On Sat, 29 Mar 2025 10:41:38 +0100, Bo Berglund <bo.bergl...@gmail.com> wrote:
> >But I am struggling to understand the concepts still.

Some help: https://github.com/OpenVPN/easy-rsa/blob/master/doc/Intro-To-PKI.md

> >I tried the section I feel is most similar to my use:
> >
> >PKI procedure: Producing your complete PKI on the CA machine
> >
> >Now I have done this after creating the vars file from the example with
> >extended lifetimes set:
> >
> >1) ./easyrsa init-pki (This creates and populates the pki dir)
> >2) ./easyrsa --nopass build-ca
> >3) ./easyrsa gen-tls-crypt-key
> >4) ./easyrsa --nopass build-server-full HakanNew
> >5) ./easyrsa build-client-full BosseWien (client for myself)
> >6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)

That all looks good.

> Follow-up
> ---------
> I tested it by editing my existing server.conf file and commenting out all of
> these lines referencing cert files etc:
>
> #Keys, Certificates, directories etc:
> ca /etc/openvpn/server/serverkeys/ca.crt
> cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
> key /etc/openvpn/server/serverkeys/HAKANVPN.key
> dh /etc/openvpn/server/serverkeys/dh2048.pem
> tls-auth /etc/openvpn/server/serverkeys/ta.key 0
>
> Instead I copied in the full content of the server's inline file at the end of
> the server.conf file.
>
> But that only resulted in a total non-starter when trying to start the service
> so I have probably missed something important...

What error message is given?

> >ALSO:
> >-----
> >A bit down in the document above I found a link to another github script
> >Easy-TLS, which seems to be needed to do something TLS related ("add the
> >finishing touches to your PKI").

You do not need Easy-TLS.
Easy-TLS is only of any value if you want to use TLS-Crypt-v2 TLS keys.

I also recommend that you consider using OpenVPN peer-fingerprint mode.
One advantage is that expired certificates continue to work, until you
decide to remove their fingerprint from the server.
Or, you could instead try using https://github.com/pivpn/pivpn

pivpn would probably be ideal for you.

R
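The peer-fingerprint mode recommended in the reply above, shown as an added example that is not part of the thread and not code from the OpenVPN or Easy-RSA projects. It builds the whole thing without a CA: each side gets a self-signed EC certificate, the server lists the SHA-256 fingerprints of the client certificates it accepts in a <peer-fingerprint> block, and each client pins the server's fingerprint with a peer-fingerprint line. The script assumes openssl is in PATH; the names (server, client1, client2), the output directory, the port, the 10.8.0.0/24 subnet and vpn.example.net are all hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN/Easy-RSA
# projects. Builds a minimal OpenVPN peer-fingerprint setup: self-signed
# EC certificates for a server and its clients, with no CA at all, plus
# config fragments that pin the peer's SHA-256 certificate fingerprint.
# Assumes openssl is in PATH. All names, paths, ports and addresses are
# hypothetical.
set -eu

# gen_selfsigned NAME DIR: create NAME.key (P-256) and a 10-year self-signed
# NAME.crt in DIR. Nothing signs it; only its fingerprint will matter.
gen_selfsigned() {
    name=$1; dir=$2
    mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
    openssl req -x509 -new -key "$dir/$name.key" -out "$dir/$name.crt" \
        -sha256 -days 3650 -subj "/CN=$name"
}

# cert_fingerprint CERT: print the SHA-256 fingerprint of CERT in the
# colon-separated form OpenVPN expects (AB:CD:...:EF).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# fingerprint_is_valid FP: succeed only if FP is 32 upper-case hex pairs
# joined by colons, i.e. a well-formed SHA-256 fingerprint.
fingerprint_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$'
}

# write_server_conf DIR SERVER CLIENT...: write DIR/server.conf. The server
# presents SERVER.crt and accepts any client whose certificate fingerprint
# appears in the <peer-fingerprint> block. No "ca" directive is needed, and
# "dh none" is fine because the TLS handshake uses ECDHE.
write_server_conf() {
    dir=$1; server=$2; shift 2
    {
        echo "port 1194"
        echo "proto udp"
        echo "dev tun"
        echo "server 10.8.0.0 255.255.255.0"
        echo "dh none"
        echo "cert $dir/$server.crt"
        echo "key $dir/$server.key"
        echo "<peer-fingerprint>"
        for c in "$@"; do
            cert_fingerprint "$dir/$c.crt"
        done
        echo "</peer-fingerprint>"
    } > "$dir/server.conf"
}

# write_client_conf DIR SERVER CLIENT REMOTE: write DIR/CLIENT.ovpn, pinning
# the server's certificate fingerprint instead of trusting a CA.
write_client_conf() {
    dir=$1; server=$2; client=$3; remote=$4
    {
        echo "client"
        echo "dev tun"
        echo "proto udp"
        echo "remote $remote 1194"
        echo "cert $dir/$client.crt"
        echo "key $dir/$client.key"
        echo "peer-fingerprint $(cert_fingerprint "$dir/$server.crt")"
    } > "$dir/$client.ovpn"
}

# build_demo DIR: generate a server and two clients plus all config
# fragments, then print the server fingerprint for out-of-band comparison.
build_demo() {
    dir=$1
    gen_selfsigned server "$dir"
    gen_selfsigned client1 "$dir"
    gen_selfsigned client2 "$dir"
    write_server_conf "$dir" server client1 client2
    write_client_conf "$dir" server client1 vpn.example.net
    write_client_conf "$dir" server client2 vpn.example.net
    cert_fingerprint "$dir/server.crt"
}

# Run directly as:  sh peer-fingerprint.sh /tmp/pf-demo   (hypothetical path)
if [ -n "${1:-}" ]; then
    build_demo "$1"
fi
```

Revoking a client is then just deleting its line from the <peer-fingerprint> block and reloading the server; no CRL is involved. A tls-crypt or tls-auth line can be added to both fragments exactly as with a CA-based setup, since the control-channel key is independent of how certificates are verified. Compare the printed server fingerprint with the one in each .ovpn file over a channel you trust before handing the file out.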
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users