OpenVPN and easy-rsa Stretch to Buster migration
Introduction
This page documents how a working OpenVPN and easy-rsa system was migrated from Stretch to Buster.
The difficulty
"We're still working on a proper upgrade mechanism from 3.0.5 to 3.0.6. There were changes made that we didn't consider impacted upgrade."
"There is an upgrade mechanism in place and available in the v3.0.7 release."
- https://packages.debian.org/search?keywords=easy-rsa&searchon=names&suite=all&section=all showed Debian using 3.0.6 in stable, testing and unstable, so there was no backports solution.
- Searched for alternatives. The best summary was in the "OpenVPN Alternatives" table in https://thebestvpn.com/reviews/openvpn (Jan 2020).
- SoftEther was rejected because it had no management GUI for Linux. Neither does OpenVPN, but any new solution should have one.
- WireGuard was rejected as not yet mature enough for production.
Names: the package is easy-rsa, the script is easyrsa
Given that we use only three of easyrsa's commands -- build-client-full, revoke and gen-crl -- we worked around the easyrsa breakage by creating /usr/local/bin/local-easyrsa and using it instead of the package script. local-easyrsa is at https://redmine.auroville.org.in/attachments/download/6676/_usr_local_bin_local-easyrsa
Implementation
After stopping openvpn.service and syncing the /etc/openvpn tree from the Stretch server:

    mv /etc/openvpn/easy-rsa/pki/private/{ca.key,cakey.pem}
    mv /etc/openvpn/easy-rsa/pki/{ca.crt,cacert.pem}
    mkdir -p /etc/openvpn/easy-rsa/pki/newcerts /var/log/local-easyrsa
    echo 00 > /etc/openvpn/easy-rsa/pki/crlnumber
    ln -s /usr/local/bin/local-easyrsa /etc/openvpn/easy-rsa/local-easyrsa
    systemctl start openvpn.service

We were then able to use local-easyrsa in the same way as we had previously used easyrsa.
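The same layout change, as an added example that is neither part of this page nor of the local-easyrsa script: the rename, bookkeeping and symlink steps are wrapped in a function with preconditions so that the migration can be re-run safely (a second run must not rewind crlnumber, and an ambiguous tree with both the old and the new CA file names is refused rather than guessed at), followed by a post-migration check. The PKI directory and wrapper path are parameters; the defaults are the paths used above. The chmod on the CA key and the assumption that the wrapper runs as root are additions of this example.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from local-easyrsa: the
# Stretch-to-Buster PKI layout steps wrapped in a re-runnable function.
# The PKI directory and the wrapper path are parameters; the --run defaults
# below are the paths the page uses.
set -eu

# Move OLD to NEW. Tolerates a previous run (NEW present, OLD gone), refuses
# the ambiguous state where both exist, and fails when neither exists.
rename_if_present() {
    old="$1"; new="$2"
    if [ -f "$old" ] && [ -e "$new" ]; then
        echo "refusing: both $old and $new exist" >&2
        return 1
    elif [ -f "$old" ]; then
        mv "$old" "$new"
    elif [ ! -f "$new" ]; then
        echo "missing: neither $old nor $new exists" >&2
        return 1
    fi
}

# Rename the easy-rsa CA key and certificate to the names the local wrapper
# expects, create the CRL bookkeeping files (newcerts/ and crlnumber) and
# link the wrapper into the easy-rsa tree.
migrate_pki() {
    pki="$1"       # e.g. /etc/openvpn/easy-rsa/pki
    wrapper="$2"   # e.g. /usr/local/bin/local-easyrsa

    rename_if_present "$pki/private/ca.key" "$pki/private/cakey.pem" || return 1
    rename_if_present "$pki/ca.crt" "$pki/cacert.pem" || return 1

    # Keep the CA key readable by its owner only (assumption: the wrapper
    # runs as root, so root-only access is sufficient).
    chmod 600 "$pki/private/cakey.pem" || return 1

    mkdir -p "$pki/newcerts"
    # Seed crlnumber only on the first migration: re-running must never
    # rewind the CRL number of a CA that has since issued CRLs.
    if [ ! -f "$pki/crlnumber" ]; then
        echo 00 > "$pki/crlnumber"
    fi

    # Link the wrapper next to the pki directory when it is installed.
    if [ -x "$wrapper" ]; then
        ln -sfn "$wrapper" "$(dirname "$pki")/local-easyrsa"
    fi
}

# Post-migration check: every path the wrapper relies on is in place and no
# stale copy under the old names remains.
check_pki() {
    pki="$1"
    [ -f "$pki/private/cakey.pem" ] && [ -f "$pki/cacert.pem" ] \
      && [ -d "$pki/newcerts" ] && [ -f "$pki/crlnumber" ] \
      && [ ! -e "$pki/private/ca.key" ] && [ ! -e "$pki/ca.crt" ]
}

# Touch the live tree only when asked to explicitly, with the service stopped:
#   systemctl stop openvpn.service; sh migrate-pki.sh --run; systemctl start openvpn.service
if [ "${1:-}" = "--run" ]; then
    migrate_pki /etc/openvpn/easy-rsa/pki /usr/local/bin/local-easyrsa
    check_pki /etc/openvpn/easy-rsa/pki && echo "PKI layout migrated"
fi
```

Running check_pki after the real migration, and again after restoring a backup of /etc/openvpn, is the quickest way to confirm the tree is in the state local-easyrsa expects before the first build-client-full or gen-crl is attempted on Buster.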