From ArchWiki
Revision as of 11:22, 8 November 2016 by Althathwe (talk | contribs) (Rewrited page untested and didnt work.)
Jump to navigation Jump to search

Have the instructions been tested?

Keep getting errors (certificates invalid,, etc.), server key is not copied to /etc/openvpn, .. please test again, and fix the edits when needed. Because at the moment it's not possible to setup OpenVPN. Francoism (talk) 13:09, 28 August 2016 (UTC)

Yes, they have been tested. I cannot reproduce either of the comments you wrote in your accuracy flags this following these steps from start to finish creating the ovpn file. Suggest you try again. Graysky (talk) 17:01, 28 August 2016 (UTC)
Actually, I missed one step (copying the server.key to /etc/openvpn) but that omission does not explain the errors you posted. Again, I think you should just start over and you'll be fine. Graysky (talk) 17:16, 28 August 2016 (UTC)
Hi Graysky, finally found time to start over, turns out your ovpngenAUR and other generators I tried, don't copy the CA-certificate (yeah, should have check this). Maybe this happens because of permission issues. Is it helpful to add this as a note (e.g. what tags should (not) be empty?) Thanks. Francoism (talk) 21:06, 17 October 2016 (UTC)
Did you invoke it as root or via sudo like the readme instructs? The CA Cert is the 2nd token. Graysky (talk) 21:14, 17 October 2016 (UTC)
Don't know for sure to be honest, thought under root. But if this should work fine, it is an issue at my end. The command was executed correctly, didn't receive any error. Is it possible security tools block access (like AppArmor) and just return an empty file instead? Thanks Francoism (talk) 09:00, 18 October 2016 (UTC)
More likely, the needed files are not world-readable (default is 700 for many of them). Run the script as root and you'll be fine in all likelihood. Graysky (talk) 19:29, 18 October 2016 (UTC)
Try version 1.24 of ovpngenAUR which contains some internal checks for file permissions and physical existence. Graysky (talk) 19:53, 18 October 2016 (UTC)
Thanks for the update, will try and report back to you. :) Francoism (talk) 08:45, 19 October 2016 (UTC)

Why is this so complicated?

I understand the point of security, but a separated CA-machine, is that really necessary for a simple setup? Now the certificates need to be moved to the machine, which require a working SSH-setup, opening ports, potential risks of incorrect SSH-config, etc. Would it not be better to just take this as a note/tip and use the same machine that runs the OpenVPN server? Francoism (talk) 10:20, 25 August 2016 (UTC)

I don't think it's complicated and having a separate machine as the CA is a good security practice as well as recommended by upstream. See the linked readme. Graysky (talk) 19:13, 25 August 2016 (UTC)
I should add that a note in the article intro states that ssh is shown for illustrative purposes and that other methods are available to users; it would be out of scope for the article to show all possible ways to securely move files between machines. Graysky (talk) 19:14, 25 August 2016 (UTC)
+1. I'd even say a separate CA machine is the most simple general way here. @Francoism: Maybe in your case, but it's tricky to assume a reader runs a 'simple setup' for a task like PKI init. --Indigo (talk) 11:14, 26 August 2016 (UTC)


Should we mention to use ./build-key-pass for more security? See easy rsa key management

1. ./build-key mycert (no password protection)
2. OR ./build-key-pass mycert (with password protection)
3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
4. OR ./build-key-server mycert (with nsCertType=server)
5. mycert.crt and mycert.key will be built in your
  KEY_DIR directory, and mycert.crt will be signed
  by your root CA. If ./build-key-pkcs12 was used a
  mycert.p12 file will also be created including the
  private key, certificate and the ca certificate.

Homy (talk) 22:31, 22 August 2015 (UTC)

I believe this is no longer included upstream. Graysky (talk) 23:34, 18 October 2016 (UTC)

Missing script: make-cadir

The script make-cadir is not provided by upstream but it is an addition of the Ubuntu's packager "to simplify the use of easy-rsa in Debian" [1], therefore it is not available in Arch [2].

However the content of the script is quite simple:

set -e

usage() {
	echo "Usage: $0 DIRECTORY"
	echo "Creates a *new* directory and prepares it to be used as a (CA) key management directory (to create and store keys and certificates)."
	exit 1

[ "$#" -ne 1 ] && usage
[ -e "$1" ] && { echo "$1 exists. Aborting." ; usage ; }

mkdir -p "$1"
chmod 700 "$1"
ln -s /usr/share/easy-rsa/* "$1"
rm -f "$1"/vars "$1"/*.cnf
cp /usr/share/easy-rsa/vars /usr/share/easy-rsa/*.cnf "$1"

so I suggest to replace (in the section Installing the easy-rsa scripts)

# make-cadir /root/easy-rsa


# mkdir /root/easy-rsa
# chmod 700 /root/easy-rsa
# ln -s /usr/share/easy-rsa/* /root/easy-rsa
# cp /usr/share/easy-rsa/vars /root/easy-rsa
# cp /usr/share/easy-rsa/*.cnf /root/easy-rsa

I don't use easy-rsa so I can not test those commands so I ask to those of you who use it review them and check their validity (If I don't get any response in about a week I will proceed anyway).

I went ahead and reverted the change, since "make-cadir" is completely useless for now.

Probably safe to delete this then, yes? Graysky (talk) 23:34, 18 October 2016 (UTC)

Rewrited page untested and didnt work.

Commands should executed from root and in /etc/easy-rsa. --Althathwe (talk) 10:43, 8 November 2016 (UTC)

Reverted the edits, they didn't respect ArchWiki:Contributing#Do_not_make_complex_edits_at_once either. Old revision in case someone wants to take a closer look: diff, revision -- Alad (talk) 10:50, 8 November 2016 (UTC)

Copy-paste from --Althathwe (talk) 11:21, 8 November 2016 (UTC)