Re: OpenVPN & Debian Stretch
Thanks. I'll install openvpn, and easy-rsa on a test computer and see what it does, before installing it on my server. Wayne Sallee wa...@waynesallee.com http://www.WayneSallee.com On 09/05/2018 08:51 AM, Dan Ritter wrote: easy-rsa is basically a series of scripts to get openssl to do the right thing for you, consistently.
Re: OpenVPN & Debian Stretch
On 09/05/2018 08:51 AM, Dan Ritter wrote: On Wed, Sep 05, 2018 at 06:56:44AM -0400, Wayne Sallee wrote: On 09/05/2018 06:30 AM, Dan Purgert wrote: Dan Ritter wrote: On Wed, Sep 05, 2018 at 12:29:02AM -, Dan Purgert wrote: Dan Ritter wrote: On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote: Has anyone set up OpenVPN with ssh-keygen -t rsa ? Technically, you can do that. ssh-keygen generates ssh keys, not x.509 certificates ... An x.509 cert contains an RSA key signed by a CA. openssl can do the signing, at which point you've half-reimplemented easy-rsa. -dsr- Sure - but it just seems silly to use ssh-keygen, then openssl to convert it to the right format when openssl (or the easy-rsa wrapper thereto) can do all the work for you in one go. Ok, then it would be better to use openssl instead of ssh-keygen? I'm looking at putting OpenVPN on an established server, and wondering if it is really nessesary to install easy-rsa when I already have established ways of generating ssh keys. easy-rsa is basically a series of scripts to get openssl to do the right thing for you, consistently. Do that. Alternatively, look into installing wireguard from unstable. (It won't drag in anything weird.) Wireguard matches your conception of how a VPN should work -- and is currently being integrated into the Linux kernel, because practically everybody likes it better than OpenVPN, and most people prefer it to IPsec. -dsr- Thanks for the tip about wireguard. It's still beta, but it looks promising. Wayne Sallee wa...@waynesallee.com http://www.WayneSallee.com
Re: OpenVPN & Debian Stretch
Wayne Sallee wrote: > I will also be installing OpenVPN on Debian Stretch (Debian 9). What > problems are you having? go for installation - there are no problems discussed here - only how one should generate the certificate for the client. The easy-rsa is a set of scripts that makes generation of client certificates really easy. You may need however to read some good how to. I used the debians howto : https://wiki.debian.org/OpenVPN it was may be 7 or 8y ago - the how to is now even better regards
Re: OpenVPN & Debian Stretch
On Wed, Sep 05, 2018 at 06:56:44AM -0400, Wayne Sallee wrote: > > > On 09/05/2018 06:30 AM, Dan Purgert wrote: > > Dan Ritter wrote: > > > On Wed, Sep 05, 2018 at 12:29:02AM -, Dan Purgert wrote: > > > > Dan Ritter wrote: > > > > > On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote: > > > > > > Has anyone set up OpenVPN with ssh-keygen -t rsa ? > > > > > > > > > > > Technically, you can do that. > > > > ssh-keygen generates ssh keys, not x.509 certificates ... > > > An x.509 cert contains an RSA key signed by a CA. openssl can do > > > the signing, at which point you've half-reimplemented easy-rsa. > > > > > > -dsr- > > Sure - but it just seems silly to use ssh-keygen, then openssl to > > convert it to the right format when openssl (or the easy-rsa wrapper > > thereto) can do all the work for you in one go. > > > > > Ok, then it would be better to use openssl instead of ssh-keygen? > > I'm looking at putting OpenVPN on an established server, and wondering if it > is really nessesary to install easy-rsa when I already have established ways > of generating ssh keys. easy-rsa is basically a series of scripts to get openssl to do the right thing for you, consistently. Do that. Alternatively, look into installing wireguard from unstable. (It won't drag in anything weird.) Wireguard matches your conception of how a VPN should work -- and is currently being integrated into the Linux kernel, because practically everybody likes it better than OpenVPN, and most people prefer it to IPsec. -dsr-
Re: OpenVPN & Debian Stretch
On 09/04/2018 06:47 PM, Josh W. wrote: Debian Users, I am having a terrible time setting up a free VPN Service! Could "Any Body" point me to an UP To Date way. to set up OpenVPN on Debian Stretch? Your Help is Much Needed!!! Thank you! Joshua mailto:joshw8...@gmail.com>> I will also be installing OpenVPN on Debian Stretch (Debian 9). What problems are you having? Wayne Sallee wa...@waynesallee.com http://www.WayneSallee.com
Re: OpenVPN & Debian Stretch
On 09/05/2018 06:30 AM, Dan Purgert wrote: Dan Ritter wrote: On Wed, Sep 05, 2018 at 12:29:02AM -, Dan Purgert wrote: Dan Ritter wrote: On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote: Has anyone set up OpenVPN with ssh-keygen -t rsa ? Technically, you can do that. ssh-keygen generates ssh keys, not x.509 certificates ... An x.509 cert contains an RSA key signed by a CA. openssl can do the signing, at which point you've half-reimplemented easy-rsa. -dsr- Sure - but it just seems silly to use ssh-keygen, then openssl to convert it to the right format when openssl (or the easy-rsa wrapper thereto) can do all the work for you in one go. Ok, then it would be better to use openssl instead of ssh-keygen? I'm looking at putting OpenVPN on an established server, and wondering if it is really nessesary to install easy-rsa when I already have established ways of generating ssh keys. Wayne Sallee wa...@waynesallee.com http://www.WayneSallee.com
Re: OpenVPN & Debian Stretch
Dan Ritter wrote: > On Wed, Sep 05, 2018 at 12:29:02AM -, Dan Purgert wrote: >> Dan Ritter wrote: >> > On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote: >> >> Has anyone set up OpenVPN with ssh-keygen -t rsa ? >> >> >> > >> > Technically, you can do that. >> >> ssh-keygen generates ssh keys, not x.509 certificates ... > > An x.509 cert contains an RSA key signed by a CA. openssl can do > the signing, at which point you've half-reimplemented easy-rsa. > > -dsr- Sure - but it just seems silly to use ssh-keygen, then openssl to convert it to the right format when openssl (or the easy-rsa wrapper thereto) can do all the work for you in one go. -- |_|O|_| Registered Linux user #585947 |_|_|O| Github: https://github.com/dpurgert |O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
Re: OpenVPN & Debian Stretch
On Wed, Sep 05, 2018 at 12:29:02AM -, Dan Purgert wrote: > Dan Ritter wrote: > > On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote: > >> Has anyone set up OpenVPN with ssh-keygen -t rsa ? > >> > > > > Technically, you can do that. > > ssh-keygen generates ssh keys, not x.509 certificates ... An x.509 cert contains an RSA key signed by a CA. openssl can do the signing, at which point you've half-reimplemented easy-rsa. -dsr-
Re: OpenVPN & Debian Stretch
Dan Ritter wrote: > On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote: >> Has anyone set up OpenVPN with ssh-keygen -t rsa ? >> > > Technically, you can do that. ssh-keygen generates ssh keys, not x.509 certificates ... -- |_|O|_| Registered Linux user #585947 |_|_|O| Github: https://github.com/dpurgert |O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
Re: OpenVPN & Debian Stretch
On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote: > Has anyone set up OpenVPN with ssh-keygen -t rsa ? > Technically, you can do that. In practice, you need to have a CA set up, of which easy-rsa is the simplest choice. Why? Revocation. Let's suppose you have an SSH server. Because you are cautious, you require SSH key auth. One day your laptop is stolen. It has an SSH private key on it, so you go over to ~/.ssh/authorized_keys and delete the matching public key. Good, you have secured your server against unauthorized use of your account. OpenVPN doesn't do that. OpenVPN assumes that any properly signed certificate is wonderful, and you can't get rid of one just by removing a cert entry on your side. Instead, you need to formally revoke the certificate, and keep it revoked until it reaches its expiration date. https://community.openvpn.net/openvpn/wiki/Hardening -dsr-
Re: OpenVPN & Debian Stretch
Has anyone set up OpenVPN with ssh-keygen -t rsa ? Wayne Sallee wa...@waynesallee.com http://www.WayneSallee.com On 09/04/2018 07:34 PM, Dan Purgert wrote: Josh W. wrote: Debian Users, I am having a terrible time setting up a free VPN Service! Could "Any Body" point me to an UP To Date way. to set up OpenVPN on Debian Stretch? Your Help is Much Needed!!! Thank you! Joshua apt-get install openvpn-server Should be enough to get the server going with bogus certs. Then you just have to generate yourself some certs to use (CA, Server, and Client(s)). I think the generally easy approach to the cert generation is easy-rsa (which is a separate package these days).
Re: OpenVPN & Debian Stretch
Josh W. wrote: > Debian Users, > I am having a terrible time setting up a free VPN Service! Could > "Any Body" point me to an UP To Date way. to set up OpenVPN on Debian > Stretch? Your Help is Much Needed!!! Thank you! > > Joshua > apt-get install openvpn-server Should be enough to get the server going with bogus certs. Then you just have to generate yourself some certs to use (CA, Server, and Client(s)). I think the generally easy approach to the cert generation is easy-rsa (which is a separate package these days). -- |_|O|_| Registered Linux user #585947 |_|_|O| Github: https://github.com/dpurgert |O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
Re: OpenVPN & Debian Stretch
On Tue, Sep 04, 2018 at 05:47:37PM -0500, Josh W. wrote: > Debian Users, > I am having a terrible time setting up a free VPN Service! Could > "Any Body" point me to an UP To Date way. to set up OpenVPN on Debian > Stretch? Your Help is Much Needed!!! Thank you! sudo apt install openvpn easy-rsa Then follow basically any configuration guide. -dsr-
