Windows server update made my OpenVPN stop working

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
User avatar
TinCanTech
Forum Team
Posts: 9389
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows server update made my OpenVPN stop working

Post by TinCanTech » Tue Mar 02, 2021 6:30 pm

Thanks very much for your co-operation, I have what I need now.

Please go ahead and do what you want to now..
If you have any further problems then please remember to post your log again.

You can start a new thread or reply to this one, which ever you prefer.

User avatar
TinCanTech
Forum Team
Posts: 9389
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows server update made my OpenVPN stop working

Post by TinCanTech » Tue Mar 02, 2021 6:37 pm

You can also remove --route-delay 60 60 from your server config now. The default for Windows is 30.

Nahuel
OpenVpn Newbie
Posts: 19
Joined: Mon Mar 01, 2021 10:39 pm

Re: Windows server update made my OpenVPN stop working

Post by Nahuel » Tue Mar 02, 2021 6:39 pm

Great! Thanks!! :D

Nahuel
OpenVpn Newbie
Posts: 19
Joined: Mon Mar 01, 2021 10:39 pm

Re: Windows server update made my OpenVPN stop working

Post by Nahuel » Tue Jul 27, 2021 3:33 pm

TinCanTech wrote:
Tue Mar 02, 2021 5:28 pm

Next, OpenVPN is now at Version 2.5.1 and we recommend all Windows users to upgrade all servers and clients to that version. It is more secure and a tiny bit faster to initialise. Plus lots of other improvements. However, you make the decision to upgrade or not as you see fit.
https://openvpn.net/community-downloads/

Also, your PKI seems to be a little old:

Code: Select all

Diffie-Hellman initialized with 1024 bit key
1024 bit is considered to be a bit weak these days.

If you install 2.5.1 (above) you can select Custom and install Easy-RSA 3.
You can then use Easy-RSA 3 to build yourself a new PKI with modern security settings.
If you do then start by reading this:
https://github.com/OpenVPN/easy-rsa/blo ... indows.txt

If you do install Easy-RSA 3 you can also try Easy-TLS:
https://github.com/TinCanTech/easy-tls
If you do then start by reading these:
https://github.com/TinCanTech/easy-tls/ ... troduction
https://github.com/TinCanTech/easy-tls/ ... dows-Usage

I know that is a lot of work, so set your self up with a nice cup of tea and see what you think.. 8-)
Hey Tim! sorry for reopening such an old post.

I'm about to upgrade, but I couldn't find a tutorial with Easyrsa-3.

I've read this one, but it uses version 2 of Easyrsa. Then this but when I use "build-ca" it asks for a CA PassPhrase, when I enter anything, I get "extra argument given" and "Easy-RSA error: Failed to create CA private key"

I don't know if I understood it correctly, but I need to setup first the CA and clients and then use Easy-tls right?

User avatar
TinCanTech
Forum Team
Posts: 9389
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows server update made my OpenVPN stop working

Post by TinCanTech » Tue Jul 27, 2021 4:19 pm

Nahuel wrote:
Tue Jul 27, 2021 3:33 pm
when I use "build-ca" it asks for a CA PassPhrase
See:

Code: Select all

./easyrsa help build-ca
Nahuel wrote:
Tue Jul 27, 2021 3:33 pm
I don't know if I understood it correctly, but I need to setup first the CA and clients and then use Easy-tls right?
Yes.

Coming soon: Openvpn will be able to use self-signed certificates,
which means you will not need to use Easy-RSA-3 at all.

In that case Easy-TLS can build your entire required security credentials.

Nahuel
OpenVpn Newbie
Posts: 19
Joined: Mon Mar 01, 2021 10:39 pm

Re: Windows server update made my OpenVPN stop working

Post by Nahuel » Tue Jul 27, 2021 4:20 pm

I found this post, that led me to this

I created the "C:\temp" as you suggested and used the following code from foolioo because i couldn't find the option to modify vars

Code: Select all

export EASYRSA_TEMP_DIR="C:/temp"
./easyrsa build-ca
I hope this works for the next one having this problem!

User avatar
TinCanTech
Forum Team
Posts: 9389
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows server update made my OpenVPN stop working

Post by TinCanTech » Tue Jul 27, 2021 4:23 pm

An alternative to specifying a temp-dir is to move Easy-RSA to your Users home folder,
where there should not be any spaces in the path. eg:

Code: Select all

C:\Users\tct\easy-rsa

Nahuel
OpenVpn Newbie
Posts: 19
Joined: Mon Mar 01, 2021 10:39 pm

Re: Windows server update made my OpenVPN stop working

Post by Nahuel » Tue Jul 27, 2021 4:24 pm

TinCanTech wrote:
Tue Jul 27, 2021 4:19 pm
Nahuel wrote:
Tue Jul 27, 2021 3:33 pm
when I use "build-ca" it asks for a CA PassPhrase
See:

Code: Select all

./easyrsa help build-ca
I tried that but it replies with:

Code: Select all

build-ca [ cmd-opts ]
      Creates a new CA

      cmd-opts is an optional set of command options from this list:

        nopass  - do not encrypt the CA key (default is encrypted)
        subca   - create an intermediate CA keypair and request (default is a root CA)
        intca   - alias to the above
and didn't give me much to work with.
TinCanTech wrote:
Tue Jul 27, 2021 4:19 pm

Coming soon: Openvpn will be able to use self-signed certificates,
which means you will not need to use Easy-RSA-3 at all.

In that case Easy-TLS can build your entire required security credentials.
I hope it comes with a noob-friendly tutorial :D

Nonetheless Thank you!

User avatar
TinCanTech
Forum Team
Posts: 9389
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows server update made my OpenVPN stop working

Post by TinCanTech » Tue Jul 27, 2021 4:37 pm

Nahuel wrote:
Tue Jul 27, 2021 4:24 pm
TinCanTech wrote:
Tue Jul 27, 2021 4:19 pm
Nahuel wrote:
Tue Jul 27, 2021 3:33 pm
when I use "build-ca" it asks for a CA PassPhrase
See:

Code: Select all

./easyrsa help build-ca
I tried that but it replies with:

Code: Select all

build-ca [ cmd-opts ]
      Creates a new CA

      cmd-opts is an optional set of command options from this list:

        nopass  - do not encrypt the CA key (default is encrypted)
        subca   - create an intermediate CA keypair and request (default is a root CA)
        intca   - alias to the above
and didn't give me much to work with.
Read it.
Nahuel wrote:
Tue Jul 27, 2021 3:33 pm
TinCanTech wrote:
Tue Jul 27, 2021 4:19 pm

Coming soon: Openvpn will be able to use self-signed certificates,
which means you will not need to use Easy-RSA-3 at all.

In that case Easy-TLS can build your entire required security credentials.
I hope it comes with a noob-friendly tutorial :D

Nonetheless Thank you!
It comes with help, which you have to read ..

Post Reply