Talk:Easy-RSA

From ArchWiki
Latest comment: 17 October 2020 by MrHritik in topic Using build-serverClient-full

Have the instructions been tested?

Keep getting errors (certificates invalid, etc.), server key is not copied to /etc/openvpn, .. please test again, and fix the edits when needed. Because at the moment it's not possible to set up OpenVPN. Francoism (talk) 13:09, 28 August 2016 (UTC)

Yes, they have been tested. I cannot reproduce either of the comments you wrote in your accuracy flags following these steps from start to finish, creating the ovpn file. Suggest you try again. Graysky (talk) 17:01, 28 August 2016 (UTC)
Actually, I missed one step (copying the server.key to /etc/openvpn) but that omission does not explain the errors you posted. Again, I think you should just start over and you'll be fine. Graysky (talk) 17:16, 28 August 2016 (UTC)
Hi Graysky, finally found time to start over, turns out your ovpngen (AUR) and other generators I tried don't copy the CA certificate (yeah, should have checked this). Maybe this happens because of permission issues. Is it helpful to add this as a note (e.g. what tags should (not) be empty)? Thanks. Francoism (talk) 21:06, 17 October 2016 (UTC)
Did you invoke it as root or via sudo like the readme instructs? The CA Cert is the 2nd token. Graysky (talk) 21:14, 17 October 2016 (UTC)
Don't know for sure to be honest, thought under root. But if this should work fine, it is an issue at my end. The command was executed correctly, didn't receive any error. Is it possible security tools block access (like AppArmor) and just return an empty file instead? Thanks Francoism (talk) 09:00, 18 October 2016 (UTC)
More likely, the needed files are not world-readable (default is 700 for many of them). Run the script as root and you'll be fine in all likelihood. Graysky (talk) 19:29, 18 October 2016 (UTC)
Try version 1.24 of ovpngen (AUR) which contains some internal checks for file permissions and physical existence. Graysky (talk) 19:53, 18 October 2016 (UTC)
Thanks for the update, will try and report back to you. :) Francoism (talk) 08:45, 19 October 2016 (UTC)

Rewritten page untested and didn't work.

Commands should be executed as root and in /etc/easy-rsa. --Althathwe (talk) 10:43, 8 November 2016 (UTC)

Reverted the edits; they didn't respect ArchWiki:Contributing#Do_not_make_complex_edits_at_once either. Old revision in case someone wants to take a closer look: diff, revision -- Alad (talk) 10:50, 8 November 2016 (UTC)
Copy-pasted from https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto --Althathwe (talk) 11:21, 8 November 2016 (UTC)
I am sorry for making a complex edit at once. It did feel intrusive, but I did it nonetheless. It did not adhere to ArchWiki:Contributing#Do_not_make_complex_edits_at_once, so that was a mistake.
The current state of this article is highly complex and hard to understand, in my opinion. It is actually not helping; it's easier to follow the upstream docs. It does not explain complex subjects like PKI, CA and CSR.
Easy-RSA commands should not be executed as root. I find it a terrible idea. You could just as well execute the commands as a non-privileged user and transfer the generated files to /etc/easy-rsa. I expect the user to make that decision for herself.
Overall, I would like this article to be simpler and be more The Arch Way. How do we proceed to do that?
Aude (talk) 12:55, 8 November 2016 (UTC)
Easy-RSA commands should be executed as root and in /etc/easy-rsa:
[user@v-arch-1 ~]$ easyrsa init-pki
WARNING: can't open config file: /home/user/openssl-1.0.cnf
Easy-RSA error:
The OpenSSL config file cannot be found.
Expected location: /home/user/openssl-1.0.cnf
[user@v-arch-1 easy-rsa]$ easyrsa init-pki 
mkdir: cannot create directory ‘/etc/easy-rsa/pki’: Permission denied
Easy-RSA error:
Failed to create PKI file structure (permissions?)
This page is so complex because it explains how to set up a PKI and generate everything for OpenVPN. This is not just an instruction on how to use Easy-RSA. --Althathwe (talk) 13:36, 8 November 2016 (UTC)
Easy-RSA does not require root itself, but for access to /etc/easy-rsa, where easy-rsa is installed by default in Arch (and is supposed to be used in?). In Fedora easy-rsa is installed in /usr/share/easy-rsa/ and is supposed to be copied somewhere else to work. --Althathwe (talk) 17:11, 8 November 2016 (UTC)

Improving the page.

  • Should the page contain instructions, repeated several times, for copying files between machines through scp? Maybe it would be better to add a detailed example to SCP and SFTP and link to it?
  • The page should contain the information that ta.key should be shared among all peers.
  • Should 'Client certificate and private key' have a double example? 'Server certificate and private key' does not have one.
  • Should the page use 'easyrsa gen-dh' instead of 'openssl dhparam', as the upstream documentation does? At this moment 'easyrsa gen-dh' (through openssl) generates dh.pem with a prime length matched to the length of the RSA key, but it does not have an output option. --Althathwe (talk) 17:11, 8 November 2016 (UTC)

easyrsa init-pki is used wrongly in the documentation, isn't it?

Maybe I am wrong, but if I used init-pki to initialize before creating the server and client key pairs, as is advised, then I would delete my CA in the pki dir. Please take a look and confirm or decline:

Easy-RSA#Server_certificate_and_private_key

Easy-RSA#Client_certificate_and_private_key

YaH (talk) 21:31, 28 March 2017 (UTC)

Using build-serverClient-full

easyrsa can now create both certs without much issue; should we include this option in the wiki? MrHritik (talk) 20:12, 17 October 2020 (UTC)
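A worked version of the workflow argued over in this thread, as an added shell example that is not from the wiki page or from the Easy-RSA project: it runs Easy-RSA 3 as an unprivileged user (the root-vs-non-root question from Aude's and Althathwe's comments), uses `easyrsa gen-dh` rather than `openssl dhparam` (from "Improving the page"), guards against the `init-pki` problem YaH raised, and issues the server and client certificates with `build-server-full` / `build-client-full` as suggested in this section. It assumes `easyrsa` is in PATH, that /etc/easy-rsa is the Arch directory holding the OpenSSL config and vars (so `EASYRSA` points there while `EASYRSA_PKI` points at a user-owned directory, which is what removes the need for root), and OpenVPN 2.5 or later for the `openvpn --genkey secret` form. The function names, the `$HOME/easy-rsa/pki` location and the `build` argument are this example's own choices. The guard exists because `easyrsa init-pki` re-initialises the PKI directory and removes whatever is already there, CA included; the name check exists because Easy-RSA uses the requested name as a file name under pki/issued and pki/private.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or the Easy-RSA project.
# Drives Easy-RSA 3 as an unprivileged user and refuses to re-run
# init-pki over a directory that already holds a CA.
#
# Assumptions: `easyrsa` is in PATH; /etc/easy-rsa is the Arch config
# directory (OpenSSL config + vars); OpenVPN >= 2.5 for `--genkey secret`.
set -eu

# Easy-RSA reads its OpenSSL config and vars from $EASYRSA and keeps
# keys/certs under $EASYRSA_PKI. Pointing EASYRSA_PKI at a directory
# you own means no easyrsa command needs root (assumed paths).
EASYRSA="${EASYRSA:-/etc/easy-rsa}"
EASYRSA_PKI="${EASYRSA_PKI:-${HOME:-.}/easy-rsa/pki}"
export EASYRSA EASYRSA_PKI

# pki_has_ca DIR: succeed when DIR already contains a CA certificate and
# its private key, i.e. `easyrsa init-pki` there would wipe a live CA.
pki_has_ca() {
    [ -s "$1/ca.crt" ] && [ -s "$1/private/ca.key" ]
}

# safe_init_pki DIR: initialise DIR only when it holds no CA; otherwise
# leave it untouched and fail, so a re-run cannot destroy the CA that
# signed the existing server and client certificates.
safe_init_pki() {
    if pki_has_ca "$1"; then
        printf 'refusing init-pki: %s already holds a CA\n' "$1" >&2
        return 1
    fi
    EASYRSA_PKI="$1" easyrsa init-pki
}

# issued_name_ok NAME: Easy-RSA turns NAME into pki/issued/NAME.crt and
# pki/private/NAME.key, so keep it to a conservative character set.
issued_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_openvpn_pki SERVER CLIENT...: CA, one server cert and any number
# of client certs, each key + CSR + signature done by one build-*-full
# call. `nopass` leaves the private keys unencrypted, which an unattended
# OpenVPN server needs; drop it for client keys you want passphrase-protected.
build_openvpn_pki() {
    server=$1; shift
    for n in "$server" "$@"; do
        issued_name_ok "$n" || { printf 'bad name: %s\n' "$n" >&2; return 1; }
    done
    safe_init_pki "$EASYRSA_PKI"
    easyrsa build-ca nopass                      # pki/ca.crt, pki/private/ca.key (prompts for CN)
    easyrsa build-server-full "$server" nopass   # pki/issued/$server.crt, pki/private/$server.key
    for c in "$@"; do
        easyrsa build-client-full "$c" nopass    # pki/issued/$c.crt, pki/private/$c.key
    done
    easyrsa gen-dh                               # pki/dh.pem, length from EASYRSA_KEY_SIZE
    # tls-auth key: a single key shared by the server and every client.
    openvpn --genkey secret "$EASYRSA_PKI/ta.key"
}

# Only build when invoked as `sh build-pki.sh build server client1 ...`,
# so the file can also be sourced for its functions without side effects.
if [ "${1:-}" = build ]; then
    shift
    build_openvpn_pki "$@"
fi
```

After `sh build-pki.sh build server client1`, root copies ca.crt, issued/server.crt, private/server.key, dh.pem and ta.key into /etc/openvpn; each client gets ca.crt, its own issued/NAME.crt and private/NAME.key, plus the same ta.key, which is the "shared among all peers" point from "Improving the page". A second run of the script stops at `safe_init_pki` instead of silently replacing the CA.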