angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

[Bug]: EasyRSA asking for "PEM pass phrase" #1071

Closed uofm-matt closed 1 year ago

uofm-matt commented 1 year ago

Make sure you check these beforehand!

Server OS

Ubuntu 22.04

OpenVPN version

2.5.5

Client

OpenVPN 2.5.5 on Ubuntu

What is the bug?

During the install process, the script is now asking for "Enter PEM pass phrase:". When you press enter (no entry), after all is said and done, the client won't connect with the log text below. The script worked on another host as recently as yesterday.

Relevant log output

2022-12-15 18:05:38 Unrecognized option or missing or extra parameter(s) in client.ovpn:19: block-outside-dns (2.5.5)
2022-12-15 18:05:38 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2022-12-15 18:05:38 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-12-15 18:05:38 OpenSSL: error:0480006C:PEM routines::no start line
2022-12-15 18:05:38 OpenSSL: error:0A080009:SSL routines::PEM lib
2022-12-15 18:05:38 Cannot load inline certificate file
2022-12-15 18:05:38 Exiting due to fatal error

TinCanTech commented 1 year ago

@uofm-matt The problem is caused by an old version of EasyRSA, which does not support OpenSSL v3.

Update your copy of easyrsa to version 3.1.1: https://github.com/OpenVPN/easy-rsa/releases/tag/v3.1.1

You can also use EasyRSA v3.1.1 to remove the password from your certificate.

uofm-matt commented 1 year ago

Okay, now I have another error after forcing it to 3.1.1 of EasyRSA from 3.0.7 of EasyRSA. The CA and Key are not getting put into the OVPN file. This was done on a brand new install of Ubuntu 22.04.01.

Easy-RSA error:

Option conflict: 'build-client-full' does not support setting an external commonName

EasyRSA Version Information
Version:     3.1.1
Generated:   Thu Oct 13 06:37:48 CDT 2022
SSL Lib:     OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Git Commit:  2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.1 | nix | Linux | /bin/bash | OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Client client2 added.
awk: fatal: cannot open file `/etc/openvpn/easy-rsa/pki/issued/client2.crt' for reading: No such file or directory
cat: /etc/openvpn/easy-rsa/pki/private/client2.key: No such file or directory

The configuration file has been written to /home/ubuntu/client2.ovpn. Download the .ovpn file and import it in your OpenVPN client.

TinCanTech commented 1 year ago

@uofm-matt That is a real bug.

The original bug is that Easy-RSA allowed this to be done, even though it was not technically supported.

There is an upstream bug report: https://github.com/OpenVPN/easy-rsa/issues/731

WhiteBlackGoose commented 1 year ago

any known workaround yet? :sweat_smile:

TinCanTech commented 1 year ago

As a work-around, remove set_var EASYRSA_REQ_CN "foo" from the scripted vars file.

EASYRSA_REQ_CN should NEVER have been allowed in a vars file.

WhiteBlackGoose commented 1 year ago

Thanks, sorry, where do I find vars file?

WhiteBlackGoose commented 1 year ago

in /etc/openvpn/easy-rsa/pki/vars there's no such line as far as I see

TinCanTech commented 1 year ago

@WhiteBlackGoose Sorry, if the vars file does not contain this line then you are not having the same problem.

Can you post your angristan terminal output ?

WhiteBlackGoose commented 1 year ago

Here's my output

* Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/pki/vars

Easy-RSA error:

Missing expected CA file: ca.crt (perhaps you need to run build-ca?)
Run without commands for usage and command help.

EasyRSA Version Information
Version:     3.1.1
Generated:   Thu Oct 13 06:37:48 CDT 2022
SSL Lib:     OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Git Commit:  2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.1 | nix | Linux | /bin/bash | OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Client samsung-debian added.
cat: /etc/openvpn/easy-rsa/pki/ca.crt: No such file or directory
awk: fatal: cannot open file `/etc/openvpn/easy-rsa/pki/issued/samsung-debian.crt' for reading: No such file or directory
cat: /etc/openvpn/easy-rsa/pki/private/samsung-debian.key: No such file or directory

The configuration file has been written to /home/goose/samsung-debian.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

TinCanTech commented 1 year ago

The script failed before you tried to add a new client.

What was the first error ?

Try removing and starting over.

Also, include your input command.

WhiteBlackGoose commented 1 year ago

There was no output before. The line before the first line of my output is

Select an option [1-2]: 1

Also, include your input command.

Sorry, what is that? I run just ./openvpn-install (under superuser)

WhiteBlackGoose commented 1 year ago

Tried removing the user and adding, same.

Also tried purging /etc/openvpn/easy-rsa and downloading and unpacking (3.1.1) again, no other result

TinCanTech commented 1 year ago

If this is your first time using this script then you can remove the angristan installation and then try from the beginning.

WhiteBlackGoose commented 1 year ago

I removed /etc/openvpn and tried from scratch. Same error. Then I replaced its easy-rsa with the 3.1.1 one. Same error

TinCanTech commented 1 year ago

As previously stated, please include:

WhiteBlackGoose commented 1 year ago

I still don't know what you mean by "Command used as input". I run it as ./openvpn-install.sh

Here's the full output:

Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install

It looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]: 1 
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: samsung-debian

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

tail: cannot open '/etc/openvpn/easy-rsa/pki/index.txt' for reading: No such file or directory
* No Easy-RSA 'vars' configuration file exists!

Easy-RSA error:

EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
Expected to find the EASYRSA_PKI at: /etc/openvpn/easy-rsa/pki
Run easyrsa without commands for usage and command help.

EasyRSA Version Information
Version:     3.1.1
Generated:   Thu Oct 13 06:37:48 CDT 2022
SSL Lib:     OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Git Commit:  2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.1 | nix | Linux | /bin/bash | OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Client samsung-debian added.
cat: /etc/openvpn/easy-rsa/pki/ca.crt: No such file or directory
awk: fatal: cannot open file `/etc/openvpn/easy-rsa/pki/issued/samsung-debian.crt' for reading: No such file or directory
cat: /etc/openvpn/easy-rsa/pki/private/samsung-debian.key: No such file or directory

The configuration file has been written to /home/goose/samsung-debian.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

WhiteBlackGoose commented 1 year ago

Running as superuser

TinCanTech commented 1 year ago

Try option 3 - Remove OpenVPN

Then try re-installing from scratch.

Beware that will remove all current server and users.

WhiteBlackGoose commented 1 year ago

Actually, just tried :sweat_smile: and then removed /etc/openvpn

Then, using this script, installed. Replaced easy-rsa with 3.1.1. Same error

TinCanTech commented 1 year ago

As previously stated, please include:

* The command used as **input**

* The full terminal **output**

again ....

WhiteBlackGoose commented 1 year ago

  • The command used as input

Again... I do not know what you mean "command used as input". Nothing changed since then - I still don't know. Please, tell what you mean.

  • The full terminal output

One second, will do

TinCanTech commented 1 year ago

One second later .. did not do ..

TinCanTech commented 1 year ago

Not all distros are equal.

Here is a full log on debian 11, which uses EasyRSA 3.0.7 and OpenSSL 1.1.1:

root@deb11:~/angristan# apt install curl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  liblzo2-2 libpkcs11-helper1 linux-image-5.10.0-18-amd64 opensc opensc-pkcs11
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  curl
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 269 kB of archives.
After this operation, 439 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bullseye/main amd64 curl amd64 7.74.0-1.3+deb11u3 [269 kB]
Fetched 269 kB in 0s (1,394 kB/s)
Selecting previously unselected package curl.
(Reading database ... 42789 files and directories currently installed.)
Preparing to unpack .../curl_7.74.0-1.3+deb11u3_amd64.deb ...
Unpacking curl (7.74.0-1.3+deb11u3) ...
Setting up curl (7.74.0-1.3+deb11u3) ...
Processing triggers for man-db (2.9.4-2) ...
root@deb11:~/angristan# ./openvpn-install.sh 
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 10.1.101.28

It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: 88.88.88.88

Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 1

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Anycast: worldwide)
   12) NextDNS (Anycast: worldwide)
   13) Custom
DNS [1-12]: 11

Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Hit:2 http://deb.debian.org/debian bullseye InRelease
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Fetched 92.4 kB in 1s (159 kB/s)    
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
ca-certificates is already the newest version (20210119).
The following packages were automatically installed and are no longer required:
  liblzo2-2 libpkcs11-helper1 linux-image-5.10.0-18-amd64 opensc opensc-pkcs11
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  dirmngr gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm libassuan0 libksba8
  libnpth0 pinentry-curses
Suggested packages:
  dbus-user-session pinentry-gnome3 tor parcimonie xloadimage scdaemon pinentry-doc
The following NEW packages will be installed:
  dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm libassuan0 libksba8
  libnpth0 pinentry-curses
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,665 kB of archives.
After this operation, 15.7 MB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bullseye/main amd64 libassuan0 amd64 2.5.3-7.1 [50.5 kB]
Get:2 http://deb.debian.org/debian bullseye/main amd64 gpgconf amd64 2.2.27-2+deb11u2 [548 kB]
Get:3 http://deb.debian.org/debian bullseye/main amd64 libksba8 amd64 1.5.0-3+deb11u1 [123 kB]
Get:4 http://deb.debian.org/debian bullseye/main amd64 libnpth0 amd64 1.6-3 [19.0 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 dirmngr amd64 2.2.27-2+deb11u2 [763 kB]
Get:6 http://deb.debian.org/debian bullseye/main amd64 gnupg-l10n all 2.2.27-2+deb11u2 [1,086 kB]
Get:7 http://deb.debian.org/debian bullseye/main amd64 gnupg-utils amd64 2.2.27-2+deb11u2 [905 kB]
Get:8 http://deb.debian.org/debian bullseye/main amd64 gpg amd64 2.2.27-2+deb11u2 [928 kB]
Get:9 http://deb.debian.org/debian bullseye/main amd64 pinentry-curses amd64 1.1.0-4 [64.9 kB]
Get:10 http://deb.debian.org/debian bullseye/main amd64 gpg-agent amd64 2.2.27-2+deb11u2 [669 kB]
Get:11 http://deb.debian.org/debian bullseye/main amd64 gpg-wks-client amd64 2.2.27-2+deb11u2 [524 kB]
Get:12 http://deb.debian.org/debian bullseye/main amd64 gpg-wks-server amd64 2.2.27-2+deb11u2 [516 kB]
Get:13 http://deb.debian.org/debian bullseye/main amd64 gpgsm amd64 2.2.27-2+deb11u2 [645 kB]
Get:14 http://deb.debian.org/debian bullseye/main amd64 gnupg all 2.2.27-2+deb11u2 [825 kB]
Fetched 7,665 kB in 2s (4,245 kB/s)
Selecting previously unselected package libassuan0:amd64.
(Reading database ... 42797 files and directories currently installed.)
Preparing to unpack .../00-libassuan0_2.5.3-7.1_amd64.deb ...
Unpacking libassuan0:amd64 (2.5.3-7.1) ...
Selecting previously unselected package gpgconf.
Preparing to unpack .../01-gpgconf_2.2.27-2+deb11u2_amd64.deb ...
Unpacking gpgconf (2.2.27-2+deb11u2) ...
Selecting previously unselected package libksba8:amd64.
Preparing to unpack .../02-libksba8_1.5.0-3+deb11u1_amd64.deb ...
Unpacking libksba8:amd64 (1.5.0-3+deb11u1) ...
Selecting previously unselected package libnpth0:amd64.
Preparing to unpack .../03-libnpth0_1.6-3_amd64.deb ...
Unpacking libnpth0:amd64 (1.6-3) ...
Selecting previously unselected package dirmngr.
Preparing to unpack .../04-dirmngr_2.2.27-2+deb11u2_amd64.deb ...
Unpacking dirmngr (2.2.27-2+deb11u2) ...
Selecting previously unselected package gnupg-l10n.
Preparing to unpack .../05-gnupg-l10n_2.2.27-2+deb11u2_all.deb ...
Unpacking gnupg-l10n (2.2.27-2+deb11u2) ...
Selecting previously unselected package gnupg-utils.
Preparing to unpack .../06-gnupg-utils_2.2.27-2+deb11u2_amd64.deb ...
Unpacking gnupg-utils (2.2.27-2+deb11u2) ...
Selecting previously unselected package gpg.
Preparing to unpack .../07-gpg_2.2.27-2+deb11u2_amd64.deb ...
Unpacking gpg (2.2.27-2+deb11u2) ...
Selecting previously unselected package pinentry-curses.
Preparing to unpack .../08-pinentry-curses_1.1.0-4_amd64.deb ...
Unpacking pinentry-curses (1.1.0-4) ...
Selecting previously unselected package gpg-agent.
Preparing to unpack .../09-gpg-agent_2.2.27-2+deb11u2_amd64.deb ...
Unpacking gpg-agent (2.2.27-2+deb11u2) ...
Selecting previously unselected package gpg-wks-client.
Preparing to unpack .../10-gpg-wks-client_2.2.27-2+deb11u2_amd64.deb ...
Unpacking gpg-wks-client (2.2.27-2+deb11u2) ...
Selecting previously unselected package gpg-wks-server.
Preparing to unpack .../11-gpg-wks-server_2.2.27-2+deb11u2_amd64.deb ...
Unpacking gpg-wks-server (2.2.27-2+deb11u2) ...
Selecting previously unselected package gpgsm.
Preparing to unpack .../12-gpgsm_2.2.27-2+deb11u2_amd64.deb ...
Unpacking gpgsm (2.2.27-2+deb11u2) ...
Selecting previously unselected package gnupg.
Preparing to unpack .../13-gnupg_2.2.27-2+deb11u2_all.deb ...
Unpacking gnupg (2.2.27-2+deb11u2) ...
Setting up libksba8:amd64 (1.5.0-3+deb11u1) ...
Setting up libnpth0:amd64 (1.6-3) ...
Setting up libassuan0:amd64 (2.5.3-7.1) ...
Setting up gnupg-l10n (2.2.27-2+deb11u2) ...
Setting up gpgconf (2.2.27-2+deb11u2) ...
Setting up gpg (2.2.27-2+deb11u2) ...
Setting up gnupg-utils (2.2.27-2+deb11u2) ...
Setting up pinentry-curses (1.1.0-4) ...
Setting up gpg-agent (2.2.27-2+deb11u2) ...
Created symlink /etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket → /usr/lib/systemd/user/gpg-agent-browser.socket.
Created symlink /etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket → /usr/lib/systemd/user/gpg-agent-extra.socket.
Created symlink /etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket → /usr/lib/systemd/user/gpg-agent-ssh.socket.
Created symlink /etc/systemd/user/sockets.target.wants/gpg-agent.socket → /usr/lib/systemd/user/gpg-agent.socket.
Setting up gpgsm (2.2.27-2+deb11u2) ...
Setting up dirmngr (2.2.27-2+deb11u2) ...
Created symlink /etc/systemd/user/sockets.target.wants/dirmngr.socket → /usr/lib/systemd/user/dirmngr.socket.
Setting up gpg-wks-server (2.2.27-2+deb11u2) ...
Setting up gpg-wks-client (2.2.27-2+deb11u2) ...
Setting up gnupg (2.2.27-2+deb11u2) ...
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u5) ...
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
ca-certificates is already the newest version (20210119).
curl is already the newest version (7.74.0-1.3+deb11u3).
iptables is already the newest version (1.8.7-1).
openssl is already the newest version (1.1.1n-0+deb11u3).
wget is already the newest version (1.21-1+deb11u1).
The following package was automatically installed and is no longer required:
  linux-image-5.10.0-18-amd64
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  easy-rsa
Suggested packages:
  resolvconf openvpn-systemd-resolved
The following NEW packages will be installed:
  easy-rsa openvpn
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 45.2 kB/644 kB of archives.
After this operation, 1,797 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bullseye/main amd64 easy-rsa all 3.0.8-1 [45.2 kB]
Fetched 45.2 kB in 0s (420 kB/s)
Preconfiguring packages ...
Selecting previously unselected package easy-rsa.
(Reading database ... 43048 files and directories currently installed.)
Preparing to unpack .../easy-rsa_3.0.8-1_all.deb ...
Unpacking easy-rsa (3.0.8-1) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../openvpn_2.5.1-3_amd64.deb ...
Unpacking openvpn (2.5.1-3) ...
Setting up openvpn (2.5.1-3) ...
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
Setting up easy-rsa (3.0.8-1) ...
Processing triggers for man-db (2.9.4-2) ...
--2022-12-21 19:08:05--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/0fa24e00-72ba-11ea-9afe-6e5829eec4a4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221221%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221221T190805Z&X-Amz-Expires=300&X-Amz-Signature=e4064eef98e5721832ea4763cb6c5e065d28d7d7283b2c00a515f586b836b432&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.7.tgz&response-content-type=application%2Foctet-stream [following]
--2022-12-21 19:08:05--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/0fa24e00-72ba-11ea-9afe-6e5829eec4a4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221221%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221221T190805Z&X-Amz-Expires=300&X-Amz-Signature=e4064eef98e5721832ea4763cb6c5e065d28d7d7283b2c00a515f586b836b432&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.7.tgz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 48215 (47K) [application/octet-stream]
Saving to: ‘/root/easy-rsa.tgz’

/root/easy-rsa.tgz            100%[=================================================>]  47.08K  --.-KB/s    in 0.005s  

2022-12-21 19:08:05 (8.53 MB/s) - ‘/root/easy-rsa.tgz’ saved [48215/48215]

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Using SSL: openssl OpenSSL 1.1.1n  15 Mar 2022
read EC key
writing EC key

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1n  15 Mar 2022
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-12044.Yj6DI4/tmp.1JF5lo'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-12044.Yj6DI4/tmp.7ai3v6
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server_FTrLM2ECmDQl4tYB'
Certificate is to be certified until Mar 25 19:08:06 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1n  15 Mar 2022
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-12121.TiLZgJ/tmp.uum7hf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

2022-12-21 19:08:06 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
kernel.pid_max = 4194304
* Applying /etc/sysctl.d/99-openvpn.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /usr/lib/sysctl.d/protect-links.conf ...
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
* Applying /etc/sysctl.conf ...
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /etc/systemd/system/openvpn@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service → /etc/systemd/system/iptables-openvpn.service.

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: cl1

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1n  15 Mar 2022
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-12245.3R5Jec/tmp.PbKaUz'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-12245.3R5Jec/tmp.9q40Yg
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'cl1'
Certificate is to be certified until Mar 25 19:08:19 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Client cl1 added.

The configuration file has been written to /root/cl1.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
root@deb11:~/angristan# 

WhiteBlackGoose commented 1 year ago

It takes time. I just hoped that within that time you could explain what you mean by input command, which you request me to show.

Here's the full output

output-full-redo.log

WhiteBlackGoose commented 1 year ago

To run the script, I do

./openvpn-install.sh < input

where input is

192.168.2.16
my-public-ip
n
2
1195
1
1
n
n

samsung-debian
1

WhiteBlackGoose commented 1 year ago

OpenSSL's version is 3.0.2

WhiteBlackGoose commented 1 year ago

Thanks so much for your help, by the way. I'm quite lost though with these errors :sob:

I can file a separate bug report

TinCanTech commented 1 year ago

I can file a separate bug report

Better if we focus on this thread.

WhiteBlackGoose commented 1 year ago

Sorry - do you mean I should make a separate issue or not?

TinCanTech commented 1 year ago

Can you please uninstall/re-install.

Do not use your input-text, simply run the script and answer manually.

Remove your public IP address from the output, easy to find..

TinCanTech commented 1 year ago

Do not make another issue.

WhiteBlackGoose commented 1 year ago

It was a re-install. I removed openvpn with the script, and then manually deleted /etc/openvpn. The output you see is entirely from scratch.

Do not use your input-text, simply run the script and answer manually.

How do I collect the output then? The output is the same as when I do it manually.

TinCanTech commented 1 year ago

Finally,

from your previous log file, I can categorically state that OpenSSL 3.0.2 and EasyRSA 3.0.7, are totally incompatible.

Only EasyRSA 3.1.1+ supports OpenSSL 3.x

How @angristan wants to address that, I don't know..

@WhiteBlackGoose thank you for co-operating :+1:
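
Added example, not part of the original thread and not code from openvpn-install or Easy-RSA: a preflight check that encodes the rule stated above (OpenSSL 3.x needs EasyRSA 3.1.1 or later), plus a check that a generated .ovpn really holds PEM data in its inline <ca>, <cert> and <key> blocks, since the logs in this thread show the client file being written even though those files did not exist. All function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of any project.

# openssl_major VERSION_STRING: major number from `openssl version` output.
openssl_major() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p'
}

# version_ge A B: succeeds when dotted numeric version A >= B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# easyrsa_supports_openssl EASYRSA_VERSION OPENSSL_VERSION_STRING
# Rule as stated in the thread: OpenSSL 3.x needs EasyRSA 3.1.1 or later.
# Returns 0 = compatible, 1 = incompatible, 2 = version string not recognised.
easyrsa_supports_openssl() {
    major=$(openssl_major "$2")
    [ -n "$major" ] || return 2
    if [ "$major" -lt 3 ]; then return 0; fi
    version_ge "$1" "3.1.1"
}

# ovpn_missing_blocks FILE: prints which inline blocks (ca, cert, key) are
# absent or hold no PEM "-----BEGIN" line; prints nothing when all are present.
ovpn_missing_blocks() {
    awk '
        /^<(ca|cert|key)>$/   { tag = substr($0, 2, length($0) - 2); next }
        /^<\/(ca|cert|key)>$/ { tag = ""; next }
        tag != "" && /^-----BEGIN / { seen[tag] = 1 }
        END {
            n = split("ca cert key", want, " "); out = ""
            for (i = 1; i <= n; i++)
                if (seen[want[i]] != 1) out = out (out == "" ? "" : " ") want[i]
            if (out != "") print out
        }
    ' "$1"
}

# Demo on constructed input: a client file whose <cert> and <key> blocks were
# written empty because the certificate and key were never generated.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
remote vpn.example.test 1194
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
</key>
EOF
if ! easyrsa_supports_openssl 3.0.7 "OpenSSL 3.0.2 15 Mar 2022"; then
    echo "refusing to continue: EasyRSA 3.0.7 cannot drive OpenSSL 3.x"
fi
echo "inline blocks without PEM data: $(ovpn_missing_blocks "$sample")"
rm -f "$sample"
```

Running the second check before handing out a client file catches the "PEM routines::no start line" failure on the server side instead of at first connect.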

WhiteBlackGoose commented 1 year ago

Thank you too!

By the way. This fork did the magic (original patch). And guess what - it works! I now have working VPN.

Thanks to people who make and improve this script.

TinCanTech commented 1 year ago

The fix above appears to take the correct approach.

angristan commented 1 year ago

Duplicate of https://github.com/angristan/openvpn-install/issues/1000