Re: [Openvpn-users] Using easyrsa3 - how to set longer expiration than 10 years?
On Saturday, October 7th, 2023 at 07:20, Bo Berglund wrote:

> On Fri, 06 Oct 2023 20:59:48 +, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > On Friday, October 6th, 2023 at 21:17, Bo Berglund bo.bergl...@gmail.com
> > wrote:
> >
> > > In easyrsa2 one could enter a longer expiration than 3650 days by editing the
> > > vars file and changing these entries
> > >
> > > export CA_EXPIRE=3650
> > > export KEY_EXPIRE=3650
> > >
> > > to a different value like 7300 (20 years).
> > >
> > > How is it done correctly using easyrsa3?
> > >
> > > Like this?
> > >
> > > - rename vars.example to vars
> > > - Activate lines and values:
> > > set_var EASYRSA_CA_EXPIRE 7300
> > > set_var EASYRSA_CERT_EXPIRE 7200
> >
> > That will also set standard certificate expiry to 7200 days.
> >
> > For the CA only, you could use `easyrsa --days=7300 build-ca`
> >
> > Option --days can be used by any command that requires an expiration date.
>
> It turned out that when I ran the initial
>
> easyrsa init-pki
>
> it complained about me having modified vars.example and created a vars file...
> So I reverted those changes and ran the command again.
> This produced a pki dir where there was a vars file, which seems to be the one I
> can edit to change the expiration.
> I did not want to run init-pki until I had changed the expiration since I did
> not know what could be changed afterwards...
>
> Now OK after editing the vars file there.
>
> > > I have noted that these two have defaults of 3650 and 825 days respectively,
> > > what is the reason for that and will my suggested expirations above not
> > > work?
> >
> > They apply to different certificates, as shown above.
>
> Yes, I understand that but I wondered why there was such a big difference in
> expiration in the default for these two...

Generally accepted standards.
Note: The next release of Easy-RSA will not complain about the location of the
vars file. Until then, you can simply ignore the message.

> Additional question:
>
> This is the first device on which I install OpenVPN using easyrsa3.
> Earlier some months ago I migrated from easyrsa2 to easyrsa3 on existing
> servers. And that was successful with your help after fixing some problems with
> the migration function.
> I wrote a client creation script that runs the full process of generating the
> client OVPN file and it works just fine.
>
> Now I am trying to set up a new server for my daughter and I have run into a
> problem of understanding again
>
> My server.conf files contain references to cryptography like shown below and I
> have found the easyrsa3 locations for the new server after running these
> creation commands from earlier discussions:
>
> easyrsa --nopass build-ca (enter the CN JennyVPN when asked)
> easyrsa --nopass build-server-full JennyVPN
> openvpn --genkey tls-crypt tls-crypt.key
>
> dh /etc/openvpn/keys/dh2048.pem ?
> tls-auth /etc/openvpn/keys/ta.key 0 ?
>
> Where can I find the two missing files for dh and tls-auth?
> Or have I misunderstood the procedure?

And --tls-crypt ...

As for *your* procedure, I recommend you review your apparent use of --tls-auth
versus --tls-crypt. Probably, check out the OpenVPN manual. Use of these two
keys is mutually exclusive.
DH param file: `easyrsa gen-dh`

regards

> TIA
>
> --
> Bo Berglund
> Developer in Sweden
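The checks raised in the exchange above (tls-auth and tls-crypt must not both appear in one server.conf, each key-material directive is produced by a specific generator command, and a certificate lifetime in `vars` should not exceed the CA lifetime) can be run offline against the two files. The following is an added example written for this page, not Easy-RSA or OpenVPN code; the `vars` and `server.conf` contents embedded in it are constructed samples, and the generator mapping assumes OpenVPN 2.5+ `--genkey tls-auth|tls-crypt` syntax and Easy-RSA's default `pki/dh.pem` output path.

```python
"""Offline lint of an Easy-RSA 3 `vars` file against an OpenVPN server.conf.

Added example for the thread above, not Easy-RSA or OpenVPN code. Encodes
three points from the discussion: tls-auth and tls-crypt are mutually
exclusive, each key-material directive has one generator command, and a
leaf certificate should not outlive the CA that signs it.
"""
import re
import shlex

# Easy-RSA 3 defaults quoted in the thread (days).
EASYRSA_DEFAULTS = {"EASYRSA_CA_EXPIRE": 3650, "EASYRSA_CERT_EXPIRE": 825}

# Command that produces the file each directive expects (assumed paths/syntax).
GENERATORS = {
    "dh": "easyrsa gen-dh (output: pki/dh.pem)",
    "tls-crypt": "openvpn --genkey tls-crypt <file>",
    "tls-auth": "openvpn --genkey tls-auth <file>",
}

SET_VAR_RE = re.compile(r"^\s*set_var\s+(\w+)\s+(.*)$")


def parse_vars(text):
    """Return active `set_var NAME value` lines as a dict.

    Lines commented out with '#' (every line of an untouched vars.example)
    are skipped, so such a file yields {} and the defaults apply.
    """
    values = {}
    for line in text.splitlines():
        m = SET_VAR_RE.match(line)
        if m:
            # shlex removes shell quoting and any trailing '# comment'.
            values[m.group(1)] = " ".join(shlex.split(m.group(2), comments=True))
    return values


def parse_openvpn_conf(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def expiry_days(vars_, ca_days_opt=None, cert_days_opt=None):
    """Effective (CA, certificate) lifetimes: --days beats vars beats defaults."""
    ca = ca_days_opt if ca_days_opt is not None else int(
        vars_.get("EASYRSA_CA_EXPIRE", EASYRSA_DEFAULTS["EASYRSA_CA_EXPIRE"]))
    cert = cert_days_opt if cert_days_opt is not None else int(
        vars_.get("EASYRSA_CERT_EXPIRE", EASYRSA_DEFAULTS["EASYRSA_CERT_EXPIRE"]))
    return ca, cert


def expected_files(conf):
    """For each key-material directive present (and not 'none'): the file it
    names and the command that produces it, i.e. the question in the thread."""
    files = {}
    for directive, generator in GENERATORS.items():
        for args in conf.get(directive, []):
            if args and args[0] != "none":
                files[directive] = (args[0], generator)
                break
    return files


def lint(vars_text, conf_text, ca_days_opt=None, cert_days_opt=None):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    conf = parse_openvpn_conf(conf_text)
    ca, cert = expiry_days(parse_vars(vars_text), ca_days_opt, cert_days_opt)
    if cert > ca:
        findings.append(
            f"certificate lifetime {cert}d exceeds CA lifetime {ca}d: certs "
            "issued late in the CA's life would outlive it and fail to verify")
    if "tls-auth" in conf and "tls-crypt" in conf:
        findings.append("tls-auth and tls-crypt are mutually exclusive: keep one")
    return findings


# Constructed sample: the vars edits proposed in the thread.
SAMPLE_VARS = """\
# a commented-out line keeps the built-in default
#set_var EASYRSA_REQ_CN "ChangeMe"
set_var EASYRSA_CA_EXPIRE   7300
set_var EASYRSA_CERT_EXPIRE 7200   # must not exceed EASYRSA_CA_EXPIRE
"""

# Constructed sample: a server.conf that mixes both HMAC-key directives.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/JennyVPN.crt
key  /etc/openvpn/keys/JennyVPN.key
dh   /etc/openvpn/keys/dh2048.pem
tls-auth  /etc/openvpn/keys/ta.key 0
tls-crypt /etc/openvpn/keys/tls-crypt.key
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_VARS, SAMPLE_CONF):
        print("FINDING:", finding)
    for directive, (path, how) in expected_files(parse_openvpn_conf(SAMPLE_CONF)).items():
        print(f"{directive:<9} {path}  <- {how}")
```

Run against the samples it reports the tls-auth/tls-crypt conflict and, for each of `dh`, `tls-auth` and `tls-crypt`, the path the config names and the command that creates it; the 7300/7200 day pair from the thread passes the lifetime check, while a `vars` with a certificate lifetime above the CA lifetime does not.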
[Openvpn-users] Easy-RSA v3.1.7 pre-release notice
Hello OpenVPN Users,

On Saturday, October 7th, 2023 at 14:27, tincantech via Openvpn-users wrote:

> Note: The next release of Easy-RSA will not complain about the location
> of the vars file. Until then, you can simply ignore the message.

If all goes well then Easy-RSA version 3.1.7 will be released on 2023/10/13.

This will, hopefully, be the exact same script as is current master branch.

You can try `easyrsa` from:
* https://raw.githubusercontent.com/OpenVPN/easy-rsa/master/easyrsa3/easyrsa

This script should run without the need for any further packaging.

Please test this script and report any and all problems either here on the ML
or to https://github.com/OpenVPN/easy-rsa/issues

All commands are documented as follows:
* `easyrsa` lists all the major commands, plus some helpful information.
* `easyrsa help <command>` shows detailed help for each `<command>`
* `easyrsa help options` lists all the available options, with a short description.
* `easyrsa help more` lists some extra commands.

I am happy to answer questions about EasyRSA, prior to this major release.
You can also use this thread for follow-up issues, once the release has been published.

Thank you for your help and any feedback,
kind regards,
Richard.
Re: [Openvpn-users] Easy-RSA v3.1.7 pre-release notice
This may be of use;

The default user `vars` file can be created with command:
* `easyrsa make-vars > ./vars`

Redirect `./vars` to your preferred location.

R
Re: [Openvpn-users] Easy-RSA v3.1.7 pre-release notice
A brief and useful example:

I choose to use elliptic curve ED448.

This can be set in the `vars` file using
set_var EASYRSA_ALGO ed
set_var EASYRSA_CURVE ed448

Or by command line:
easyrsa --use-algo=ed --curve=ed448 --nopass --days=1 build-ca

Continue to use those options on the command line for subsequent commands.
Choose --days to serve your needs.
I use --nopass for ease only, you can use passwords as you choose.

Note; Command `init-pki` does not affect the crypto that will be used.

The resulting PKI can be used alongside OpenVPN option --tls-groups X448.
Use the PKI from EasyRSA, along with --tls-groups option on the server side.

Enjoy,
R
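The message above and the earlier expiry thread together describe a small set of rules: `set_var` values in `vars` and command-line options are interchangeable, the algorithm/curve options must be repeated on every command because `init-pki` does not fix the crypto, and `--days` is per command, so `build-ca` gets the CA lifetime while `build-server-full` and `build-client-full` get the certificate lifetime. The planner below is an added example for this page, not Easy-RSA's own code: it turns a settings dict into the ordered `easyrsa` command lines and the matching `tls-groups` line. The ed448/X448 pairing is from the post; the ed25519/X25519 pairing, the `--keysize` mapping for RSA, and the client CN `jenny-laptop` are assumptions of the example.

```python
"""Plan the Easy-RSA 3 command sequence for a PKI from a dict of settings.

Added example for the messages above, not Easy-RSA's own code. Shows that
vars settings and command-line options are interchangeable, that the
crypto options must ride on every command, and that --days differs between
build-ca and the build-*-full commands.
"""
import shlex

# Command-line option that overrides each vars setting.
OPTION_FOR_VAR = {
    "EASYRSA_ALGO": "--use-algo",
    "EASYRSA_CURVE": "--curve",
    "EASYRSA_KEY_SIZE": "--keysize",  # only meaningful for rsa (assumed mapping)
}

# OpenVPN key-exchange group paired with each Edwards signature curve.
# ed448/X448 is from the post; ed25519/X25519 is added by analogy (assumption).
TLS_GROUP_FOR_CURVE = {"ed448": "X448", "ed25519": "X25519"}

DEFAULT_CA_DAYS, DEFAULT_CERT_DAYS = 3650, 825  # Easy-RSA 3 defaults


def common_options(settings, nopass=True):
    """Options that every easyrsa command in the PKI must carry."""
    opts = [f"{OPTION_FOR_VAR[k]}={settings[k]}" for k in OPTION_FOR_VAR if k in settings]
    if nopass:
        opts.append("--nopass")
    return opts


def plan_pki(settings, server_cn, client_cns=(), nopass=True):
    """Return the argv list of each easyrsa invocation, in order."""
    ca_days = int(settings.get("EASYRSA_CA_EXPIRE", DEFAULT_CA_DAYS))
    cert_days = int(settings.get("EASYRSA_CERT_EXPIRE", DEFAULT_CERT_DAYS))
    base = ["easyrsa", *common_options(settings, nopass)]
    plan = [
        ["easyrsa", "init-pki"],  # crypto choices are not made here
        [*base, f"--days={ca_days}", "build-ca"],
        [*base, f"--days={cert_days}", "build-server-full", server_cn],
    ]
    plan += [[*base, f"--days={cert_days}", "build-client-full", cn] for cn in client_cns]
    return plan


def server_conf_lines(settings):
    """OpenVPN server.conf lines implied by the chosen key algorithm."""
    curve = settings.get("EASYRSA_CURVE")
    if settings.get("EASYRSA_ALGO") == "ed" and curve in TLS_GROUP_FOR_CURVE:
        return [f"tls-groups {TLS_GROUP_FOR_CURVE[curve]}"]
    return []


def render(plan):
    """Shell-quoted script text for the plan, one command per line."""
    return "\n".join(shlex.join(argv) for argv in plan)


# Constructed sample: the ED448 choice from the post plus the 20-year CA
# discussed earlier in the thread.
SAMPLE_SETTINGS = {
    "EASYRSA_ALGO": "ed",
    "EASYRSA_CURVE": "ed448",
    "EASYRSA_CA_EXPIRE": "7300",
    "EASYRSA_CERT_EXPIRE": "7200",
}

if __name__ == "__main__":
    print(render(plan_pki(SAMPLE_SETTINGS, "JennyVPN", ["jenny-laptop"])))
    print("\n".join(server_conf_lines(SAMPLE_SETTINGS)))
```

With the sample settings, `build-ca` is emitted with `--days=7300` and both `build-*-full` commands with `--days=7200`, all carrying `--use-algo=ed --curve=ed448 --nopass`; with an empty settings dict the plan falls back to the 3650/825 defaults and emits no `tls-groups` line.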