Have the instructions been tested?
Keep getting errors (certificates invalid, etc.), server key is not copied to /etc/openvpn, .. please test again, and fix the edits when needed. Because at the moment it's not possible to set up OpenVPN. Francoism (talk) 13:09, 28 August 2016 (UTC)
- Yes, they have been tested. I cannot reproduce either of the comments you wrote in your accuracy flags following these steps from start to finish, creating the ovpn file. Suggest you try again. Graysky (talk) 17:01, 28 August 2016 (UTC)
- Hi Graysky, finally found time to start over, turns out your AUR and other generators I tried don't copy the CA certificate (yeah, should have checked this). Maybe this happens because of permission issues. Is it helpful to add this as a note (e.g. what tags should (not) be empty)? Thanks. Francoism (talk) 21:06, 17 October 2016 (UTC)
- Don't know for sure to be honest, thought under root. But if this should work fine, it is an issue at my end. The command was executed correctly, I didn't receive any error. Is it possible security tools (like AppArmor) block access and just return an empty file instead? Thanks Francoism (talk) 09:00, 18 October 2016 (UTC)
Rewritten page untested and didn't work.
- Reverted the edits, they didn't respect ArchWiki:Contributing#Do_not_make_complex_edits_at_once either. Old revision in case someone wants to take a closer look: diff, revision -- Alad (talk) 10:50, 8 November 2016 (UTC)
- Copy-paste from https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto --Althathwe (talk) 11:21, 8 November 2016 (UTC)
- I am sorry for making a complex edit at once. It did feel intrusive, but I did it nonetheless. It did not adhere to ArchWiki:Contributing#Do_not_make_complex_edits_at_once, so that was a mistake.
- The current state of this article is highly complex and hard to understand, in my opinion. It is actually not helping; it's easier to follow the upstream docs. It does not explain complex subjects like PKI, CA and CSR.
- Easy-RSA commands should not be executed as root. I find it a terrible idea. You could just as well execute the commands as a non-privileged user and transfer the generated files to /etc/easy-rsa. I expect the user to make that decision for herself.
- Overall, I would like this article to be simpler and be more The Arch Way. How do we proceed to do that?
- Aude (talk) 12:55, 8 November 2016 (UTC)
- Easy-RSA commands should be executed as root and in /etc/easy-rsa:
[user@v-arch-1 ~]$ easyrsa init-pki
WARNING: can't open config file: /home/user/openssl-1.0.cnf
Easy-RSA error:
The OpenSSL config file cannot be found.
Expected location: /home/user/openssl-1.0.cnf
[user@v-arch-1 easy-rsa]$ easyrsa init-pki
mkdir: cannot create directory ‘/etc/easy-rsa/pki’: Permission denied
Easy-RSA error:
Failed to create PKI file structure (permissions?)
- This page is so complex because it explains how to set up a PKI and generate everything for OpenVPN. This is not just an instruction on how to use Easy-RSA. --Althathwe (talk) 13:36, 8 November 2016 (UTC)
- Easy-RSA does not require root itself, but it does for access to /etc/easy-rsa, where Easy-RSA is installed by default in Arch (and supposed to be used in?). In Fedora, Easy-RSA is installed in /usr/share/easy-rsa/ and is supposed to be copied somewhere else to work. --Althathwe (talk) 17:11, 8 November 2016 (UTC)
Improving the page.
- Should the page contain instructions for copying files between machines through scp, repeated several times? Maybe it is better to add a detailed example to SCP and SFTP and link to it?
- The page should contain the information that ta.key should be shared among all peers.
- Should 'Client certificate and private key' have a double example? 'Server certificate and private key' doesn't have one.
- Should the page use 'easyrsa gen-dh' instead of 'openssl dhparam', as the upstream documentation does? At this moment 'easyrsa gen-dh' (through openssl) generates dh.pem with a prime length matched to the length of the RSA key, but doesn't have an output option. --Althathwe (talk) 17:11, 8 November 2016 (UTC)
easyrsa init-pki is used wrongly in the documentation, isn't it?
Maybe I am wrong, but if I used init-pki to initialize before creating the server and client key pairs, as is advised, then I would delete my CA in the pki dir. Please take a look and confirm or decline:
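The two points raised above (running Easy-RSA without root, and init-pki wiping an existing CA) can be handled in one script. The following is an added example written for this talk page, not code from the Easy-RSA project or the wiki article. It assumes Easy-RSA 3 (the commands init-pki, build-ca, build-server-full, build-client-full and the --batch flag, plus the EASYRSA and EASYRSA_PKI environment variables), a distribution copy of the tree in /etc/easy-rsa as on Arch, and that the working copy holds the OpenSSL config file the installed release expects (openssl-1.0.cnf for the 3.0.1-era output quoted above, openssl-easyrsa.cnf for later releases). EASYRSA_BIN is a knob of this script only, so a stand-in command can be substituted for testing.

```shell
#!/bin/sh
# Added example (not from Easy-RSA or the ArchWiki article): build a PKI as an
# unprivileged user from a per-user copy of /etc/easy-rsa, and make sure
# "easyrsa init-pki" runs only once, because init-pki removes and recreates
# $EASYRSA_PKI, taking ca.crt and private/ca.key with it.
set -u

EASYRSA_BIN="${EASYRSA_BIN:-easyrsa}"                 # script-only knob
EASYRSA="${EASYRSA:-${HOME:-.}/easy-rsa}"             # writable working copy
EASYRSA_PKI="${EASYRSA_PKI:-$EASYRSA/pki}"
export EASYRSA EASYRSA_PKI

# Create the per-user working copy once.  The "Permission denied" from
# mkdir /etc/easy-rsa/pki in the thread comes from skipping this step.
prepare_workdir() {
    src="${1:-/etc/easy-rsa}"
    if [ ! -d "$EASYRSA" ]; then
        mkdir -p "$EASYRSA" || return 1
        # Copy config, vars and x509-types if the packaged tree is readable.
        cp -R "$src"/. "$EASYRSA"/ 2>/dev/null || true
    fi
    [ -d "$EASYRSA" ]
}

# Run init-pki only when there is no PKI yet.
#   2 = a CA already exists, 3 = directory is not empty
pki_init_once() {
    if [ -e "$EASYRSA_PKI/ca.crt" ] || [ -e "$EASYRSA_PKI/private/ca.key" ]; then
        echo "refusing init-pki: $EASYRSA_PKI already holds a CA" >&2
        return 2
    fi
    if [ -d "$EASYRSA_PKI" ] && [ -n "$(ls -A "$EASYRSA_PKI" 2>/dev/null)" ]; then
        echo "refusing init-pki: $EASYRSA_PKI is not empty" >&2
        return 3
    fi
    "$EASYRSA_BIN" init-pki
}

# CA, one server cert/key and one client cert/key, all as the invoking user.
# Only copying the results into /etc/openvpn afterwards needs root.
build_pki() {
    server="${1:-server}"
    client="${2:-client1}"
    pki_init_once || return $?
    "$EASYRSA_BIN" --batch build-ca nopass                    || return 1
    "$EASYRSA_BIN" --batch build-server-full "$server" nopass || return 1
    "$EASYRSA_BIN" --batch build-client-full "$client" nopass || return 1
}

# Usage: sh build-pki.sh run [server-name] [client-name]
if [ "${1:-}" = "run" ]; then
    shift
    prepare_workdir && build_pki "$@"
fi
```

Note that build-ca with --batch uses Easy-RSA's default CA common name; drop --batch (or set EASYRSA_REQ_CN in vars) to be prompted for it, and drop nopass on build-ca if the CA key should be passphrase-protected.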
OpenVPN --secret param
When executing on OpenVPN 2.4.9
# openvpn --genkey secret /etc/openvpn/server/ta.key
it displays this error:
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: genkey (2.4.9)
Use --help for more information.
On 6 November 2020 "--secret" was changed to "secret", see https://wiki.archlinux.org/index.php?title=Easy-RSA&diff=640810&oldid=636120; if that is correct, a note needs to be added:
OpenVPN < 2.5 version use --secret
I can't find the version in which OpenVPN changed that option, and the official site uses "--secret". See https://openvpn.net/community-resources/hardening-openvpn-security/#tls-auth
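The version boundary is OpenVPN 2.5: it introduced the "--genkey secret FILE" form and deprecated "--genkey --secret FILE", while 2.4 and older only accept the old form, which is exactly the "Unrecognized option" error quoted above. The script below is an added example for this page (not OpenVPN's or the wiki's code) that parses the first line of "openvpn --version" and picks the matching syntax; the helper names are this example's own, and the version-string inputs in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from OpenVPN or the ArchWiki article): generate the
# tls-auth key with the syntax that the installed OpenVPN understands.
# Assumption: "--genkey secret FILE" exists from 2.5 on; older releases need
# "--genkey --secret FILE".  The same ta.key is then copied to every peer.
set -u

# Extract MAJOR.MINOR from a line such as
# "OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] ..."
openvpn_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenVPN \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed when MAJOR.MINOR (or MAJOR.MINOR.PATCH) is 2.5 or newer.
version_ge_2_5() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 5 ]; }
}

# Print the argument list for key generation, given a version and output path.
genkey_args() {
    if version_ge_2_5 "$1"; then
        printf '%s\n' "--genkey secret $2"
    else
        printf '%s\n' "--genkey --secret $2"
    fi
}

# Generate the key with the detected syntax.  Refuses to overwrite an existing
# key (2), and fails if openvpn is not found (3); the key is made owner-only.
gen_tls_auth_key() {
    out="$1"
    if [ -e "$out" ]; then
        echo "$out exists, not overwriting" >&2
        return 2
    fi
    ver=$(openvpn_version "$(openvpn --version 2>/dev/null | head -n 1)")
    if [ -z "$ver" ]; then
        echo "openvpn not found or version not recognised" >&2
        return 3
    fi
    # shellcheck disable=SC2046
    openvpn $(genkey_args "$ver" "$out") && chmod 600 "$out"
}

# Usage: sh gen-ta-key.sh run [/etc/openvpn/server/ta.key]
if [ "${1:-}" = "run" ]; then
    gen_tls_auth_key "${2:-/etc/openvpn/server/ta.key}"
fi
```

On 2.5 the old "--genkey --secret" still works but prints a deprecation warning, so a page that must serve both generations can keep the old spelling and add the note proposed above, or use the detection shown here.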