Migrating OpenVPN server to new hardware, how to?

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
BobAGI
OpenVPN Power User
Posts: 156
Joined: Mon May 05, 2014 10:17 pm

Migrating OpenVPN server to new hardware, how to?

Post by BobAGI » Thu May 15, 2014 9:38 am

I have installed OpenVPN server on a RaspberryPi running RASPBMC.
There are issues with this making it impossible for me to get it working following a reboot without manually entering routing commands for iptables.
It has to do with the RASPBMC firewall management and after working on it a lot I have now given up.

Instead I have gotten a new Pi and installed RASPBIAN on it (a Debian offspring).
But I have already created the certificates and keys and what have you on the old Pi, so how should I go about moving this to the new server?
I don't want to re-distribute the client side key files if at all possible.

BobAGI
OpenVPN Power User
Posts: 156
Joined: Mon May 05, 2014 10:17 pm

Re: Migrating OpenVPN server to new hardware, how to?

Post by BobAGI » Thu May 15, 2014 9:51 pm

Any hint on where I can find them and how to register them with the new server?
Maybe this: /etc/openvpn/easy-rsa/keys is the correct directory?
I found the following files there:

Code: Select all

root@raspbmc:/etc/openvpn/easy-rsa/keys# ls -l
total 156
-rw------- 1 root root 4127 May  4 13:11 01.pem
-rw------- 1 root root 4005 May  4 13:14 02.pem
-rw------- 1 root root 4004 May  4 13:29 03.pem
-rw------- 1 root root 4005 May  4 13:30 04.pem
-rw------- 1 root root 4127 May  4 13:11 BBOpenVPN.crt
-rw------- 1 root root  733 May  4 13:10 BBOpenVPN.csr
-rw------- 1 root root  920 May  4 13:10 BBOpenVPN.key
-rw------- 1 root root  963 May  4 13:35 BosseASUS.3des.key
-rw------- 1 root root 4005 May  4 13:30 BosseASUS.crt
-rw------- 1 root root  733 May  4 13:29 BosseASUS.csr
-rw------- 1 root root 1041 May  4 13:29 BosseASUS.key
-rw------- 1 root root 4752 May  4 19:40 BosseASUS.ovpn
-rw------- 1 root root  963 May  4 13:35 BosseS4M.3des.key
-rw------- 1 root root 4004 May  4 13:29 BosseS4M.crt
-rw------- 1 root root  733 May  4 13:28 BosseS4M.csr
-rw------- 1 root root 1041 May  4 13:28 BosseS4M.key
-rw------- 1 root root 4752 May  4 19:40 BosseS4M.ovpn
-rw------- 1 root root  951 May  4 13:32 BosseWin7.3des.key
-rw------- 1 root root 4005 May  4 13:14 BosseWin7.crt
-rw------- 1 root root  733 May  4 13:14 BosseWin7.csr
-rw------- 1 root root 1041 May  4 13:14 BosseWin7.key
-rw------- 1 root root 4740 May  4 19:39 BosseWin7.ovpn
-rw------- 1 root root  228 May  4 18:55 Default.txt
-rw------- 1 root root 1650 May  4 19:39 MakeOPVN.sh
-rw------- 1 root root 1383 May  4 13:09 ca.crt
-rw------- 1 root root  916 May  4 13:09 ca.key
-rw------- 1 root root  245 May  4 13:40 dh1024.pem
-rw------- 1 root root  555 May  4 13:30 index.txt
-rw------- 1 root root   21 May  4 13:30 index.txt.attr
-rw------- 1 root root   21 May  4 13:29 index.txt.attr.old
-rw------- 1 root root  416 May  4 13:29 index.txt.old
-rw------- 1 root root    3 May  4 13:30 serial
-rw------- 1 root root    3 May  4 13:29 serial.old
-rw------- 1 root root  636 May  4 13:57 ta.key
Questions:
Which files do I copy over and where do they go on the other Pi? Same directory name?
Do I have to set their permissions to 600 on the target?
Is there a command I can issue from the new Pi to the old Pi (or vice versa) over the network so that the whole directory is copied over with the permissions all intact? Otherwise the files have to make a stop-over on my Windows computer...

Regarding the root cert:
Does the OpenVPN server not need the root cert in order to operate?
In that case I could not take it away on a detachable drive, surely? Then the server could not use it anymore...
Or did you mean that I should keep a backup on a separate drive?

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Migrating OpenVPN server to new hardware, how to?

Post by maikcat » Fri May 16, 2014 10:52 am

in order openvpn to work need the following files:

1)its config file
2)ca.crt
3)dhXXXX.pem
4)server.crt & server.key
5)ta.key (if any)

keep ca.key AWAY from your server in safe place..

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

BobAGI
OpenVPN Power User
Posts: 156
Joined: Mon May 05, 2014 10:17 pm

Re: Migrating OpenVPN server to new hardware, how to?

Post by BobAGI » Fri May 16, 2014 11:27 am

maikcat wrote:in order openvpn to work need the following files:
1)its config file
2)ca.crt
3)dhXXXX.pem
4)server.crt & server.key
5)ta.key (if any)
keep ca.key AWAY from your server in safe place..
Thanks,

- config file OK
- ca.crt OK
- ta.key OK
- server.crt & server.key ERR, these two are not found here...

Are the two last located elsewhere?
And you mean to keep a COPY of the ca.key file in a safe place?
What is the use of the ca.key file if it is not on the server???

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Migrating OpenVPN server to new hardware, how to?

Post by maikcat » Fri May 16, 2014 1:13 pm

server.crt & server.key ERR, these two are not found here...
server.crt & key is the certificate used on your server,which btw may not called server..

what name did you use when you created your server key? (build-key-server script)
And you mean to keep a COPY of the ca.key file in a safe place?
no copy...MOVE it!
What is the use of the ca.key file if it is not on the server???
you need to read about how TLS/SSL works.... :(
ca.key is used for your ca signs your clients certs...

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

BobAGI
OpenVPN Power User
Posts: 156
Joined: Mon May 05, 2014 10:17 pm

Re: Migrating OpenVPN server to new hardware, how to?

Post by BobAGI » Sun May 25, 2014 8:17 am

Thanks,
been away on vacation for a week, but now I need to finish the new OpenVPN server configuration.

I think I have gotten the list of needed files now so I have copied them over from the source to the target unit using scp.
I hope these are OK (my server name is BBOpenVPN):

Code: Select all

sudo -s
cd /etc/openvpn
scp -p server.conf pi@192.168.0.146:/home/pi/openvpn/
cd easy-rsa/keys
scp -p BBOpenVPN.* ca.crt dh*.pem ta.key pi@192.168.0.146:/home/pi/openvpn/serverkeys/
scp -p *.ovpn pi@192.168.0.146:/home/pi/openvpn/userkeys/
This transferred the files into my new Raspberry Pi in the /home/pi/openvpn dir.

Code: Select all

/home/pi/openvpn:
-rw------- 1 pi pi 1436 May  8 00:39 server.conf

/home/pi/openvpn/serverkeys:
total 28
-rw------- 1 pi pi 4127 May  4 13:11 BBOpenVPN.crt
-rw------- 1 pi pi  733 May  4 13:10 BBOpenVPN.csr
-rw------- 1 pi pi  920 May  4 13:10 BBOpenVPN.key
-rw------- 1 pi pi 1383 May  4 13:09 ca.crt
-rw------- 1 pi pi  245 May  4 13:40 dh1024.pem
-rw------- 1 pi pi  636 May  4 13:57 ta.key

/home/pi/openvpn/userkeys:
total 24
-rw------- 1 pi pi 4752 May  4 19:40 BosseASUS.ovpn
-rw------- 1 pi pi 4752 May  4 19:40 BosseS4M.ovpn
-rw------- 1 pi pi 4740 May  4 19:39 BosseWin7.ovpn
Now I will have to move the server files to the correct place on the new server and here is where I am getting a bit confused...

Question #1:
The tutorial I follow describes how one copies the easy-rsa example to etc:

Code: Select all

cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Then a number of operations are performed by root at the target location to create certificates and keys, which I obviously will not need to do since I am migrating the server.
But what I don't get is why an OpenVPN server would store its important key files in a location like /etc/openvpn/easy-rsa/keys.
Why not simply /etc/openvpn/keys??
And do I really need to copy the easy-rsa example files into /etc if I will not need to build new certificates and such?

Question #2:
In the tutorial there is also a command to enter this into the /etc/openvpn/easy-rsa/vars file:

Code: Select all

export EASY_RSA="/etc/openvpn/easy-rsa"
Is this needed in my case?
I want to keep the server installation as compact as possible, so if I can get away without copying the easy-rsa example I would also not like to create the vars file...

Ideally the new server would have a directory structure like this:
/etc/openvpn (contains the server.conf file)
/etc/openvpn/keys (contains the needed key and certificate files)

And then nothing more.
Is this OK?

Question #3:
Is there a need for any client files on the server?
I have noted that when I made the ovpn files there were also some other files created (name.crt, name.csr, name.key), do they need to be moved to the new server as well?
It seems like the client only needs the ovpn file to be able to connect.

But does the server need a corresponding file to match the connection with?

BobAGI
OpenVPN Power User
Posts: 156
Joined: Mon May 05, 2014 10:17 pm

Re: Migrating OpenVPN server to new hardware, how to?

Post by BobAGI » Sun May 25, 2014 8:06 pm

Reply from myself:

Q1:
It works fine to place the server side security files in /etc/openvpn/keys.
One has just to adjust the server.conf file accordingly.

Q2:
Seems not to be needed, my migrated server works fine without it.

Q3:
Seems like the client files are not needed on the server. I could connect just fine without them.

Final problem:
After setting up "everything" as described in the tutorial (except for the certificate and key generation) it was possible to connect but I got no further. The routing was non-existing.

So I did what I had to do on my previous tests on a Pi running RASPBMC, I entered this command manually:

Code: Select all

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.146
After this the routing started working as it should.

And unlike the case with the RASPBMC distribution, the iptables command above survived a reboot of the system so the routing also works if the server restarts.

So in summary:
I have successfully migrated the OpenVPN server to new hardware while keeping the already created certificates and keys.
Thanks for the help I have received here!

BobAGI
OpenVPN Power User
Posts: 156
Joined: Mon May 05, 2014 10:17 pm

Re: Migrating OpenVPN server to new hardware, how to?

Post by BobAGI » Sun May 25, 2014 9:34 pm

debbie10t wrote:Did you create a new PKI post heartbleed ?
topic15526.html
How can I know?
I mean how can I find out if the server is using the fixed software?

BobAGI
OpenVPN Power User
Posts: 156
Joined: Mon May 05, 2014 10:17 pm

Re: Migrating OpenVPN server to new hardware, how to?

Post by BobAGI » Sun May 25, 2014 10:08 pm

I started installing OpenVPN in beginning of May 2014 on another Pi where I did all the updates before I started.
The resulting crt and key files are all dated May 4, which is when they were created.
I really think that this is well after the fix was made.

My migration is caused by the inability to set up a server that will survive a reboot of the Pi when it runs RASPBMC as operating system.
So I bought a new Pi and installed RASPBIAN instead but I did not want to start over on the client side as well so that is why I started this thread for advice on how to migrate the server.
Turns out that as a side effect I got to learn exactly which files are needed and which should be removed from the server for security reasons....
So the new server is leaner than the original.

By the way, last week I found that there is a connectivity difference between OpenVPN and PPTP VPN.
I was traveling to Austria and I tested the connections on various WiFi networks on hotels, airports and other places.
Every time the OpenVPN connected just fine while PPTP quite often timed out while trying to connect.
My take on this is that whatever protocol the PPTP system is using is not well supported by routers at these WiFi hotspots whereas the OpenVPN use of only a single UDP connection manages to always connect! :D

madial3368
OpenVpn Newbie
Posts: 7
Joined: Wed Aug 26, 2020 7:37 am

Re: Migrating OpenVPN server to new hardware, how to?

Post by madial3368 » Wed Apr 28, 2021 2:34 pm

Hi BobAGI. I have a similar situation that you had at old 2014, and it was interesting to read your "story" :)

I wanted to ask some questions and will appreciate for your reply. I have fully worked pfsense (freebsd) with openvpn. I have to create another server but not PFsense based, just openvpn application on debian linux, and want to somehow export my main CA,server keys/certs from PFsense, and then import to my Openvpn on Debian, so my existing clients that connecting to my Pfsense, can connect to my new openvpn server.
As I understood, there is no need to export/import, I can just copy/paste existing keys and use it on second server, without changing my clients keys, and they can successfully connect to the second server?

Post Reply