/serverkeys/ca.crt
> cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
> key /etc/openvpn/server/serverkeys/HAKANVPN.key
> dh /etc/openvpn/server/serverkeys/dh2048.pem
> tls-auth /etc/openvpn/server/serverkeys/ta.key 0
>
> Instead I copied in the full content of the server's inline file at the end of
> the server.conf file.
>
> But that only resulted in a total non-starter when trying to start the service
> so I have probably missed something important...

What error message is given?

> >ALSO:
> >-----
> >A bit down in the document above I found a link to another github script
> >Easy-TLS, which seems to be needed to do something TLS related ("add the
> >finishing touches to your PKI").

You do not need Easy-TLS.
Easy-TLS is only of any value if you want to use TLS-Crypt-v2 TLS keys.

I also recommend that you consider using OpenVPN peer-fingerprint mode.
One advantage is that expired certificates continue to work, until you
decide to remove their fingerprint from the server.

Or, you could instead try using https://github.com/pivpn/pivpn
pivpn would probably be ideal for you.

R

From: Bo B. <bo....@gm...> - 2025-03-29 13:31:36

On Sat, 29 Mar 2025 10:41:38 +0100, Bo Berglund <bo....@gm...> wrote:
>I am trying to understand how to use easyrsa 3.2.2 downloaded from github on a
>freshly built RPi4B running PiOS Lite in order to create an OpenVPN server for
>private use as described in a parallel thread.
>
>Now I have read the description document here:
>https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
>
>and tried to use it to set up a very simple system with two clients (myself and
>my brother in law).
>But I am struggling to understand the concepts still.
>
>I tried the section I feel is most similar to my use:
>
>PKI procedure: Producing your complete PKI on the CA machine
>
>Now I have done this after creating the vars file from the example with extended
>lifetimes set:
>
>1) ./easyrsa init-pki (This creates and populates the pki dir)
>2) ./easyrsa --nopass build-ca
>3) ./easyrsa gen-tls-crypt-key
>4) ./easyrsa --nopass build-server-full HakanNew
>5) ./easyrsa build-client-full BosseWien (client for myself)
>6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)
>
>Now what?
>In the old times I had to copy some crypto files to the /etc/openvpn/keys dir to
>be used by the server (files listed in the server.conf file).
>
>The build-client-full command seems to generate an inline file for each client
>as well as for the server itself.
>What do I do with these?
>
>Do I put the server's inline file *content* into the server.conf file itself and
>skip listing the file locations?
>I.e. no longer a "keys" dir inside /etc/openvpn?
>
>I.e. is the idea here that the server.conf file shall be self-contained, not
>needing any cert/key files found by a file path?

Follow-up
---------
I tested it by editing my existing server.conf file and commenting out all of
these lines referencing cert files etc:

#Keys, Certificates, directories etc:
ca /etc/openvpn/server/serverkeys/ca.crt
cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
key /etc/openvpn/server/serverkeys/HAKANVPN.key
dh /etc/openvpn/server/serverkeys/dh2048.pem
tls-auth /etc/openvpn/server/serverkeys/ta.key 0

Instead I copied in the full content of the server's inline file at the end of
the server.conf file.

But that only resulted in a total non-starter when trying to start the service
so I have probably missed something important...

>And the same for the OVPN client connection files?
>
>Do I for instance add my client config items to the top of the inline file and
>rename it as an ovpn file?
>
>Or what is the next step for me to get a server running properly and something
>to put into the ovpn files?
>
>ALSO:
>-----
>A bit down in the document above I found a link to another github script
>Easy-TLS, which seems to be needed to do something TLS related ("add the
>finishing touches to your PKI").
>
>But here I am lost, what is it needed for and how do I use it in my simple case?
>The inline files created above do contain a <tls-crypt> section already....
>
>Grateful for a bit of clarification.

--
Bo Berglund
Developer in Sweden

From: Bo B. <bo....@gm...> - 2025-03-29 13:16:44

On Sat, 29 Mar 2025 12:56:01 +0100, Stefanie Leisestreichler <ste...@pe...>
wrote:
>Hi Bo.
>I would like to recommend another setup for your installation, without
>all the implications coming with an own pki...
>This is safe and can be handled very simply:
>https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst

It seems like that solution is based on the clients being "registered" on the
server with a fingerprint created client side, but how can you do such things on
a mobile phone?
So a Linux client would work but not a phone..

We need the phone to also be able to connect to the server and be geolocated
there.
And that has worked for many years using the ovpn file (same file for the client
irrespective of device used).

--
Bo Berglund
Developer in Sweden

From: Stefanie L. <ste...@pe...> - 2025-03-29 12:40:25

On 3/29/25 08:07, Bo Berglund wrote:
> On Sat, 29 Mar 2025 00:30:13 +0100, Bo Berglund <bo....@gm...> wrote:
>
>> On Fri, 28 Mar 2025 18:09:16 -0400, "Dan Langille" <da...@la...> wrote:
>>
>>> On my phone: I suspect you’re using a newer openvpn version.
>>> It is complaining about your CA. I think it wants a CA created with a newer algorithm.
>>> Wait for confirmation by others.
>>
>> Is this because openvpn itself is newer than the one on RPi2?
>> rpi4 version: OpenVPN 2.6.3
>> rpi2 version: OpenVPN 2.4.7
>>
>> I tried to use the old cert/key etc files on the new server...
>> (To make it accept connections using the old ovpn files.)
>>
>> If I create a new CA then will not the complete infrastructure need to be
>> rebuilt including the ovpn connection files?
>>
>> I was hoping that the same files could be used for either server just by
>> changing the connection port on the server.
>>
>> But in this case it seems like the server does not even start properly so the
>> connection too does not proceed. And maybe it is the phone that barfs at the
>> cert in the openvpn file and does not proceed towards the server? So the error
>> is not from the server?
>>
>> What would be the proper way to deal with this, in the end I figured there could
>> be two connection points served by the two RPi devices and using the same ovpn
>> files except for the connection port.
>>
>> It was such a long time since I started from scratch now, I even created a
>> script back then to help in creating new client files but that does only work on
>> the old kind of files.
>
> I decided to build a new server from scratch using easyrsa 3.2.2.
> And I can't get it using apt because the most recent version there is 3.1.0-1,
> which is way too old...
>
> So I downloaded easyrsa 3.2.2 from github to my $HOME/openvpn dir, but I got
> stuck following these actions:
>
> - Copy the vars.example file to vars
>
> - Edit the vars file to extend the life of the certs:
> set_var EASYRSA_CA_EXPIRE 5475 #15 years
> set_var EASYRSA_CERT_EXPIRE 5110 #14 years
>
> - Then started the process:
> - $ ./easyrsa init-pki
> - $ ./easyrsa --nopass build-ca (is this correct? no password?)
> - $ ./easyrsa gen-tls-crypt-key
> - next step is what?
>
> From now on I am getting confused as to the password usage, I want to in the end
> generate user logins in an ovpn file where the user needs to enter a password on
> connect. This password can be cached by the openvpn client used as is the case
> on a Windows or Linux PC, but it needs to be there to safeguard against use by
> an unknown person.
> It seems like there is a --nopass argument to *all* the commands and I don't
> know when it is appropriate to use that.
>
> Is there a webpage anywhere "easyrsa 3.2.2 for dummies" where one can get a
> complete sequence of commands to wind up with a usable OpenVPN server and user
> ovpn files with password protection (for the ovpn files)?
>
> I have looked around but what I found seems to be for older easy-rsa versions...
>
>
> I have read the "official" page:
> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
>
> But it uses terminology that I don't understand about "systems", I just want to
> create an OpenVPN server that allows 1-2 users to connect from outside to the
> home server and from there access the local LAN as well as the Internet but as
> if actually being at home. I.e. in this case to be able to use the Internet as
> if located in Vienna.
>
> There is no "organization" or such involved here...
> And what is meant by "system" in the descriptions? Sounds like they use several
> computers...
>
>

Hi Bo.
I would like to recommend another setup for your installation, without
all the implications coming with an own pki...
This is safe and can be handled very simply:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst
Maybe you give it a try.

From: Bo B. <bo....@gm...> - 2025-03-29 09:42:00

I am trying to understand how to use easyrsa 3.2.2 downloaded from github on a
freshly built RPi4B running PiOS Lite in order to create an OpenVPN server for
private use as described in a parallel thread.

Now I have read the description document here:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

and tried to use it to set up a very simple system with two clients (myself and
my brother in law).
But I am struggling to understand the concepts still.

I tried the section I feel is most similar to my use:

PKI procedure: Producing your complete PKI on the CA machine

Now I have done this after creating the vars file from the example with extended
lifetimes set:

1) ./easyrsa init-pki (This creates and populates the pki dir)
2) ./easyrsa --nopass build-ca
3) ./easyrsa gen-tls-crypt-key
4) ./easyrsa --nopass build-server-full HakanNew
5) ./easyrsa build-client-full BosseWien (client for myself)
6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)

Now what?
In the old times I had to copy some crypto files to the /etc/openvpn/keys dir to
be used by the server (files listed in the server.conf file).

The build-client-full command seems to generate an inline file for each client
as well as for the server itself.
What do I do with these?

Do I put the server's inline file *content* into the server.conf file itself and
skip listing the file locations?
I.e. no longer a "keys" dir inside /etc/openvpn?

I.e. is the idea here that the server.conf file shall be self-contained, not
needing any cert/key files found by a file path?

And the same for the OVPN client connection files?

Do I for instance add my client config items to the top of the inline file and
rename it as an ovpn file?

Or what is the next step for me to get a server running properly and something
to put into the ovpn files?

ALSO:
-----
A bit down in the document above I found a link to another github script
Easy-TLS, which seems to be needed to do something TLS related ("add the
finishing touches to your PKI").

But here I am lost, what is it needed for and how do I use it in my simple case?
The inline files created above do contain a <tls-crypt> section already....

Grateful for a bit of clarification.

--
Bo Berglund
Developer in Sweden

From: Bo B. <bo....@gm...> - 2025-03-29 07:08:17

On Sat, 29 Mar 2025 00:30:13 +0100, Bo Berglund <bo....@gm...> wrote:
>On Fri, 28 Mar 2025 18:09:16 -0400, "Dan Langille" <da...@la...> wrote:
>
>> On my phone: I suspect you're using a newer openvpn version.
>> It is complaining about your CA. I think it wants a CA created with a newer algorithm.
>> Wait for confirmation by others.
>
>Is this because openvpn itself is newer than the one on RPi2?
>rpi4 version: OpenVPN 2.6.3
>rpi2 version: OpenVPN 2.4.7
>
>I tried to use the old cert/key etc files on the new server...
>(To make it accept connections using the old ovpn files.)
>
>If I create a new CA then will not the complete infrastructure need to be
>rebuilt including the ovpn connection files?
>
>I was hoping that the same files could be used for either server just by
>changing the connection port on the server.
>
>But in this case it seems like the server does not even start properly so the
>connection too does not proceed. And maybe it is the phone that barfs at the
>cert in the openvpn file and does not proceed towards the server? So the error
>is not from the server?
>
>What would be the proper way to deal with this, in the end I figured there could
>be two connection points served by the two RPi devices and using the same ovpn
>files except for the connection port.
>
>It was such a long time since I started from scratch now, I even created a
>script back then to help in creating new client files but that does only work on
>the old kind of files.

I decided to build a new server from scratch using easyrsa 3.2.2.
And I can't get it using apt because the most recent version there is 3.1.0-1,
which is way too old...

So I downloaded easyrsa 3.2.2 from github to my $HOME/openvpn dir, but I got
stuck following these actions:

- Copy the vars.example file to vars

- Edit the vars file to extend the life of the certs:
set_var EASYRSA_CA_EXPIRE 5475 #15 years
set_var EASYRSA_CERT_EXPIRE 5110 #14 years

- Then started the process:
- $ ./easyrsa init-pki
- $ ./easyrsa --nopass build-ca (is this correct? no password?)
- $ ./easyrsa gen-tls-crypt-key
- next step is what?

From now on I am getting confused as to the password usage, I want to in the end
generate user logins in an ovpn file where the user needs to enter a password on
connect. This password can be cached by the openvpn client used as is the case
on a Windows or Linux PC, but it needs to be there to safeguard against use by
an unknown person.
It seems like there is a --nopass argument to *all* the commands and I don't
know when it is appropriate to use that.

Is there a webpage anywhere "easyrsa 3.2.2 for dummies" where one can get a
complete sequence of commands to wind up with a usable OpenVPN server and user
ovpn files with password protection (for the ovpn files)?

I have looked around but what I found seems to be for older easy-rsa versions...


I have read the "official" page:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

But it uses terminology that I don't understand about "systems", I just want to
create an OpenVPN server that allows 1-2 users to connect from outside to the
home server and from there access the local LAN as well as the Internet but as
if actually being at home. I.e. in this case to be able to use the Internet as
if located in Vienna.

There is no "organization" or such involved here...
And what is meant by "system" in the descriptions? Sounds like they use several
computers...

--
Bo Berglund
Developer in Sweden

From: Bo B. <bo....@gm...> - 2025-03-28 23:30:25

On Fri, 28 Mar 2025 18:09:16 -0400, "Dan Langille" <da...@la...> wrote:
> On my phone: I suspect you're using a newer openvpn version.
> It is complaining about your CA. I think it wants a CA created with a newer algorithm.
> Wait for confirmation by others.

Is this because openvpn itself is newer than the one on RPi2?
rpi4 version: OpenVPN 2.6.3
rpi2 version: OpenVPN 2.4.7

I tried to use the old cert/key etc files on the new server...
(To make it accept connections using the old ovpn files.)

If I create a new CA then will not the complete infrastructure need to be
rebuilt including the ovpn connection files?

I was hoping that the same files could be used for either server just by
changing the connection port on the server.

But in this case it seems like the server does not even start properly so the
connection too does not proceed. And maybe it is the phone that barfs at the
cert in the openvpn file and does not proceed towards the server? So the error
is not from the server?

What would be the proper way to deal with this, in the end I figured there could
be two connection points served by the two RPi devices and using the same ovpn
files except for the connection port.

It was such a long time since I started from scratch now, I even created a
script back then to help in creating new client files but that does only work on
the old kind of files.

--
Bo Berglund
Developer in Sweden

From: Dan L. <da...@la...> - 2025-03-28 22:09:57

On my phone: I suspect you’re using a newer openvpn version.
It is complaining about your CA. I think it wants a CA created with a newer algorithm.
Wait for confirmation by others.

On Fri, Mar 28, 2025, at 5:50 PM, Bo Berglund wrote:
> Hi,
> I have a problem on a new server trying to use an old server's config...
>
> Back in 2019 I created an RPi2 based OVPN server for use by my brother-in-law to
> connect back to his home in Vienna while traveling abroad.
> It has worked fine for a long time but recently the RPi2 has acted up and the
> service stopped occasionally until someone (his son) could go over and restart
> the RPi2 device. This happened repeatedly.
>
> So to improve this I have started up a new RPi4B with the most recent PiOS Lite
> (server style - no gui components).
> On this I have installed openvpn via apt and I have copied over the "crypto"
> files to directory /etc/openvpn/server/serverkeys.
> I did so by (as sudo) creating a tar.gz file containing /etc/openvpn on the old
> RPi2.
>
> Then I have configured a server.conf file based on the old file on the RPi2 but
> with some enhancements from recent times by looking at a conf file on my new
> OVPN server here at home, which works just fine.
>
> For a test I have started the service with the RPi4 on my home LAN so I have
> edited the conf file to reflect my own LAN configuration network wise.
>
> Then I have copied my ovpn file for the old server in Vienna and edited it so it
> points to my own server and uses the correct port etc to be used for testing
> here.
>
> Now when I try to connect from my phone using this ovpn file modified to point
> to my own url it stops with an error message:
>
> ---------------------------------------------------------------
> There was an error attempting to connect to
> the selected server.
>
> Error message:
> "You are using an insecure hash algorithm for the CA signature.
> Regenerate the CA certificate with a secure hash algorithm."
> ----------------------------------------------------------------
>
> I do not know *where* the problem is located in this case.
> Nor what exactly I have to do.
> Which signature is a problem? Something on the server or inside the
> ovpn file I use to connect?
>
> I used a copy of the ovpn file working towards the RPi2 device (which fully
> works right now), where I just changed the port number to match what I have
> forwarded on my router and switched the connection URL to my home system.
>
>
>
> Here is my server.conf file:
> ---------------------------
> port 1193
> proto udp
> dev tun
> topology subnet
>
> #Keys, Certificates, directories etc
> ca /etc/openvpn/server/serverkeys/ca.crt
> cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
> key /etc/openvpn/server/serverkeys/HAKANVPN.key
> dh /etc/openvpn/server/serverkeys/dh2048.pem
> tls-auth /etc/openvpn/server/serverkeys/ta.key 0
> cipher AES-256-CBC
> #Other files/dirs:
> client-config-dir /etc/openvpn/ccd
> status /etc/openvpn/log/server-status.log 20
> log /etc/openvpn/log/server.log
> verb 3 #Verbosity of log content
> max-clients 20
> key-direction 0
> persist-key
> persist-tun
>
> #Server's internal network:
> server 10.8.113.0 255.255.255.0 'nopool'
> ifconfig-pool 10.8.113.10 10.8.113.127 255.255.255.0
> ifconfig-pool-persist /etc/openvpn/server/ipp.txt
> push "route 10.8.113.0 255.255.255.0"
> push "route 10.8.113.1 255.255.255.255"
> push "route 192.168.119.0 255.255.255.0"
> push "dhcp-option DNS 192.168.119.1" # When testing at home
> push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 208.67.222.222"
> push "dhcp-option DNS 208.67.220.220"
> comp-lzo no
> push "comp-lzo no"
> duplicate-cn
> keepalive 10 120
> ---------------------------------------------------------------
>
> Here is the content of the ovpn file used on the phone:
> ---------------------------------------------------------------
> client
> dev tun
> proto udp
> myhomedomain 1093
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> mute-replay-warnings
> auth-nocache
> remote-cert-tls server
> key-direction 1
> cipher AES-256-CBC
> verb 2
> mute 20
> explicit-exit-notify 1
>
> <ca>
> -----BEGIN CERTIFICATE-----
> MIIG4DCCBMigAwIBAgIUbFjR74pEthxrXy5wTGb2jx92Ty0wDQYJKoZIhvcNAQEL
> ....
> wcq/MyVJlLSaD/8QlhwIy38repxvLEZEEodBJO4laZrdmeb9
> -----END CERTIFICATE-----
> </ca>
> <cert>
> -----BEGIN CERTIFICATE-----
> MIIHEzCCBPugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCQVQx
> ....
> Cmed45LdJCnOG/vunkpXLM1EvtK/WSo4Hynwoi7axIVlC/6fVA72
> -----END CERTIFICATE-----
> </cert>
> <key>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,E1369C0CE0B22D49
> ....
> XaE3Qw06HkP6bzXhxZWwQT9Tf1QiS1XSmhHCp76I8BPkSEr1hl6Z6C6RqLZKi6wO
> -----END RSA PRIVATE KEY-----
> </key>
> <tls-auth>
> #
> # 2048 bit OpenVPN static key
> #
> -----BEGIN OpenVPN Static key V1-----
> 366cadc0ebfed57a493fdb05cedd25d9
> ....
> 9ea060f01c0fcaba71f39b7d6ac92f98
> -----END OpenVPN Static key V1-----
> </tls-auth>
>
> ---------------------------------------------------------------
>
> This is what is in the log file
> (there are no timestamps so I don't know *when* it was logged):
> -------------------------------------------------------------------------------
> DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers
> (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher
> negotiations.
> Note: '--allow-compression' is not set to 'no', disabling data channel offload.
> Consider using the '--compress migrate' option.
> OpenVPN 2.6.3 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
> [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
> library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
> DCO version: N/A
> WARNING: using --duplicate-cn and --client-config-dir together is probably not
> what you want
> WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
> net_route_v4_best_gw query: dst 0.0.0.0
> net_route_v4_best_gw result: via 192.168.119.1 dev eth0
> Diffie-Hellman initialized with 2048 bit key
> OpenSSL: error:0A00018E:SSL routines::ca md too weak
> Cannot load certificate file /etc/openvpn/server/serverkeys/HAKANVPN.crt
> Exiting due to fatal error
> -------------------------------------------------------------------------------
> And finally this is what I get with
>
> sudo systemctl status ope...@se...
> -------------------------------------------------------------------------------
> ope...@se... - OpenVPN service for server
> Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled;
> preset: enabled)
> Active: activating (auto-restart) (Result: exit-code) since Fri 2025-03-28
> 22:41:14 CET; 2s ago
> Docs: man:openvpn(8)
> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
> https://community.openvpn.net/openvpn/wiki/HOWTO
> Process: 20876 ExecStart=/usr/sbin/openvpn --status
> /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps
> --config server.conf (code=exited, status=1/FAILURE)
> Main PID: 20876 (code=exited, status=1/FAILURE)
> Status: "Pre-connection initialization successful"
> CPU: 90ms
> --------------------------------------------------------------------------------
>
> Where should I look for the problem?
> And a solution.....
>
> TIA
>
>
> --
> Bo Berglund
> Developer in Sweden

--
Dan Langille
da...@la...
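To find out which certificate carries the weak signature Dan suspects, here is an added check script (not code from the thread or from OpenVPN) that reads the signature algorithm out of each PEM certificate with `openssl x509` and flags MD5 and SHA-1; it assumes the openssl CLI is installed and generates its own throwaway demo certificate.

```shell
#!/bin/sh
# Added example, not from the thread: report which digest signed each
# certificate, so "ca md too weak" can be diagnosed before the certs are
# moved to a host with OpenSSL 3.x. Assumes the openssl CLI (1.1.1 or 3.x);
# the demo certificate is generated here, no real keys are needed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Print the signature algorithm recorded in a PEM certificate,
# e.g. "sha256WithRSAEncryption" or "sha1WithRSAEncryption".
cert_sig_algo() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# Succeed for digests OpenSSL 3.x accepts at its default security level (1);
# fail for MD5 and SHA-1 signatures, which OpenSSL 3.x rejects on certificates
# and which produce exactly the "ca md too weak" error in Bo's log.
digest_is_strong() {  # $1 = signature algorithm name
    case "$1" in
        *[Mm][Dd]5*|*[Ss][Hh][Aa]1*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report every certificate handed in; exit status 1 if any of them is weak.
# Run it on ca.crt, the server cert and each client cert from the old PKI.
check_certs() {
    bad=0
    for cert in "$@"; do
        algo=$(cert_sig_algo "$cert")
        if digest_is_strong "$algo"; then
            printf '%s: %s (ok)\n' "$cert" "$algo"
        else
            printf '%s: %s (WEAK - re-issue from a SHA-256 CA)\n' "$cert" "$algo"
            bad=1
        fi
    done
    return $bad
}

# Constructed demo input: a throwaway self-signed certificate signed with SHA-256.
make_demo_cert() {  # $1 = output path
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=demo' -keyout "$WORK/demo.key" -out "$1" 2>/dev/null
}

# Stand-alone run: generate the demo cert and check it.
make_demo_cert "$WORK/demo.crt"
check_certs "$WORK/demo.crt"
```

Bo's ovpn file above already hints at the answer: the first base64 line of its `<cert>` block contains `hkiG9w0BAQUF`, the DER encoding of the sha1WithRSAEncryption OID, whereas the `<ca>` block's first line carries `KoZIhvcNAQEL`, sha256WithRSAEncryption. The server-side HAKANVPN.crt that the log refuses to load is therefore the first file to run this on.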

From: Bo B. <bo....@gm...> - 2025-03-28 21:50:53

Hi,
I have a problem on a new server trying to use an old server's config...
Back in 2019 I created an RPi2 based OVPN server for use by my brother-in-law to
connect back to his home in Vienna while traveling abroad.
It has worked fine for a long time but recently the RPi2 has acted up and the
service stopped occasionally until someone (his son) could go over and restart
the RPi2 device. This happened repeatedly.
So to improve this I have started up a new RPi4B with the most recent PiOS Lite
(server style - no gui components).
On this I have installed openvpn via apt and I have copied over the "crypto"
files to directory /etc/openvpn/server/serverkeys.
I did so by (as sudo) creating a tar.gz file containing /etc/openvpn on the old
RPi2.
Then I have configured a server.conf file based on the old file on the RPi2 but
with some enhancements from recent times by looking at a conf file on my new
OVPN server here at home, which works just fine.
For a test I have started the service with the RPi4 on my home LAN so I have
edited the conf file to reflect my own LAN configuration network wise.
Then I have copied my ovpn file for the old server in Vienna and edited it so it
points to my own server and uses the correct port etc to be used for testing
here.
Now when I try to connect from my phone using this ovpn file modified to point
to my own url it stops with an error message:
---------------------------------------------------------------
There was an error attempting to connect to
the selected server.
Error message:
"You are using an insecure hash algorithm for the CA signature.
Regenerate the CA certificate with a secure hash algorithm."
----------------------------------------------------------------
I do not know *where* the problem is located in this case.
Nor what exactly I have to do.
Which signature is a problem? Something on the server or inside the
ovpn file I use to connect?
I used a copy of the ovpn file working towards the RPi2 device (which fully
works right now), where I just changed the port number to match what I have
forwarded on my router and switched the connection URL to my home system.
Here is my server.conf file:
---------------------------
port 1193
proto udp
dev tun
topology subnet
#Keys, Certificates, directories etc
ca /etc/openvpn/server/serverkeys/ca.crt
cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
key /etc/openvpn/server/serverkeys/HAKANVPN.key
dh /etc/openvpn/server/serverkeys/dh2048.pem
tls-auth /etc/openvpn/server/serverkeys/ta.key 0
cipher AES-256-CBC
#Other files/dirs:
client-config-dir /etc/openvpn/ccd
status /etc/openvpn/log/server-status.log 20
log /etc/openvpn/log/server.log
verb 3 #Verbosity of log content
max-clients 20
key-direction 0
persist-key
persist-tun
#Server's internal network:
server 10.8.113.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.113.10 10.8.113.127 255.255.255.0
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
push "route 10.8.113.0 255.255.255.0"
push "route 10.8.113.1 255.255.255.255"
push "route 192.168.119.0 255.255.255.0"
push "dhcp-option DNS 192.168.119.1" # When testing at home
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
comp-lzo no
push "comp-lzo no"
duplicate-cn
keepalive 10 120
---------------------------------------------------------------
Here is the content of the ovpn file used on the phone:
---------------------------------------------------------------
client
dev tun
proto udp
myhomedomain 1093
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
auth-nocache
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
verb 2
mute 20
explicit-exit-notify 1
<ca>
-----BEGIN CERTIFICATE-----
MIIG4DCCBMigAwIBAgIUbFjR74pEthxrXy5wTGb2jx92Ty0wDQYJKoZIhvcNAQEL
....
wcq/MyVJlLSaD/8QlhwIy38repxvLEZEEodBJO4laZrdmeb9
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIHEzCCBPugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCQVQx
....
Cmed45LdJCnOG/vunkpXLM1EvtK/WSo4Hynwoi7axIVlC/6fVA72
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E1369C0CE0B22D49
....
XaE3Qw06HkP6bzXhxZWwQT9Tf1QiS1XSmhHCp76I8BPkSEr1hl6Z6C6RqLZKi6wO
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
366cadc0ebfed57a493fdb05cedd25d9
....
9ea060f01c0fcaba71f39b7d6ac92f98
-----END OpenVPN Static key V1-----
</tls-auth>
---------------------------------------------------------------
This is what is in the log file
(there are no timestamps so I don't know *when* it was logged):
-------------------------------------------------------------------------------
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers
(AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher
negotiations.
Note: '--allow-compression' is not set to 'no', disabling data channel offload.
Consider using the '--compress migrate' option.
OpenVPN 2.6.3 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
[PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
DCO version: N/A
WARNING: using --duplicate-cn and --client-config-dir together is probably not
what you want
WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 192.168.119.1 dev eth0
Diffie-Hellman initialized with 2048 bit key
OpenSSL: error:0A00018E:SSL routines::ca md too weak
Cannot load certificate file /etc/openvpn/server/serverkeys/HAKANVPN.crt
Exiting due to fatal error
-------------------------------------------------------------------------------
And finally this is what I get with
sudo systemctl status ope...@se...
-------------------------------------------------------------------------------
ope...@se... - OpenVPN service for server
Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled;
preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Fri 2025-03-28
22:41:14 CET; 2s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 20876 ExecStart=/usr/sbin/openvpn --status
/run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps
--config server.conf (code=exited, status=1/FAILURE)
Main PID: 20876 (code=exited, status=1/FAILURE)
Status: "Pre-connection initialization successful"
CPU: 90ms
--------------------------------------------------------------------------------
Where should I look for the problem?
And a solution.....
TIA
--
Bo Berglund
Developer in Sweden

From: David S. <daz...@eu...> - 2025-03-19 22:21:57

On 19/03/2025 23:02, David Sommerseth wrote:
> On 19/03/2025 15:23, Bo Berglund wrote:
> [...]
>>
>> On 3rd thought I realized that I have almost 3 years remaining on the life of my
>> certs (expire jan 2028) and I will save time now by just transplanting the OVPN
>> infrastructure over to the new server and changing the port-forward on the
>> router to the new IP address.
>
> This is more an advice for when you're doing a new VPN setup ...
>
> Ask yourself if you really need the CA layer at all - if you would skip
> it if you could. If the answer is "Yes, please!", then you should look
> into the feature which I believe arrived in OpenVPN 2.6
>
> --peer-fingerprint
>
> That just requires clients to have the server-side certificate
> fingerprint listed and the server the fingerprints of all the clients it
> accepts. And that's it. Both clients and servers will need the
> key/cert files, but the certs can now be self-signed.
>
> There will be a lifetime on the client/server certs itself - so you need
> to consider carefully how long you want your client and server
> certificates to be valid.

I forgot to add a link with more details:
<https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst>

--
kind regards,
David Sommerseth
OpenVPN Inc

From: David S. <daz...@eu...> - 2025-03-19 22:21:40

On 19/03/2025 15:23, Bo Berglund wrote:
[...]
>
> On 3rd thought I realized that I have almost 3 years remaining on the life of my
> certs (expire jan 2028) and I will save time now by just transplanting the OVPN
> infrastructure over to the new server and changing the port-forward on the
> router to the new IP address.
This is more an advice for when you're doing a new VPN setup ...
Ask yourself if you really need the CA layer at all - if you would skip
it if you could. If the answer is "Yes, please!", then you should look
into the feature which I believe arrived in OpenVPN 2.6
--peer-fingerprint
That just requires clients to have the server-side certificate
fingerprint listed and the server the fingerprints of all the clients it
accepts. And that's it. Both clients and servers will need the
key/cert files, but the certs can now be self-signed.
There will be a lifetime on the client/server certs itself - so you need
to consider carefully how long you want your client and server
certificates to be valid.
--
kind regards,
David Sommerseth
OpenVPN Inc
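As an added illustration of the --peer-fingerprint model described in the message above (example code written for this archive, not OpenVPN's or Easy-RSA's own), the sh script below builds self-signed certificates with openssl and extracts the SHA256 fingerprint in the form the <peer-fingerprint> config block takes, with a second, independent computation over the DER bytes as a cross-check. It assumes openssl is on PATH; every name, path and validity period is constructed for the demo.

```shell
# Added example, not from the thread: build a self-signed cert with openssl
# and derive the SHA256 fingerprint that OpenVPN's --peer-fingerprint pins.
# All names, paths and validity periods below are constructed for the demo.
WORK="$(mktemp -d)"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Self-signed cert for one entity; no CA involved, which is the point.
# $1 = name, $2 = validity in days (choose this deliberately: the cert's own
# notAfter is now the only lifetime in play).
gen_selfsigned() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days "$2" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The fingerprint in the colon-separated form OpenVPN expects
# (same openssl command the example-fingerprint docs use).
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Independent cross-check: SHA256 over the DER encoding, formatted the same way.
fingerprint_via_der() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 \
        | sed 's/^.*= *//' | tr 'a-f' 'A-F' | sed 's/\(..\)/\1:/g; s/:$//'
}

# Client side: pin the server cert.
client_pin_block() {
    printf '<peer-fingerprint>\n%s\n</peer-fingerprint>\n' "$(fingerprint_of "$1")"
}

# Server side: one line per accepted client cert. With no CA there is no CRL,
# so removing a client means deleting its line here.
server_pin_block() {
    echo '<peer-fingerprint>'
    for crt in "$@"; do fingerprint_of "$crt"; done
    echo '</peer-fingerprint>'
}

# Succeeds only if the cert stays valid for at least $2 more days, so expiry
# can be caught before clients stop connecting.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}
```

The client config gets the output of client_pin_block for the server cert, the server config gets server_pin_block over every client cert it should accept; the fingerprint_via_der path exists only to show that the pinned value is nothing more than SHA256 of the certificate's DER bytes.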
From: Bo B. <bo....@gm...> - 2025-03-19 15:04:39
On Mon, 17 Mar 2025 20:32:52 +0100, Bo Berglund <bo....@gm...> wrote:
>So that was the plan before I had actually dived into the new server
>configuration....
>
>Now after having seen the issues when copying the other old stuff into the new
>server I am re-thinking OpenVPN a bit....
>
>Since it is rather old cert-wise it will expire in a couple of years anyway so I
>thought that it might be better to just start over and create a fresh server
>with new certs etc so it will last a lot longer.

On 3rd thought I realized that I have almost 3 years remaining on the life of my
certs (expire jan 2028) and I will save time now by just transplanting the OVPN
infrastructure over to the new server and changing the port-forward on the
router to the new IP address.
I will have to deal with cert renewals later.

So I copied /etc/openvpn and ~/openvpn (where I keep easyrsa3 and pki) over to
the same locations on the new server.
I did the same for the IPTABLES settings where I use iptables-persistent to make
them survive a reboot.
After that and some minor edits was done I created the ovpn services for the 2
openvpn instances and started them.
Finally I modified the two port-forwards on the router to use the new server's
IP address.

All seems to have worked fine AFAICT.

There is one small item/observation, though:
I have set up a LAN<->LAN connection between my home LAN and my summer home LAN
using OpenVPN so I can access the local devices transparently where-ever I am.
The router at the summer home is set up to use one of the OpenVPN channels to
hook it all up.
It was connected when I did the port forward change and I expected it to lose
connection, but it did not. Even after the switch to the new server the
connection is there, I have an SSH terminal hooked to a Linux box over there and
it did not feel a thing when the redirect was changed in the router.

Question:
Is the VPN connection once initialized independent of the router port forward as
long as the VPN server it is connected to at the time stays running?
It seems to be the case and the port forward setting seems irrelevant for it
during the switch. It stays connected to the old server.
Maybe only used during initialization of the connection?

--
Bo Berglund
Developer in Sweden
From: Alireza F. <rad...@gm...> - 2025-03-18 18:08:38
From: tincantech <tin...@pr...> - 2025-03-18 17:00:31
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi Bo,
cutting to the chase ..
A brief lesson in the essence of X509.
Using Easy-RSA PKI means that all certificates MUST
be signed using the CA Private Key.
Thus, to sign a "foreign request", that which has come
from an unknown source (eg: client), use these commands:
`import-req ~/Downloads/bob.req bob`
`sign-req client bob`
This will sign a request from a foreign source.
----
To create a foreign request on the CA machine, try Easy-RSA
option --pki=testpki with commands `init-pki` and `gen-req`.
----
When all Private keys and Public certificates are built
on the CA signing machine (eg: The designated CA) then
use commands:
`build-server-full server1`
`build-client-full client1`
These will create the Private key, which MUST then be
distributed securely. And the Public certificate, which
can be shared openly. Easy-RSA will also create an
inline file for OpenVPN use but be aware of the security
aspect outlined above. Easy-RSA places the inline files
into either the pki/inline or pki/inline/private folders.
Commands `build-x-full` are simply commands `gen-req` and
`sign-req` chained together, for easy use on the designated CA.
----
Perhaps the most significant point to make is:
The Private key of the foreign entity remains private,
if the foreign entity generated the Private key for itself.
Regards
Sent with Proton Mail secure email.
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail
wsC5BAEBCgBtBYJn2aaHCZBPl5z2a5C4nUUUAAAAAAAcACBzYWx0QG5vdGF0
aW9ucy5vcGVucGdwanMub3Jnfn6q7y4sOu1OL2hB8PmhZFlM7MRYVPQS/PG5
JPMA7FwWIQQJvD1EZ6ONcnnFVVVPl5z2a5C4nQAACYsIAMOeJC06rBKz2oUv
Mqw7pPTtOVpKv7i0WPuCYgjyv1CeabnJjsaPSXpAuWJeMV/TDZgJwggbGUbm
xDqS49IC4CPxq8d/wZert0BDoccDBm4+8k8+XfXnTTgF1XoEJHtYSUYsC71l
b3UvM9b1nupm5X2GwHVFQO2NJAQvYNI0DuruK0Xho7s2uPXAgklsarE4zatj
EyKWK90h3ZFGnRG1G23n2p0TCi0fllzeFqb3VdAJgQx23oE5NVW5WLvjz76g
bTCewR8aWzC4A1AmXlpC1fosrREYInPeFS26nDZ2FygR0y/zhNusnKOwGrwj
nvHNApZ4YDR1QOHX916vg5m07T0=
=1r2j
-----END PGP SIGNATURE-----
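To make concrete what the import-req / sign-req split in the message above actually does (an added example for this archive, not Easy-RSA's code), the sh script below performs the same steps with plain openssl: a CA directory, a separate "foreign" directory whose private key never leaves it, and the CA-built alternative that build-client-full / build-server-full correspond to. It assumes openssl is on PATH; every path, name and lifetime is constructed, and the function names are labels chosen here for the Easy-RSA commands they mirror.

```shell
# Added example, not from the thread: the X509 flow tincantech describes,
# done with plain openssl so each role is visible. Easy-RSA's build-ca,
# gen-req, import-req, sign-req and build-*-full wrap the same operations;
# every path, name and validity period here is constructed for the demo.
CA="$(mktemp -d)"       # PKI dir on the designated CA machine
FOREIGN="$(mktemp -d)"  # PKI dir on a separate, "foreign" machine

# Minimal openssl config per PKI dir, so nothing depends on the system openssl.cnf.
mkconf() {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n' > "$1/req.cnf"
    printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$1/req.cnf"
}
mkconf "$CA"; mkconf "$FOREIGN"

# Key generation options shared by every entity (P-256, unencrypted key).
EC_KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# CA machine: CA private key plus self-signed CA cert (Easy-RSA build-ca).
build_ca() {
    openssl req -x509 -config "$CA/req.cnf" $EC_KEY -days 3650 -subj "/CN=Demo CA" \
        -keyout "$CA/ca.key" -out "$CA/ca.crt" >/dev/null 2>&1
}

# Foreign machine: its own private key and a request; the key never leaves (gen-req).
gen_req() {
    openssl req -new -config "$FOREIGN/req.cnf" $EC_KEY -subj "/CN=$1" \
        -keyout "$FOREIGN/$1.key" -out "$FOREIGN/$1.req" >/dev/null 2>&1
}

# CA machine: only the .req file travels (import-req). $1 = req file, $2 = name.
import_req() { cp "$1" "$CA/reqs_$2.req"; }

# CA machine: sign with the CA private key; $1 = client|server picks the EKU,
# $2 = name (sign-req).
sign_req() {
    case "$1" in
        client) eku=clientAuth ;;
        server) eku=serverAuth ;;
        *) echo "sign_req: unknown type '$1'" >&2; return 1 ;;
    esac
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = %s\n' \
        "$eku" > "$CA/ext_$2.cnf"
    openssl x509 -req -in "$CA/reqs_$2.req" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
        -CAcreateserial -days 825 -extfile "$CA/ext_$2.cnf" -out "$CA/$2.crt" >/dev/null 2>&1
}

# CA machine makes key *and* cert (build-client-full / build-server-full):
# $CA/$2.key must then be handed to the entity over a secure channel.
build_full() {
    openssl req -new -config "$CA/req.cnf" $EC_KEY -subj "/CN=$2" \
        -keyout "$CA/$2.key" -out "$CA/reqs_$2.req" >/dev/null 2>&1 && sign_req "$1" "$2"
}

# What an OpenVPN peer effectively checks: does the cert chain to the CA?
verify_cert() { openssl verify -CAfile "$CA/ca.crt" "$1" >/dev/null 2>&1; }

# Does the cert carry the named extended key usage (as printed by openssl -text)?
has_eku() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# Does the CA dir hold this entity's private key? For a foreign request it must not.
ca_has_key() { [ -f "$CA/$1.key" ]; }
```

The two paths end with an equally valid certificate; the difference is only where the private key was born. After gen_req / import_req / sign_req the CA directory holds the request and the signed cert but no key for that entity, which is the property the message above calls the most significant point. After build_full the CA directory does hold the key, so that file needs the secure distribution step.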
From: Bo B. <bo....@gm...> - 2025-03-17 19:33:15
On Mon, 17 Feb 2025 16:28:36 +0100, Bo Berglund <bo....@gm...> wrote:
>So I have migrated my old Ubuntu Server 20.04.1 to version 24.04.1 and then to
>new hardware on a new install of Ubuntu version 24.04.1.
>
>The hardware migration was done as a fresh Ubuntu install followed by installing
>the support for all the functions handled by the server (Apache and Subversion
>among others) and migrating the configuration files.
>
>Now I have come to the OpenVPN part and regarding the infrastructure to manage
>the server logins and certs etc I have this question:
>
>On the old server I have migrated over the years through easyrsa versions up to
>3.1.5, which is what is now used there.
>
>Can I just copy over the directory tree in $HOME/openvpn where all the
>management stuff resides and then replace easyrsa with the now latest version
>from Github (3.2.2) without editing my scripts that use easyrsa?

BACK AGAIN...

So that was the plan before I had actually dived into the new server
configuration....

Now after having seen the issues when copying the other old stuff into the new
server I am re-thinking OpenVPN a bit....

Since it is rather old cert-wise it will expire in a couple of years anyway so I
thought that it might be better to just start over and create a fresh server
with new certs etc so it will last a lot longer.
Of course I will have to issue new client ovpn files for the new server but
there are not that many anyway and I have a log of all of them so I can
replicate and send the new files out when I will switch to the new server.
Meanwhile they can run in parallel, I just have to modify port forwards on the
router to get to the correct OVPN server...

So I have looked at my old notes on setting up an OpenVPN system from scratch
using easyrsa2 but updated for easyrsa 3.1.5
And now I am also reading the README.quickstart.md that comes along with 3.2.2

Here I have a few initial questions due to the differences I see:

In my old notes I had these initial steps to create the PKI:

  $ ./easyrsa init-pki
  $ ./easyrsa --nopass build-ca
  $ ./easyrsa --nopass build-server-full server1
  $ ./easyrsa --nopass build-client-full client1
  $ openvpn --genkey tls-crypt tls-crypt.key

Then I could start creating logins using my script for easyrsa3.

In the new readme I have seen this:

1. Choose a system to act as your CA and create a new PKI and CA
(I do not understand this.. What system is referenced? I am doing this on my new
server...)

  ./easyrsa init-pki
  ./easyrsa build-ca

2). On the system that is requesting a certificate, init its own PKI and generate
a keypair/request. Note that init-pki is used _only_ when this is done on a
separate system (or at least a separate PKI dir.) This is the recommended
procedure. If you are not using this recommended procedure, skip the next
import-req step.
(Again what does this mean? I am only dealing with a single server which I try
to set up from scratch.)

  ./easyrsa init-pki
  ./easyrsa gen-req EntityName

Should I just disregard the quickstart file in easyrsa 3.2.2?
And use my old method instead...

--
Bo Berglund
Developer in Sweden