OpenBSD 7.1 + OpenVPN + Easy-RSA

uNdEr cOnStRuCtIoN

What to tune: First, set EASYRSA to a defined path, like set_var EASYRSA "/etc/openvpn/easy-rsa", or you will get errors. Then edit the EASYRSA_REQ_* section and add your values. Check the other settings and tune them if you want. By the way, there's no need to change openssl-easyrsa.cnf, and there's no need (like in […]

OpenBSD // OpenVPN // EasyRSA || first steps

First of all: Read the fckn manual.

Preparing the server
# ./easyrsa init-pki
# ./easyrsa build-ca nopass
# ./easyrsa gen-req SERVERID nopass
# ./easyrsa sign-req server SERVERID
# ./easyrsa gen-crl
# ./easyrsa gen-dh

Preparing a client
# ./easyrsa gen-req CLIENTID
# ./easyrsa sign-req client CLIENTID

Revoking a client
# ./easyrsa revoke CLIENTID
# ./easyrsa gen-crl
[…]

OpenVPN | enable revocation – revoke a key

Add the following line to your server's conf:

crl-verify /etc/openvpn/crl.pem

Use the easyrsa 'revoke-full' command to revoke the key.
Copy (NOT MOVE!) the crl.pem file from the directory 'keys' to /etc/openvpn.
Restart the server.

Notice I: The next revocations will be added to the crl.pem file. There is no need to restart the server for […]

OpenVPN | log connection status

First method: Add the following lines to the server's conf:

status /var/log/status.log 5
status-version 2

Second method: Add the following lines to the server's conf:

client-connect /path/to/your/connect_script.sh
client-disconnect /path/to/your/disconnect_script.sh

Start your server with '--script-security 2'. The scripts must be owned by the same user running the server. If your scripts are writing log files, check the log […]