OpenVPN Support Forum

TinCanTech wrote: ↑

Tue Mar 02, 2021 5:28 pm

Next, OpenVPN is now at Version 2.5.1 and we recommend all Windows users to upgrade all servers and clients to that version. It is more secure and a tiny bit faster to initialise. Plus lots of other improvements. However, you make the decision to upgrade or not as you see fit.
https://openvpn.net/community-downloads/

Also, your PKI seems to be a little old:

Code: Select all

Diffie-Hellman initialized with 1024 bit key

1024 bit is considered to be a bit weak these days.

If you install 2.5.1 (above) you can select Custom and install Easy-RSA 3.
You can then use Easy-RSA 3 to build yourself a new PKI with modern security settings.
If you do then start by reading this:
https://github.com/OpenVPN/easy-rsa/blo ... indows.txt

If you do install Easy-RSA 3 you can also try Easy-TLS:
https://github.com/TinCanTech/easy-tls
If you do then start by reading these:
https://github.com/TinCanTech/easy-tls/ ... troduction
https://github.com/TinCanTech/easy-tls/ ... dows-Usage

I know that is a lot of work, so set your self up with a nice cup of tea and see what you think..

Nahuel wrote: ↑

Tue Jul 27, 2021 3:33 pm

when I use "build-ca" it asks for a CA PassPhrase

./easyrsa help build-ca

Nahuel wrote: ↑

Tue Jul 27, 2021 3:33 pm

I don't know if I understood it correctly, but I need to setup first the CA and clients and then use Easy-tls right?

TinCanTech wrote: ↑

Tue Jul 27, 2021 4:19 pm

Nahuel wrote: ↑

Tue Jul 27, 2021 3:33 pm

when I use "build-ca" it asks for a CA PassPhrase

See:

Code: Select all

./easyrsa help build-ca

build-ca [ cmd-opts ]
      Creates a new CA

      cmd-opts is an optional set of command options from this list:

        nopass  - do not encrypt the CA key (default is encrypted)
        subca   - create an intermediate CA keypair and request (default is a root CA)
        intca   - alias to the above

TinCanTech wrote: ↑

Tue Jul 27, 2021 4:19 pm

Coming soon: Openvpn will be able to use self-signed certificates,
which means you will not need to use Easy-RSA-3 at all.

In that case Easy-TLS can build your entire required security credentials.

Nahuel wrote: ↑

Tue Jul 27, 2021 4:24 pm

TinCanTech wrote: ↑

Tue Jul 27, 2021 4:19 pm

Nahuel wrote: ↑

Tue Jul 27, 2021 3:33 pm

when I use "build-ca" it asks for a CA PassPhrase

See:

Code: Select all

./easyrsa help build-ca

I tried that but it replies with:

Code: Select all

build-ca [ cmd-opts ]
      Creates a new CA

      cmd-opts is an optional set of command options from this list:

        nopass  - do not encrypt the CA key (default is encrypted)
        subca   - create an intermediate CA keypair and request (default is a root CA)
        intca   - alias to the above

and didn't give me much to work with.

Nahuel wrote: ↑

Tue Jul 27, 2021 3:33 pm

TinCanTech wrote: ↑

Tue Jul 27, 2021 4:19 pm

Coming soon: Openvpn will be able to use self-signed certificates,
which means you will not need to use Easy-RSA-3 at all.

In that case Easy-TLS can build your entire required security credentials.

I hope it comes with a noob-friendly tutorial

Nonetheless Thank you!