On Mon, 17 Feb 2025 16:28:36 +0100, Bo Berglund <bo.bergl...@gmail.com> wrote:
>So I have migrated my old Ubuntu Server 20.04.1 to version 24.04.1 and then to
>new hardware on a new install of Ubuntu version 24.04.1.
>
>The hardware migration was done as a fresh Ubuntu install followed by installing
>the support for all the functions handled by the server (Apache and Subversion
>among others) and migrating the configuration files.
>
>Now I have come to the OpenVPN part and regarding the infrastructure to manage
>the server logins and certs etc I have this question:
>
>On the old server I have migrated over the years through easyrsa versions up to
>3.1.5, which is what is now used there.
>
>Can I just copy over the directory tree in $HOME/openvpn where all the
>management stuff resides and then replace easyrsa with the now latest version
>from Github (3.2.2) without editing my scripts that use easyrsa?

BACK AGAIN...

So that was the plan before I had actually dived into the new server
configuration....

Now after having seen the issues when copying the other old stuff into the new
server I am re-thinking OpenVPN a bit....

Since it is rather old cert-wise it will expire in a couple of years anyway so I
thought that it might be better to just start over and create a fresh server
with new certs etc so it will last a lot longer.

Of course I will have to issue new client ovpn files for the new server but
there are not that many anyway and I have a log of all of them so I can
replicate and send the new files out when I will switch to the new server.

Meanwhile they can run in parallel, I just have to modify port forwards on the
router to get to the correct OVPN server...

So I have looked at my old notes on setting up an OpenVPN system from scratch
using easyrsa2 but updated for easyrsa 3.1.5.

And now I am also reading the README.quickstart.md that comes along with 3.2.2.

Here I have a few initial questions due to the differences I see:

In my old notes I had these initial steps to create the PKI:

$ ./easyrsa init-pki
$ ./easyrsa --nopass build-ca
$ ./easyrsa --nopass build-server-full server1
$ ./easyrsa --nopass build-client-full client1
$ openvpn --genkey tls-crypt tls-crypt.key

Then I could start creating logins using my script for easyrsa3.

In the new readme I have seen this:

1. Choose a system to act as your CA and create a new PKI and CA

(I do not understand this.. What system is referenced? I am doing this on my
new server...)

    ./easyrsa init-pki
    ./easyrsa build-ca

2). On the system that is requesting a certificate, init its own PKI and
generate a keypair/request. Note that init-pki is used _only_ when this is done
on a separate system (or at least a separate PKI dir.) This is the recommended
procedure. If you are not using this recommended procedure, skip the next
import-req step.

(Again what does this mean? I am only dealing with a single server which I try
to set up from scratch.)

    ./easyrsa init-pki
    ./easyrsa gen-req EntityName

Should I just disregard the quickstart file in easyrsa 3.2.2?
And use my old method instead...

-- 
Bo Berglund
Developer in Sweden