Comments (6)

QueuingKoala commented on July 30, 2024

Hi, I'm not sure it's EasyRSA's job to do your OpenVPN config for you.

EasyRSA aims not only to inter-operate with PKI needs for OpenVPN, but a variety of other PKI tasks. On top of this, OpenVPN configuration is an art all on its own, which is why the OpenVPN project maintains an official how-to on just this topic.

It sounds to me like what you want is an OpenVPN configuration frontend, which is not what this project aims to be.

This said, I'm open to suggestions to improve the X.509 and PKI-centric outputs EasyRSA provides. Is there a technical or documentation issue figuring out how to produce a CRL, or PKCS#12 (aka a "p12" file) from EasyRSA? If you can explain what you're trying to do and where you hit a wall, perhaps I can either point you to existing documentation or identify a more concrete area suitable for this project to improve.

Remember that EasyRSA could be used for a variety of purposes, including but not limited to OpenVPN, https, smtps, imaps, ipsec, and many other X.509 implementations. This project does not aim to generate "ready to use" configs for every application these protocols support; instead, EasyRSA aims to prevent users from needing to become OpenSSL and/or X.509 experts to begin using PKI productively.

from easy-rsa.

yurivict commented on July 30, 2024

OpenSSL setup is what I needed, I am sure it does many other things.

And still I had to extensively google for how to use it. And I came across many HOWTOs, which is never a good thing. The closest to usable was to 'git clone' EasyRSA for every operation because of some paths issue.

Even when I look at FreeBSD port of EasyRSA, it does this:

# . /usr/local/share/easy-rsa/vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/yuri/VPN-RSA-keys
[root@yuri /home/yuri/github/tiny-dhcp-server]# ./clean-all
bash: ./clean-all: No such file or directory

So why does it say './clean-all' if it didn't even try to set any path then? There is the path problem right there.

And my OP is a wish list: what interface users really expect from the software like this.

from easy-rsa.

QueuingKoala commented on July 30, 2024

clean-all is an EasyRSA 2.x concept. This version is dead, and all but unsupported today.

Have you tried EasyRSA 3.x? This version does not require any "vars" file to use, and out of the box it is designed to work with OpenVPN. Further, there is a howto specifically for use with OpenVPN and EasyRSA 3 on the OpenVPN wiki, here, with nearly copy-and-paste friendly examples: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

Generally speaking, you're expected to be in the directory you want your pki to be created in. In the case of EasyRSA 3.x, if you invoke it from a directory of /some/where/ it assumes you want your PKI in /some/where/pki (with overrides possible via a variety of methods, from CLI, to env-vars, to a 'vars' file.)

Take a look at the referenced howto since you seem to want an OpenVPN-centric introduction to using EasyRSA.

from easy-rsa.

yurivict commented on July 30, 2024

Ok, I will take a look, thanks.

from easy-rsa.

ecrist commented on July 30, 2024

Closing. No longer focusing on 2.x series. Also, as QueuingKoala suggested, this is more an OpenVPN configuration issue and not so much an Easy-RSA issue.

from easy-rsa.

mmokrejs commented on July 30, 2024

wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz
gzip -dc EasyRSA-3.0.7.tgz |  tar xvf -
# prepend the unpacked directory to PATH; replacing PATH outright would hide cp, vim and openssl
export PATH="$(pwd)/EasyRSA-3.0.7:$PATH"
cp "$(pwd)/EasyRSA-3.0.7/vars.example" "$(pwd)/EasyRSA-3.0.7/vars"
vim "$(pwd)/EasyRSA-3.0.7/vars"

easyrsa init-pki # initialize directory structure of easy-rsa
easyrsa build-ca nopass # initialize your own certification authority

easyrsa build-server-full myserver1 nopass

DD-WRT server in turn asks for these values:

* Public Server Cert

./pki/reqs/myserver1.crt

* Private Server Key

./pki/private/myserver1.key

* DH PEM

Run easyrsa gen-dh, the file will appear in ./pki/dh.pem

* Additional Config

* TLS Auth Key

The file can be created with

openvpn --genkey --secret server/pki/ta.key, copy it to both server and clients and set the variable to 0 or 1, respectively, in openvpn.conf, as shown below

# on server (key direction 0)
tls-auth /etc/openvpn/iresite/ta.key 0

# on client (key direction 1)
tls-auth /etc/openvpn/iresite/ta.key 1

* Certificate Revoke List

You need to create client key/crl pairs. OpenVPN states they should be signed with a different CA (not by the one used to sign your server certificates).

In theory, this should work: easyrsa build-client-full myclient1 nopass, but it uses the same CA as for the server. Also, the OpenVPN client config file should point to the ca.crt used for signing server certs, whereas the server config file should point to the ca.crt used to sign client certificates. Easy-RSA does not provide hooks to re-define the name of ca.crt to, say, ca-server.crt and ca-clients.crt.

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

https://openvpn.net/community-resources/important-note-on-possible-man-in-the-middle-attack-if-clients-do-not-verify-the-certificate-of-the-server-they-are-connecting-to/

https://securitronlinux.com/bejiitaswrath/how-to-create-keys-with-easy-rsa-without-a-password-prompt/

https://superuser.com/questions/1446201/openvpn-certificate-does-not-have-key-usage-extension

https://superuser.com/questions/738612/openssl-ca-keyusage-extension/1248085#1248085

To check what the certificates you have contain, use:

openssl x509 -in myserver1.crt -noout -text
openssl x509 -in myclient1.crt -noout -text
openssl x509 -in ca.crt -noout -text

from easy-rsa.
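The post above lists the artefacts an OpenVPN server wants (server cert and key, a CRL) and links two questions about key-usage extensions plus the OpenVPN note on clients that do not verify the server certificate. The script below is an added example, not code from the easy-rsa project or from anyone in this thread: it builds a throwaway PKI with the plain openssl CLI (so it runs where EasyRSA is not installed) in the same layout EasyRSA 3 uses (pki/ca.crt, pki/private for keys, pki/reqs for requests, pki/issued for signed certificates, pki/crl.pem), issues a server certificate with extendedKeyUsage serverAuth and a client certificate with clientAuth, revokes the client and regenerates the CRL, and then shows the two checks a defender cares about: the CRL check the server performs with "crl-verify", and the EKU check a client performs with "remote-cert-tls server", which is what stops a valid client certificate from posing as the server. Every name, subject and path is constructed for the example; it assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example, not code from the easy-rsa project or from this thread.
# Builds a sample OpenVPN-style PKI with the plain openssl CLI in EasyRSA 3's
# directory layout. Assumes: openssl on PATH. All names, subjects and paths
# below are constructed for the example.
set -eu

PKI="${PKI:-$(mktemp -d)/pki}"

write_profiles() {
  mkdir -p "$PKI/private" "$PKI/issued" "$PKI/reqs"
  # Extension profiles: the EKU is what "remote-cert-tls server" checks.
  # EasyRSA 3 ships equivalent profiles under x509-types/.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' > "$PKI/server.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature' \
    'extendedKeyUsage=clientAuth' > "$PKI/client.ext"
  # Minimal "openssl ca" config; $PKI is expanded by the shell, $dir by openssl.
  cat > "$PKI/openssl.cnf" <<EOF
[ ca ]
default_ca       = sample_ca
[ sample_ca ]
dir              = $PKI
database         = \$dir/index.txt
new_certs_dir    = \$dir/issued
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 825
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
  : > "$PKI/index.txt"
  echo 1000 > "$PKI/serial"
  echo 1000 > "$PKI/crlnumber"
}

build_ca() {
  # Self-signed CA plus an initially empty CRL (cf. "easyrsa build-ca", "easyrsa gen-crl").
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Sample CA' \
    -keyout "$PKI/private/ca.key" -out "$PKI/ca.crt" 2>/dev/null
  openssl ca -batch -config "$PKI/openssl.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null
}

# issue NAME server|client: key and request, then a CA-signed cert carrying
# that profile's EKU (cf. "easyrsa build-server-full" / "build-client-full").
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$PKI/private/$1.key" -out "$PKI/reqs/$1.req" 2>/dev/null
  openssl ca -batch -notext -config "$PKI/openssl.cnf" -extfile "$PKI/$2.ext" \
    -in "$PKI/reqs/$1.req" -out "$PKI/issued/$1.crt" 2>/dev/null
}

# revoke NAME: mark the cert revoked and publish a fresh CRL
# (cf. "easyrsa revoke" followed by "easyrsa gen-crl").
revoke() {
  openssl ca -batch -config "$PKI/openssl.cnf" -revoke "$PKI/issued/$1.crt" 2>/dev/null
  openssl ca -batch -config "$PKI/openssl.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null
}

# Prints the extended key usage names of a cert, taken from "openssl x509 -text".
cert_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
    | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Succeeds only if the cert chains to ca.crt and is not listed in crl.pem
# (the check an OpenVPN server performs with "crl-verify").
cert_valid() {
  openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/crl.pem" "$1" >/dev/null 2>&1
}

# Succeeds only if the cert may act as a TLS server: the EKU check a client
# performs with "remote-cert-tls server". A client cert fails it.
cert_ok_as_server() {
  openssl verify -purpose sslserver -CAfile "$PKI/ca.crt" "$1" >/dev/null 2>&1
}

main() {
  write_profiles
  build_ca
  issue server1 server
  issue client1 client
  echo "server1 EKU: $(cert_eku "$PKI/issued/server1.crt")"
  echo "client1 EKU: $(cert_eku "$PKI/issued/client1.crt")"
  if ! cert_ok_as_server "$PKI/issued/client1.crt"; then
    echo "client1 rejected as a server certificate: remote-cert-tls server would refuse it"
  fi
  revoke client1
  if ! cert_valid "$PKI/issued/client1.crt"; then
    echo "client1 revoked: crl-verify would refuse it"
  fi
  if cert_valid "$PKI/issued/server1.crt"; then
    echo "server1 still valid; PKI in $PKI"
  fi
}
main
```

The server's openvpn.conf would then carry "ca pki/ca.crt", "cert pki/issued/server1.crt", "key pki/private/server1.key" and "crl-verify pki/crl.pem", and every client config "remote-cert-tls server"; without the last directive any holder of a valid client certificate could present it as the server, which is the scenario the linked OpenVPN note describes. Re-run the "revoke" function and redistribute crl.pem whenever a client key is lost.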
