Help! OpenVPN server on Raspberry Pi - easyrsa has changed....

[BobAGI]

I have set up a number of OpenVPN servers over the years using Raspberry Pi as platform.
When I started 5-6 years ago I documented the procedure so I could repeat it on new hardware and this worked fine so far.
But now I am on a system with Raspbian Buster operating system and I installed openvpn using this command:

Code: Select all

sudo apt -y install openvpn openssl

The installation gave me openvpn version 2.4.7 and openssl 1.1.1c 28 May 2019, LZO 2.10

Next step was to use easy-rsa to create the certs and keys, but here my documented infrastructure relies on easy-rsa with the following installed structure:

Code: Select all

 $ ls -l  /usr/share/easy-rsa
total 112
-rwxr-xr-x 1 root root   119 Jan  7  2014 build-ca
-rwxr-xr-x 1 root root   352 Jan  7  2014 build-dh
-rwxr-xr-x 1 root root   188 Jan  7  2014 build-inter
-rwxr-xr-x 1 root root   163 Jan  7  2014 build-key
-rwxr-xr-x 1 root root   157 Jan  7  2014 build-key-pass
-rwxr-xr-x 1 root root   249 Jan  7  2014 build-key-pkcs12
-rwxr-xr-x 1 root root   268 Jan  7  2014 build-key-server
-rwxr-xr-x 1 root root   213 Jan  7  2014 build-req
-rwxr-xr-x 1 root root   158 Jan  7  2014 build-req-pass
-rwxr-xr-x 1 root root   449 Jan  7  2014 clean-all
-rwxr-xr-x 1 root root  1471 Jan  7  2014 inherit-inter
-rwxr-xr-x 1 root root   302 Jan  7  2014 list-crl
-rw-r--r-- 1 root root  7859 Jan  7  2014 openssl-0.9.6.cnf
-rw-r--r-- 1 root root  8416 Jan  7  2014 openssl-0.9.8.cnf
-rw-r--r-- 1 root root  8313 Jan  7  2014 openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Jan  7  2014 pkitool
-rwxr-xr-x 1 root root  1035 Jan  7  2014 revoke-full
-rwxr-xr-x 1 root root   178 Jan  7  2014 sign-req
-rw-r--r-- 1 root root  2077 Jan  7  2014 vars
-rwxr-xr-x 1 root root   740 Jan  7  2014 whichopensslcnf

But when I check on the new Buster system I see this:

Code: Select all

 $  ls -l  /usr/share/easy-rsa
total 72
-rwxr-xr-x 1 root root 48730 Feb  8 15:53 easyrsa
-rw-r--r-- 1 root root  4651 Feb  8 15:53 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8576 Feb  8 15:53 vars.example
drwxr-xr-x 2 root root  4096 Jul  6 23:56 x509-types

So where are all the needed scripts and is there a migration how-to for users coming from the old easy-rsa structure?
I have built a number of my own helper scripts in order to simplify installation on new systems but they call the scripts in the original easy-rsa, which no longer exist....

Do I really need to start over searching the net for how to set up an OpenVPN server again?

EDIT, ADDITIONAL INFO:
In my old notes from the previous installations I can see that I used the following commands from easy-rsa after
editing the vars file first:

Code: Select all

source vars  (I understand this is no longer needed)
./clean-all
./build-ca
./build-key-server MYVPN
./build-dh
openvpn --genkey --secret keys/ta.key

Then I also have a separate process for generating the client keys and certificates:

Code: Select all

./build-key-pass <ClientName>
./build-key-3des <ClientName>
openssl rsa -in <ClientName>.key -des3 -out <ClientName>.3des.key

This creates the following crypto files:

Code: Select all

<ClientName>.crt
<ClientName>.csr
<ClientName>.key
<ClientName>.3des.key

Using these I have a script that packages these and the default client config into an OVPN file for distribution to the client.

I have now tried the new easy-rsa and I have performed the init-pki and build-ca steps but now I no longer find a correspondence with the old commands and what is listed by the help command...
Where do I go next?

Can easy-rsa 2 still be used with OpenVPN 2.4.7?
If so how can I get it into my new system? Copy from my old Raspberries?

[TinCanTech]

Version 2.2.2 here:
https://github.com/OpenVPN/easy-rsa/releases

[BobAGI]

Thanks,
I downloaded it and use the Linux version 2.
On advice from this bug report page I had to modify line 6 of the openssl-1.1.0.cnf file (I made it as a copy of the openssl-1.0.0.cnf file) as follows:

Code: Select all

#RANDFILE               = $ENV::HOME/.rnd

This commenting out of the line stops the error otherwise appearing about not finding the .rnd file.

Question:
I am still getting this message in now:

Code: Select all

pi@rpi2-hakanvpn:~/openvpn/easy-rsa2 $ ./build-key-pass ClientName
Ignoring -days; not generating a certificate  <== Why is this displayed?
Generating a RSA private key

What is it ignoring and why is it telling me it is not generating a certificate?
Do I have to find the cause for this and solve the problem or is it just a hint?

[dirtyfrank]

Hi,

I had the same issue and this tutorial helped me on easyrsa 3:https://www.howtoforge.com/tutorial/how ... -centos-7/