Comments (6)
Hi, I'm not sure it's EasyRSA's job to do your OpenVPN config for you.
EasyRSA aims not only to inter-operate with PKI needs for OpenVPN, but a variety of other PKI tasks. On top of this, OpenVPN configuration is an art all on its own, which is why the OpenVPN project maintains an official how-to on just this topic.
It sounds to me like what you want is an OpenVPN configuration frontend, which is not what this project aims to be.
This said, I'm open to suggestions to improve the X.509 and PKI-centric outputs EasyRSA provides. Is there a technical or documentation issue figuring out how to produce a CRL, or PKCS#12 (aka a "p12" file) from EasyRSA? If you can explain what you're trying to do and where you hit a wall, perhaps I can either point you to existing documentation or identify a more concrete area suitable for this project to improve.
Remember that EasyRSA could be used for a variety of purposes, including but not limited to OpenVPN, https, smtps, imaps, ipsec, and many other X.509 implementations. This project does not aim to generate "ready to use" configs for every application these protocols support; instead, EasyRSA aims to prevent users from needing to become OpenSSL and/or X.509 experts to begin using PKI productively.
from easy-rsa.
OpenSSL setup is what I needed, I am sure it does many other things.
And still I had to google extensively for how to use it. And I came across many HOWTOs, which is never a good thing. The closest to usable was to 'git clone' EasyRSA for every operation because of some paths issue.
Even when I look at FreeBSD port of EasyRSA, it does this:
# . /usr/local/share/easy-rsa/vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/yuri/VPN-RSA-keys
[root@yuri /home/yuri/github/tiny-dhcp-server]# ./clean-all
bash: ./clean-all: No such file or directory
So why does it say './clean-all' if it didn't even try to set any path then? There is the path problem right there.
And my OP is a wish list: what interface users really expect from the software like this.
from easy-rsa.
clean-all is an EasyRSA 2.x concept. This version is dead, and all but unsupported today.
Have you tried EasyRSA 3.x? This version does not require any "vars" file to use, and out of the box it is designed to work with OpenVPN. Further, there is a howto specifically for use with OpenVPN and EasyRSA 3 on the OpenVPN wiki, here, with nearly copy-and-paste friendly examples: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
Generally speaking, you're expected to be in the directory you want your pki to be created in. In the case of EasyRSA 3.x, if you invoke it from a directory of /some/where/ it assumes you want your PKI in /some/where/pki (with overrides possible via a variety of methods, from CLI, to env-vars, to a 'vars' file.)
Take a look at the referenced howto since you seem to want an OpenVPN-centric introduction to using EasyRSA.
from easy-rsa.
Ok, I will take a look, thanks.
from easy-rsa.
Closing. No longer focusing on 2.x series. Also, as QueuingKoala suggested, this is more an OpenVPN configuration issue and not so much an Easy-RSA issue.
from easy-rsa.
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz
gzip -dc EasyRSA-3.0.7.tgz | tar xvf -
export PATH=$PATH:`pwd`/EasyRSA-3.0.7 # append to PATH rather than replacing it, or every other command disappears
cp `pwd`/EasyRSA-3.0.7/vars.example `pwd`/EasyRSA-3.0.7/vars
vim `pwd`/EasyRSA-3.0.7/vars
easyrsa init-pki # initialize directory structure of easy-rsa
easyrsa build-ca nopass # initialize your own certification authority
easyrsa build-server-full myserver1 nopass
DD-WRT server in turn asks for these values:
* Public Server Cert
./pki/reqs/myserver1.crt
* Private Server Key
./pki/private/myserver1.key
* DH PEM
Run easyrsa gen-dh; the file will appear in ./pki/dh.pem
* Additional Config * TLS Auth Key
The file can be created with openvpn --genkey --secret server/pki/ta.key, copy it to both server and clients and set the variable to 0 or 1, respectively, in openvpn.conf, as shown below
# on server
tls-auth /etc/openvpn/iresite/ta.key 0
# on client (the key direction must be the opposite of the server's)
tls-auth /etc/openvpn/iresite/ta.key 1
* Certificate Revoke List
You need to create client key/crt pairs. OpenVPN states they should be signed with a different CA (not by the one used to sign your server certificates).
In theory, this should work: easyrsa build-client-full myclient1 nopass
but it uses the same CA as for the server. Also, the OpenVPN client config file should point to the ca.crt used for signing server certs, whereas the server config file should point to the ca.crt used to sign client certificates. Easy-RSA does not provide hooks to re-define the name of ca.crt, to say ca-server.crt and ca-clients.crt.
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
https://superuser.com/questions/1446201/openvpn-certificate-does-not-have-key-usage-extension
https://superuser.com/questions/738612/openssl-ca-keyusage-extension/1248085#1248085
To check what the certificates you have contain, use:
openssl x509 -in myserver1.crt -noout -text
openssl x509 -in myclient1.crt -noout -text
openssl x509 -in ca.crt -noout -text
from easy-rsa.
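An added check, not code from this thread or from the easy-rsa project: the `openssl x509 -text` inspection above is where the role of a certificate shows up, in the X509v3 Extended Key Usage extension, and OpenVPN's `remote-cert-tls server|client` option rejects a peer whose certificate lacks the expected value. The functions below classify a PEM certificate by that extension and verify it against a CA file the way a peer would; they assume the `openssl` CLI is on PATH and take file names as arguments.

```shell
#!/bin/sh
# Added example, not code from the easy-rsa thread: classify a certificate by
# its extendedKeyUsage (the property OpenVPN's remote-cert-tls enforces) and
# verify it against a CA file. With one CA signing both server and client
# certificates, as EasyRSA does by default, this extension is what prevents a
# client certificate from being presented as the server's.
# Assumes: openssl CLI available; $1/$2 are PEM files chosen by the caller.

# Print the extendedKeyUsage value line of a PEM cert (empty if absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 \
        | sed 's/^[[:space:]]*//'
}

# Echo server, client, both or none for the PEM cert in $1.
cert_role() {
    eku=$(cert_eku "$1")
    s=no; c=no
    case "$eku" in *"TLS Web Server Authentication"*) s=yes ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) c=yes ;; esac
    if [ "$s" = yes ] && [ "$c" = yes ]; then echo both
    elif [ "$s" = yes ]; then echo server
    elif [ "$c" = yes ]; then echo client
    else echo none; fi
}

# Mimic what an OpenVPN peer does: $2 must chain to the CA in $1 and carry
# the EKU for the expected role ($3 = server or client).
# Returns 0 on success, 1 on a chain failure, 2 on a role mismatch.
verify_peer_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    role=$(cert_role "$2")
    [ "$role" = "$3" ] || [ "$role" = both ] || return 2
    return 0
}

# Usage: verify_peer_cert pki/ca.crt pki/issued/myserver1.crt server
```

Running `cert_role` over the certificates listed in the checks above shows at a glance whether the server and client certificates are actually distinguishable to OpenVPN, which is the point of the key-usage links cited in the comment.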