On Sat, 29 Mar 2025 10:41:38 +0100, Bo Berglund <bo.bergl...@gmail.com> wrote:
>I am trying to understand how to use easyrsa 3.2.2 downloaded from github on a
>freshly built RPi4B running PiOS Lite in order to create an OpenVPN server for
>private use as described in a parallel thread.
>
>Now I have read the description document here:
>https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
>
>and tried to use it to set up a very simple system with two clients (myself and
>my brother in law).
>But I am struggling to understand the concepts still.
>
>I tried the section I feel is most similar to my use:
>
>PKI procedure: Producing your complete PKI on the CA machine
>
>Now I have done this after creating the vars file from the example with extended
>lifetimes set:
>
>1) ./easyrsa init-pki (This creates and populates the pki dir)
>2) ./easyrsa --nopass build-ca
>3) ./easyrsa gen-tls-crypt-key
>4) ./easyrsa --nopass build-server-full HakanNew
>5) ./easyrsa build-client-full BosseWien (client for myself)
>6) ./easyrsa build-client-full HakanWien (client for my brother-in-law)
>
>Now what?
>In the old times I had to copy some crypto files to the /etc/openvpn/keys dir to
>be used by the server (files listed in the server.conf file).
>
>The build-client-full command seems to generate an inline file for each client
>as well as for the server itself.
>What do I do with these?
>
>Do I put the server's inline file *content* into the server.conf file itself and
>skip listing the file locations?
>I.e. no longer a "keys" dir inside /etc/openvpn?
>
>I.e. is the idea here that the server.conf file shall be self-contained, not
>needing any cert/key files found by a file path?

Follow-up
---------
I tested it by editing my existing server.conf file and commenting out all of
these lines referencing cert files etc:

#Keys, Certificates, directories etc:
ca /etc/openvpn/server/serverkeys/ca.crt
cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
key /etc/openvpn/server/serverkeys/HAKANVPN.key
dh /etc/openvpn/server/serverkeys/dh2048.pem
tls-auth /etc/openvpn/server/serverkeys/ta.key 0

Instead I copied in the full content of the server's inline file at the end of
the server.conf file.
But that only resulted in a total non-starter when trying to start the service,
so I have probably missed something important...

>And the same for the OVPN client connection files?
>
>Do I for instance add my client config items to the top of the inline file and
>rename it as an ovpn file?
>
>Or what is the next step for me to get a server running properly and something
>to put into the ovpn files?
>
>ALSO:
>-----
>A bit down in the document above I found a link to another github script
>Easy-TLS, which seems to be needed to do something TLS related ("add the
>finishing touches to your PKI").
>
>But here I am lost, what is it needed for and how do I use it in my simple case?
>The inline files created above do contain a <tls-crypt> section already....
>
>Grateful for a bit of clarification.

--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
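
Added example, not part of the original post: a small shell check that reports, for a server.conf edited as in the follow-up above, whether each item (ca, cert, key, dh, tls-crypt, tls-auth) now comes from an inline block, an uncommented directive, both, or neither. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: show where an OpenVPN config takes each piece of key material from.

# ovpn_source CONF NAME -> prints inline | directive | both | missing
ovpn_source() {
    conf=$1; name=$2; inline=no; directive=no
    # Inline form: <name> and </name>, each alone on a line.
    if grep -Eq "^[[:space:]]*<$name>[[:space:]]*\$" "$conf" &&
       grep -Eq "^[[:space:]]*</$name>[[:space:]]*\$" "$conf"; then
        inline=yes
    fi
    # Directive form: uncommented "name <argument>" (a path, or "dh none").
    if grep -Eq "^[[:space:]]*$name[[:space:]]+[^[:space:]]" "$conf"; then
        directive=yes
    fi
    case "$inline/$directive" in
        yes/yes) echo both ;;
        yes/no)  echo inline ;;
        no/yes)  echo directive ;;
        *)       echo missing ;;
    esac
}

# ovpn_report CONF -> one "name: source" line per item
ovpn_report() {
    for item in ca cert key dh tls-crypt tls-auth; do
        printf '%s: %s\n' "$item" "$(ovpn_source "$1" "$item")"
    done
}

# Constructed sample: file directives commented out, inline blocks appended.
make_sample_conf() {
    {
        echo '#dh /etc/openvpn/server/serverkeys/dh2048.pem'
        echo '#tls-auth /etc/openvpn/server/serverkeys/ta.key 0'
        for tag in ca cert key tls-crypt; do
            printf '<%s>\n(constructed placeholder)\n</%s>\n' "$tag" "$tag"
        done
    } > "$1"
}

sample=$(mktemp)
make_sample_conf "$sample"
ovpn_report "$sample"
rm -f "$sample"
```

Pointing `ovpn_report` at the real server.conf gives the same listing; a config that embeds the `<key>` block holds the server's private key and should be readable by root only.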